Description
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to that exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
The flaw lies in Spring Framework's parameter data binding, as used by the Spring MVC and Spring WebFlux modules (the underlying binding logic comes from Spring Beans, so those modules are affected transitively). An attacker who can send specially constructed request parameters to an endpoint that binds them onto a Java object can reach properties that should never be writable from a request, and through them gain access to normally restricted functionality within the Java Virtual Machine.
Report
The reporter of this flaw provided a proof-of-concept that relied on Apache Tomcat: it reached the classloader through data binding, changed Tomcat's logging properties so that a web shell was written into Tomcat's web root, and was then able to run arbitrary commands through that shell. The following conditions were required for this exploit:
- Java 9 or newer
- Apache Tomcat as the Servlet container
- the application packaged and deployed as a WAR file
- a spring-webmvc or spring-webflux dependency
- no protection against malicious data bindings (for example, a WebDataBinder allow list)
There may be other exploit paths than this one, possibly not involving Tomcat.
Mitigation
For those who cannot upgrade the affected Spring artifacts to the fixed versions, there is a workaround that can be applied in the application itself: configure disallowed fields on the data binder so that request parameters whose names match "class.*" (and its case and nesting variants) are never bound. Note that a controller which declares its own disallowed fields overrides such a global setting, so every controller must be checked. For full implementation details, see the "suggested workarounds" section of Spring's early announcement post: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds
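The two mitigations mentioned on this page, a global deny list on the WebDataBinder and a per-controller allow list, are shown below in working Java as an added example; this is not code from the advisory or from the Spring project itself, although the deny-list patterns are the ones published in the linked Spring post. The package name, the ProfileForm type, its field names and the /profile endpoint are assumptions made for the illustration.

```java
package com.example.hardening; // hypothetical package, chosen for this example

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

/**
 * Global hardening: an @InitBinder method on a @ControllerAdvice runs for every
 * controller in the application. Ordered.HIGHEST_PRECEDENCE makes it run first.
 *
 * Caveat (from the Spring post linked above): a controller that calls
 * setDisallowedFields(...) in its own @InitBinder replaces this list entirely,
 * so each such controller must re-add these patterns.
 */
@ControllerAdvice
@Order(Ordered.HIGHEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Deny-list patterns published in Spring's early announcement. Both the
        // lower- and upper-case spelling and nested paths ("*.class.*") are
        // blocked so that a request parameter can never traverse into the
        // Class/ClassLoader object graph of the bound target.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}

/**
 * Per-controller hardening with an allow list, the stronger option: only the
 * named fields may be bound, so unexpected property paths are rejected even if
 * a future binding trick does not go through "class".
 * ProfileForm and its fields are hypothetical, created for this example.
 */
@Controller
class ProfileController {

    /** Applies only to the model attribute named "profileForm". */
    @InitBinder("profileForm")
    void allowOnlyFormFields(WebDataBinder binder) {
        binder.setAllowedFields("displayName", "email");
    }

    @PostMapping("/profile")
    String update(@ModelAttribute("profileForm") ProfileForm form) {
        // Only displayName and email can have been populated from the request.
        return "redirect:/profile";
    }
}

/** Simple form-backing bean used as the data-binding target in this example. */
class ProfileForm {
    private String displayName;
    private String email;

    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}
```

In Spring WebFlux the same @InitBinder signature applies, because the reactive WebExchangeDataBinder extends WebDataBinder. Either variant is a stopgap; the advisory's primary recommendation remains upgrading to the fixed artifacts listed below.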
Affected packages
Platform | Package | State | Advisory | Release date |
---|---|---|---|---|
Red Hat JBoss A-MQ 6 | spring-webmvc | Fix deferred | | |
Red Hat JBoss Fuse 6 | spring-webmvc | Fix deferred | | |
Red Hat Virtualization 4 | rhvm-dependencies | Fix deferred | | |
CEQ 2.2.1-1 (CVE-2022-22965) | spring-beans | Fixed | RHSA-2022:1306 | 2022-04-11 |
Red Hat AMQ 7.8.6 | spring-webmvc | Fixed | RHSA-2022:1626 | 2022-04-27 |
Red Hat AMQ 7.9.4 | spring-webmvc | Fixed | RHSA-2022:1627 | 2022-04-27 |
Red Hat Fuse 7.10.2 | spring-webmvc | Fixed | RHSA-2022:1360 | 2022-04-13 |
RHDM 7.12.1 async | spring-webmvc | Fixed | RHSA-2022:1379 | 2022-04-14 |
RHINT Camel-K 1.6.5 | spring-beans | Fixed | RHSA-2022:1333 | 2022-04-12 |
RHPAM 7.12.1 async | spring-webmvc | Fixed | RHSA-2022:1378 | 2022-04-14 |
Additional information
CVSS3: 8.1 High
Related vulnerabilities
Vulnerability in the Spring Core module of the Spring Framework platform allowing an attacker to execute arbitrary code (CVSS3: 8.1 High)