Spring Remote Code Execution Vulnerability
RISK: High Risk
TYPE: Security software and application - Security Software & Appliance
A vulnerability has been identified in Spring. A remote attacker can exploit this vulnerability to trigger remote code execution on the targeted system.
A PoC exploit exists for applications running:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as a traditional WAR
- spring-webmvc or spring-webflux dependency
[Updated on 2022-04-11]
Updated System / Technologies affected, Solutions, Source and Related Links.
Impact
- Remote Code Execution
System / Technologies affected
- Spring Boot version prior to 2.6.6
- Spring Boot version prior to 2.5.12
- Spring Framework version prior to 5.3.18
- Spring Framework version prior to 5.2.20
[Updated on 2022-04-11]
For Cisco Products
For details, please refer to the links below:
For Apache Tomcat
For details, please refer to the links below:
Solutions
Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
[Updated on 2022-04-11]
For Cisco Products
For details, please refer to the links below:
Mitigation Alternative
For Apache Tomcat
For details, please refer to the links below:
Note: Harden the class loader to mitigate CVE-2022-22965, a Spring Framework vulnerability.
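As an added example (not part of this advisory), the application-level workaround that the Spring announcement linked above describes for deployments that cannot upgrade immediately: a @ControllerAdvice that stops request parameters from binding to the class-loader-reaching property paths. The class name is illustrative; it must be placed in a package scanned by the application.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applies to every controller; lowest precedence so it runs after
// any application-specific @InitBinder methods.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Deny binding to "class"/"Class" and any nested "*.class.*" path,
        // the property chain the vulnerability abuses to reach the class loader.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

This is a stopgap only; controllers that declare their own @InitBinder and override the disallowed fields are not covered, so upgrading to the fixed versions listed above remains the real fix.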
Vulnerability Identifier
CVE-2022-22965
Source
Related Link