Vulnerability in the Spring Framework (CVE-2022-22965)

March 31, 2022

Updated Apr. 1, 2022

Summary

A critical vulnerability has been found in the widely used Java framework Spring Core. Remote Code Execution (RCE) is possible and a Proof-of-Concept has already been released; however, how the vulnerability can be exploited varies with system configuration, and research on it is still evolving.

Vulnerable Library

  • Spring Core <= 5.2.19, <= 5.3.17
  • Spring Boot <= 2.6.5

Exploit Requirements (for the known scenario)

  • JDK9 and above
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
  • External/stand-alone Tomcat application server confirmed, other application servers unknown

Mitigations

  • Upgrade the Spring Framework to 5.3.18 or 5.2.20 or later

  • Upgrade Spring Boot to 2.6.6 or later

  • Late yesterday, new versions of Tomcat were released (versions 8.5.78, 9.0.62, 10.0.20, 10.1.0-M14) that harden the class loader against CVE-2022-22965.
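An added inventory check, not part of this advisory or of the Spring project: given the jar file names found in a deployment, it flags Spring Framework and Spring Boot artifacts that fall inside the vulnerable ranges listed above, using the fixed versions from the Mitigations list as thresholds. The jar names in SAMPLE_JARS are constructed; the function names are hypothetical.

```python
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# First fixed version per branch, as stated in the advisory (5.3.18, 5.2.20, Boot 2.6.6).
SPRING_FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
SPRING_BOOT_FIXED = (2, 6, 6)

# Matches e.g. spring-core-5.3.17.jar and the older spring-core-5.2.19.RELEASE.jar naming.
JAR_RE = re.compile(r"^(spring-core|spring-boot)-(\d+\.\d+\.\d+)(?:\.RELEASE)?\.jar$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.3.17' into (5, 3, 17); anything that is not major.minor.patch is rejected."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def spring_framework_vulnerable(version: str) -> bool:
    """5.3.x below 5.3.18, 5.2.x below 5.2.20 and every branch older than 5.2 are vulnerable."""
    v = parse_version(version)
    fixed = SPRING_FIXED.get(v[:2])
    if fixed is None:
        # No fix exists for branches before 5.2 (advisory: 'and older versions');
        # branches newer than those listed are outside the advisory's ranges.
        return v < (5, 2, 0)
    return v < fixed


def spring_boot_vulnerable(version: str) -> bool:
    """Spring Boot <= 2.6.5 is vulnerable; 2.6.6 carries the fixed framework."""
    return parse_version(version) < SPRING_BOOT_FIXED


def scan_jar_names(names: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (path, artifact, version) for every Spring jar in a vulnerable range."""
    findings = []
    for name in names:
        m = JAR_RE.match(Path(name).name)
        if not m:
            continue  # not a spring-core / spring-boot jar
        artifact, version = m.groups()
        check = spring_boot_vulnerable if artifact == "spring-boot" else spring_framework_vulnerable
        if check(version):
            findings.append((name, artifact, version))
    return findings


def scan_directory(root: str) -> List[Tuple[str, str, str]]:
    """Walk an exploded deployment (e.g. a webapps/ tree) and scan every *.jar found."""
    return scan_jar_names(str(p) for p in Path(root).rglob("*.jar"))


# Constructed sample: one fixed Boot jar, two vulnerable framework jars, one unrelated jar.
SAMPLE_JARS = [
    "WEB-INF/lib/spring-core-5.3.17.jar",
    "WEB-INF/lib/spring-boot-2.6.6.jar",
    "WEB-INF/lib/spring-core-5.2.19.RELEASE.jar",
    "WEB-INF/lib/tomcat-embed-core-9.0.60.jar",
]

if __name__ == "__main__":
    for path, artifact, version in scan_jar_names(SAMPLE_JARS):
        print(f"VULNERABLE {artifact} {version}: {path}")
```

Running it against a real deployment with scan_directory("/path/to/webapps") lists every jar that still needs the upgrade; a vendor-packaged application that embeds its own copy of Spring shows up the same way.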

Workarounds

The spring.io blog linked below includes information on deploying workarounds for this vulnerability; however, these should only be used as temporary measures.

Additional Steps

If you are unable to quickly mitigate this vulnerability on a P3 or P4 system, please open a ticket with ISO by emailing security@berkeley.edu.

If you are using a vendor supplied Spring Framework/Boot application, please consult with your vendor on supported mitigation actions.

References