A report was made to VMWare recently, detailing an exploit in Spring MVC and Spring WebFlux application running on JDK 9+, dubbed “Spring4Shell”. These applications may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
For an application to be fully vulnerable to the currently known vectors, the additional pre-requisites will be required:
- JDK v9 or above
- Apache Tomcat versions below 10.0.20, 9.0.62, and 8.5.78
- The application must be packaged as a WAR (in contract to a Spring Boot executable jar)
- Utilising either the spring-webmvc or spring-webflux dependencies
The risk associated with this vulnerability is ‘High’; however, this is only if you are running on one of the following framework versions:
- Spring Framework
- 3.0 to 5.3.17
- 2.0 to 5.2.19
- Older, unsupported versions are also affected
Users of affected versions should apply the following mitigation:
- 5.3.x users should upgrade to 5.3.18+,
- 5.2.x users should upgrade to 5.2.20+.
No other steps are necessary.
Corroborating information has been provided by VMWare:
https://tanzu.vmware.com/security/cve-2022-22965
If you have any concerns regarding this matter, please contact Daisy via our Service Desk team on 0330 024 3333 or our Customer Portal.