Updated Apr. 1, 2022
Summary
A critical vulnerability, CVE-2022-22965 (widely referred to as "Spring4Shell"), has been found in Spring Core, part of the widely used Java Spring Framework. Remote Code Execution (RCE) is possible and a Proof-of-Concept exploit has already been published. However, whether a given deployment is exploitable depends on its configuration (Java version, application server and packaging), and research into other exploitation paths is still evolving.
Vulnerable Library
- Spring Core (Spring Framework) 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older, unsupported versions
- Spring Boot <= 2.6.5 (these releases ship the vulnerable Spring Framework versions)
Exploit Requirements (for the known scenario)
- JDK 9 or higher
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
- The application packaged as a traditional WAR and deployed on an external/stand-alone Apache Tomcat server; this is the only confirmed scenario, and other application servers are unknown at this time. A Spring Boot executable JAR with embedded Tomcat is not affected by the known exploit, although it still contains the vulnerable code and should be upgraded.
- Use of spring-webmvc or spring-webflux request handling that binds request parameters to Java objects (the flaw is in Spring's data binding)
Mitigations
- Upgrade the Spring Framework to 5.3.18 or 5.2.20 or later
- Upgrade Spring Boot to 2.6.6 or later (or 2.5.12 or later on the 2.5.x line)
- On Mar. 31, 2022, new versions of Apache Tomcat were released (8.5.78, 9.0.62, 10.0.20 and 10.1.0-M14) that harden the class loader against the known CVE-2022-22965 attack path. Treat this as defense in depth rather than a fix: it closes the Tomcat-specific attack vector only, while the underlying data-binding flaw remains in the vulnerable Spring versions until Spring itself is upgraded.
Workarounds
The spring.io blog post linked below describes workarounds for applications that cannot be upgraded immediately; these should only be used as temporary measures until the upgrade has been completed.
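The workaround the spring.io post describes is a global @ControllerAdvice that puts a denylist on every WebDataBinder so that request parameters can no longer be bound into property paths that run through "class" (the path the published exploit uses to reach the class loader). The code below is an added illustration of that approach written for this page; it is not code from the advisory or from the Spring project, and it assumes a Spring MVC 5.x web application. The package and class names are illustrative.

```java
// Added example, not code from the advisory or from the Spring project.
// Global denylist for Spring MVC data binding, the temporary workaround the
// spring.io post describes for CVE-2022-22965. Assumes Spring Framework 5.x
// with spring-webmvc; package and class names are illustrative.
package edu.example.security;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // run after any other @ControllerAdvice beans
public class BinderControllerAdvice {

    /**
     * Refuses to bind any request parameter whose property path starts with,
     * or passes through, "class" (for example class.module.classLoader...).
     * Both capitalisations are listed because DataBinder's pattern matching
     * is case-sensitive in the affected versions; "*.class.*" covers nested
     * paths such as someProperty.class.module...
     */
    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Two caveats when deploying this. First, WebDataBinder.setDisallowedFields replaces the current denylist rather than adding to it, and a controller's own @InitBinder methods run after the global ones, so any controller that calls setDisallowedFields itself overrides this advice and remains unprotected; grep the codebase for local @InitBinder methods and add the same patterns there. Second, this blocks the known binding path only. It does not remove the vulnerable code, so the Spring upgrade listed under Mitigations is still required.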
Additional Steps
If you are unable to quickly mitigate this vulnerability on a P3 or P4 system, please open a ticket with ISO by emailing security@berkeley.edu.
If you are using a vendor supplied Spring Framework/Boot application, please consult with your vendor on supported mitigation actions.