Spring4Shell Vulnerability Update – April 6, 2022

Spring4Shell

CVE-2022-22965

Critical Severity

At time of posting, Origina is working with our Global IBM Experts and partners to analyse CVE-2022-22965 (Spring4Shell) vulnerability to determine if this vulnerability impacts IBM products, which to our knowledge, has yet to be disclosed by IBM.

CVE-2022-22965

NIST (National Institute of Standards and Technology) Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit. However, the nature of this vulnerability is more general, and there may be other ways to exploit it.

How to determine if you are vulnerable to CVE-2022-22965?

According to Spring, to exploit the vulnerability, there are some prerequisites that the target should have:

Java Development Kit (JDK) 9 or greater and

Apache Tomcat as the Servlet container and

Packaged as a traditional WAR and deployed in a standalone Tomcat instance. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted and

Spring-webmvc or spring-webflux dependency and

Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.

Additional Notes:

The vulnerability involves ClassLoader access, and therefore in addition to the specific attack reported with a Tomcat specific ClassLoader, other attacks may be possible against a different custom ClassLoader.

The issue relates to data binding used to populate an object from request parameters (either query parameters or form data). Data binding is used for controller method parameters that are annotated with @ModelAttribute or optionally without it, and without any other Spring Web annotation.

The issues do not relate to @RequestBody controller method parameters (e.g., JSON deserialization). However, such methods may still be vulnerable if they have another method parameter populated via data binding from query parameters.

Prevention and Mitigation Options as proposed by Spring and Apache

The preferred response as recommended by Spring is to update to Spring 5.3.18 and 5.2.20 or greater

Apache Tomcat has released versions 10.0.20, 9.0.62, and 8.5.78 which close the attack vector on Tomcat’s side, see Spring Framework RCE, Mitigation Alternative.

Considering Updating your Web Application Firewall (WAF) Policy to block the current exploit

Considering Performing enhanced monitoring of your network that meets the prerequisite criteria (above).

Consider updating your SIEM solution with the latest Indicators of Compromise (IoC’s) as they are developed.

Origina continues to investigate this vulnerability and its potential impact, if any, to IBM products. If you are a current Origina customer and have any particular concerns and/or questions on if this vulnerability impacts your IBM implementation, then please reach out to Origina at support@origina.com or through the Self-Service Portal.

If you are not a current customer and require support, please call a member of our sales team:

DUBLIN: + 353 (1) 524 0012
DALLAS: +1-888-206-4862
LONDON: +44 2033 183790