A critical vulnerability was discovered in the widely used Spring Java framework, which we also use on many of the projects we develop. Immediately after the discovery, we reviewed all projects for our customers and none of them were affected by the new vulnerability. Nevertheless, we have updated all our applications.
The vulnerability, tracked as CVE-2022-22965, allows remote code execution through Spring's data binding. It is often referred to as SpringShell (or Spring4Shell) and applies to the following:
- applications which use Spring framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older;
- applications which are dependent on spring-webmvc or spring-webflux;
- applications which run on JDK 9 or newer;
- applications which are packaged as a WAR and deployed to a standalone Tomcat instance;
- applications which use Apache Tomcat as the Servlet container.
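The preconditions above can be checked from inside a running application. The following class is an added example written for this post, not code from the original article or from the Spring project; the class name, package and the `report` method are assumptions, and the Spring version string is read with `SpringVersion.getVersion()` from spring-core. The WAR-packaging condition cannot be detected reliably at runtime, so the report flags it for manual review.

```java
// Added example (not from the original post): reports which of the listed
// preconditions hold for the running application. Package and class name are
// hypothetical; the version-range logic follows the affected ranges stated above.
package com.example.security; // hypothetical package

import javax.servlet.ServletContext;
import org.springframework.core.SpringVersion;

public final class Spring4ShellExposureCheck {

    /** Parses "5.3.17" into {5, 3, 17}; missing or non-numeric components count as 0. */
    static int[] parseVersion(String version) {
        String[] parts = version.split("[.-]");
        int[] out = new int[3];
        for (int i = 0; i < 3 && i < parts.length; i++) {
            try {
                out[i] = Integer.parseInt(parts[i]);
            } catch (NumberFormatException e) {
                break; // e.g. "5.3.18-SNAPSHOT": stop at the first non-numeric part
            }
        }
        return out;
    }

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) {
                return Integer.compare(a[i], b[i]);
            }
        }
        return 0;
    }

    /** True for 5.3.0-5.3.17, 5.2.0-5.2.19 and anything older than 5.2.0. */
    static boolean isAffectedSpringVersion(String version) {
        int[] v = parseVersion(version);
        boolean belowFix53 = compare(v, new int[]{5, 3, 18}) < 0;
        boolean patched52 = compare(v, new int[]{5, 2, 20}) >= 0
                && compare(v, new int[]{5, 3, 0}) < 0;
        return belowFix53 && !patched52;
    }

    /** Java 8 reports "1.8"; JDK 9 and later report the bare major version ("9", "11", "17"). */
    static boolean isJdk9OrNewer(String specVersion) {
        if (specVersion.startsWith("1.")) {
            return false;
        }
        return Integer.parseInt(specVersion) >= 9;
    }

    /** Tomcat identifies itself in the servlet container's server info string. */
    static boolean isTomcat(String serverInfo) {
        return serverInfo != null && serverInfo.contains("Apache Tomcat");
    }

    /** Builds a short human-readable exposure summary for the given servlet context. */
    public static String report(ServletContext ctx) {
        String spring = SpringVersion.getVersion(); // null when the manifest is unavailable
        String jdk = System.getProperty("java.specification.version");
        boolean springAffected = spring != null && isAffectedSpringVersion(spring);
        boolean jdkAffected = isJdk9OrNewer(jdk);
        boolean tomcat = isTomcat(ctx.getServerInfo());

        StringBuilder sb = new StringBuilder();
        sb.append("Spring Framework ").append(spring == null ? "unknown" : spring)
          .append(springAffected ? " (in affected range)\n" : " (not in affected range)\n");
        sb.append("JDK spec ").append(jdk)
          .append(jdkAffected ? " (JDK 9 or newer)\n" : " (JDK 8 or older)\n");
        sb.append("Container: ").append(ctx.getServerInfo())
          .append(tomcat ? " (Apache Tomcat)\n" : " (not Tomcat)\n");
        if (springAffected && jdkAffected && tomcat) {
            sb.append("Exposed if deployed as a WAR on standalone Tomcat: verify packaging and upgrade.\n");
        } else {
            sb.append("Known exploitation preconditions not all met; upgrade regardless.\n");
        }
        return sb.toString();
    }

    private Spring4ShellExposureCheck() {
    }
}
```

Call `Spring4ShellExposureCheck.report(servletContext)` from a `ServletContextListener` or any bean that has the `ServletContext` injected and log the result at startup. A "not all met" result is not a clean bill of health: the preconditions describe the exploitation path that was published, and the fix is still to move to a patched framework version.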
Fixed framework versions are already available: Spring Framework 5.3.18 and 5.2.20 (or later), and Spring Boot 2.6.6 and 2.5.12. If you cannot upgrade quickly enough, you can use one of the following workarounds:
- upgrade Apache Tomcat to version 10.0.20, 9.0.62, or 8.5.78;
- downgrade to Java 8;
- block binding of the exploitable attributes in the application's data-binding configuration.
Complete information on possible workarounds and the vulnerability itself is available in the official announcement.
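The third workaround, restricting what request parameters may be bound, can be applied globally with a `@ControllerAdvice`. The class below is an added example written for this post, not code from the original article, and follows the approach the Spring announcement describes: it uses the public `WebDataBinder.setDisallowedFields` API to deny the `class` property paths that the exploit relies on. The package and class name are assumptions.

```java
// Added example (not from the original post): a global data-binding restriction
// applied to every controller the advice covers. Package and class name are
// hypothetical; the API calls are standard Spring MVC.
package com.example.security; // hypothetical package

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
// Lowest precedence so this advice runs after any other global binder customisation
// and its deny-list is the one that stays in effect.
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void restrictBinding(WebDataBinder dataBinder) {
        // Deny the "class" property directly and when nested under any other
        // property, in both casings the binder resolves. Parameters matching
        // these patterns are ignored rather than bound onto the target object.
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Two caveats a practitioner should keep in mind. First, `setDisallowedFields` replaces rather than appends, so any controller that already has its own `@InitBinder` method calling `setDisallowedFields` overrides this global list and must include the same patterns itself. Second, this is a mitigation for the published exploitation path only; the actual fix remains upgrading to one of the patched Spring Framework or Spring Boot versions listed above.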