Updated Apr. 1, 2022
A critical vulnerability has been found in the widely used Java framework Spring Core. While Remote Code Execution (RCE) is possible and a Proof-of-Concept has already been released, exploitability varies with system configuration, and research into the vulnerability is still evolving.
Affected Versions
- Spring Core <= 5.2.19, <= 5.3.17
- Spring Boot <= 2.6.5
Exploit Requirements (for the known scenario)
- JDK9 and above
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
- External/stand-alone Tomcat application server confirmed, other application servers unknown
Mitigation
Upgrade the Spring Framework to 5.3.18 or 5.2.20, or later
Upgrade Spring Boot to 2.6.6 or later
- Late yesterday, new versions of Tomcat (8.5.78, 9.0.62, 10.0.20 and 10.1.0-M14) were released that harden the class loader against CVE-2022-22965.
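The version ranges and exploit preconditions above can be turned into a triage check. The following is an added example, not code from the advisory or from the Spring project; the version strings it is fed are constructed samples, and the verdict wording is an assumption of this example.

```python
"""Exposure triage for CVE-2022-22965 using the criteria stated in the advisory.
Added example; not part of the original advisory. Input version strings are
constructed samples, not data from any real deployment."""
import re
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.3.17', '5.3.18-SNAPSHOT', '5.1.0.RELEASE' or '1.8.0_312'
    into a tuple of integers that compares the way version numbers do."""
    nums = re.findall(r"\d+", text.split("-")[0])
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(n) for n in nums)


def spring_core_vulnerable(version: str) -> bool:
    """Affected: 5.3.0-5.3.17, 5.2.0-5.2.19 and every older line.
    Fixed in 5.3.18 and 5.2.20 (and later)."""
    major, minor, patch = (parse_version(version) + (0, 0, 0))[:3]
    if (major, minor) == (5, 3):
        return patch <= 17
    if (major, minor) == (5, 2):
        return patch <= 19
    return (major, minor, patch) < (5, 2, 0)


def spring_boot_vulnerable(version: str) -> bool:
    """Spring Boot <= 2.6.5 bundles an affected framework; 2.6.6 fixes it."""
    return (parse_version(version) + (0, 0, 0))[:3] <= (2, 6, 5)


def jdk_major(java_version: str) -> int:
    """Map legacy '1.8.0_312' -> 8 and modern '11.0.14' / '17' -> 11 / 17."""
    v = parse_version(java_version)
    return v[1] if v[0] == 1 and len(v) > 1 else v[0]


def assess(spring_version: str, jdk_version: str, tomcat_standalone: bool,
           boot_version: Optional[str] = None) -> str:
    """Combine the advisory's preconditions into a triage verdict (wording assumed)."""
    lib_affected = spring_core_vulnerable(spring_version) or (
        boot_version is not None and spring_boot_vulnerable(boot_version))
    if not lib_affected:
        return "not-affected: framework already at a fixed version"
    if jdk_major(jdk_version) < 9:
        return "affected-library: upgrade; known exploit path requires JDK 9+"
    if tomcat_standalone:
        return "exposed: confirmed exploit path (stand-alone Tomcat); upgrade now"
    return "exposed: library vulnerable, other containers unconfirmed; upgrade now"
```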
The spring.io blog below includes information on deploying workarounds for this vulnerability; however, these should only be used as temporary measures.
If you are unable to quickly mitigate this vulnerability on a P3 or P4 system, please open a ticket with ISO by emailing firstname.lastname@example.org.
If you are using a vendor supplied Spring Framework/Boot application, please consult with your vendor on supported mitigation actions.