2022-03-31 CVE-2022-22965 RCE 0-day exploit found in Spring Framework
On March 31st, a 0-day exploit in the popular Spring Framework was discovered that results in Remote Code Execution (RCE) via data binding on JDK 9+.
Applications that use spring-webmvc or spring-webflux are vulnerable if they run on Apache Tomcat, are packaged as a WAR, and use JDK 9+.
These are the requirements for the specific scenario from the report:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
- spring-webmvc or spring-webflux dependency
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older, unsupported versions
However, the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.
Spring Framework 5.3.18 and 5.2.20, which contain the fixes, have been released.
Spring Boot 2.6.6 and 2.5.12, which depend on Spring Framework 5.3.18, have been released.
How to patch it
If you are able to upgrade to Spring Framework 5.3.18 or 5.2.20, nothing else needs to be done. Otherwise, there are some suggested workarounds, and you can always contact the developers of your application to ask about other alternatives.
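As an added example (not from this page or from Bitnami), this is the global controller-advice workaround that Spring published alongside the fix for applications that cannot upgrade yet: it stops request parameters from binding into the `class` / `Class` property path. The package name is assumed; the advice must be in a package your application component-scans.

```java
package com.example.security; // assumed package name; must be component-scanned

import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Mitigation for CVE-2022-22965 on Spring Framework versions that cannot be
 * upgraded yet. Every WebDataBinder created for a controller in the
 * application is told to ignore the property paths that the reported
 * exploit abuses. The @Order value matches the one in Spring's published
 * workaround so that this advice runs after application-specific advice.
 */
@ControllerAdvice
@Order(10000)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Both spellings are listed because, before the fixed releases,
        // disallowed-field matching was case-sensitive.
        String[] denylist = new String[] {
            "class.*", "Class.*", "*.class.*", "*.Class.*"
        };
        // Note: setDisallowedFields replaces rather than appends. Any
        // controller that has its own @InitBinder calling
        // setDisallowedFields must include these patterns as well,
        // otherwise that controller silently loses this protection.
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Treat this as a stop-gap only: it covers the reported attack vector, not the underlying data-binding issue, so upgrading to a fixed Spring Framework version remains the real fix.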
While the vulnerability is not in Tomcat itself, Apache Tomcat already released versions 10.0.20, 9.0.62, and 8.5.78 which close the attack vector on Tomcat’s side. For older, unsupported versions of the Spring Framework, the Tomcat releases provide an adequate solution for the reported attack vector. The main goal should still be to upgrade to a currently supported Spring Framework version. Here you can find more info about this mitigation path.
- 100% of the VMs bundling Tomcat have been released
- 86% of the VMs bundling Tomcat have been released. We are still working on the pending ones.
- New Tomcat versions containing the patch were released in all supported formats.
- 100% of the Containers and Helm charts bundling Tomcat have been released.
- 63% of the VMs bundling Tomcat have been released. We are still working on the pending ones.
The Bitnami team is actively tracking and releasing any new application versions that ship a fixed version of Spring Framework and Tomcat, for every format (virtual machines, containers, Helm charts) and for every supported Cloud Marketplace.
Do you have more questions? You can open an issue in this GitHub repository. Our support team will be happy to help you there.