At time of posting, Origina is working with our Global IBM Experts and partners to analyse CVE-2022-22965 (Spring4Shell) vulnerability to determine if this vulnerability impacts IBM products, which to our knowledge, has yet to be disclosed by IBM.
NIST (National Institute of Standards and Technology) Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit. However, the nature of this vulnerability is more general, and there may be other ways to exploit it.
How to determine if you are vulnerable to CVE-2022-22965?
According to Spring, to exploit the vulnerability, there are some prerequisites that the target should have:
Java Development Kit (JDK) 9 or greater and
Apache Tomcat as the Servlet container and
Packaged as a traditional WAR and deployed in a standalone Tomcat instance. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted and
Spring-webmvc or spring-webflux dependency and
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.
The vulnerability involves ClassLoader access, and therefore in addition to the specific attack reported with a Tomcat specific ClassLoader, other attacks may be possible against a different custom ClassLoader.
The issue relates to data binding used to populate an object from request parameters (either query parameters or form data). Data binding is used for controller method parameters that are annotated with @ModelAttribute or optionally without it, and without any other Spring Web annotation.
The issues do not relate to @RequestBody controller method parameters (e.g., JSON deserialization). However, such methods may still be vulnerable if they have another method parameter populated via data binding from query parameters.
Prevention and Mitigation Options as proposed by Spring and Apache
The preferred response as recommended by Spring is to update to Spring 5.3.18 and 5.2.20 or greater
Apache Tomcat has released versions 10.0.20, 9.0.62, and 8.5.78 which close the attack vector on Tomcat’s side, see Spring Framework RCE, Mitigation Alternative.
Considering Updating your Web Application Firewall (WAF) Policy to block the current exploit
Considering Performing enhanced monitoring of your network that meets the prerequisite criteria (above).
Consider updating your SIEM solution with the latest Indicators of Compromise (IoC’s) as they are developed.
Origina continues to investigate this vulnerability and its potential impact, if any, to IBM products. If you are a current Origina customer and have any particular concerns and/or questions on if this vulnerability impacts your IBM implementation, then please reach out to Origina at email@example.com or through the Self-Service Portal.
If you are not a current customer and require support, please call a member of our sales team:
DUBLIN: + 353 (1) 524 0012
LONDON: +44 2033 183790