Spring Framework < 5.2.20 / 5.3.x < 5.3.18 Remote Code Execution (CVE-2022-22965)

Critical | Nessus Plugin ID 159374

Synopsis

The remote host contains a web application framework library that is affected by a remote code execution vulnerability.

Description

The remote host contains a Spring Framework library version that is prior to 5.2.20 or 5.3.x prior to 5.3.18. It is, therefore, affected by a remote code execution vulnerability:

- A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

- These are the prerequisites for the exploit:
  - JDK 9 or higher
  - Apache Tomcat as the Servlet container
  - Packaged as WAR
  - spring-webmvc or spring-webflux dependency

Note that users are required to enable the 'Show potential false alarms' setting, also known as paranoid mode, in their scan policy in order to enable this plugin in a scan. In addition, the 'Perform thorough tests' setting must be enabled as well.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Spring Framework version 5.2.20 or 5.3.18 or later.

See Also

https://tanzu.vmware.com/security/cve-2022-22965

http://www.nessus.org/u?718f9ac3

http://www.nessus.org/u?2401ae46

Plugin Details

Severity: Critical

ID: 159374

File Name: spring_CVE-2022-22965_local.nasl

Version: 1.9

Type: combined

Agent: windows, macosx, unix

Family: Misc.

Published: 3/31/2022

Updated: 5/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: Critical

Score: 9.5

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:H/RL:OF/RC:C

CVSS Score Source: CVE-2022-22965

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:pivotal_software:spring_framework, cpe:/a:vmware:spring_framework

Required KB Items: installed_sw/Spring Framework, installed_sw/Apache Tomcat, installed_sw/Java, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/31/2022

Vulnerability Publication Date: 3/31/2022

CISA Known Exploited Dates: 4/25/2022

Exploitable With

Metasploit (Spring Framework Class property RCE (Spring4Shell))

Reference Information

CVE: CVE-2022-22965