Spring Framework Spring4Shell (CVE-2022-22965)

critical Nessus Plugin ID 159542

Synopsis

The remote host contains a web application framework library that is affected by a remote code execution vulnerability.

Description

The remote host contains a Spring Framework library version that is prior to 5.2.20 or 5.3.x prior to 5.3.18. It is, therefore, affected by a remote code execution vulnerability:
- A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
- These are the prerequisites for the exploit:
  - JDK 9 or higher
  - Apache Tomcat as the Servlet container
  - Packaged as WAR
  - spring-webmvc or spring-webflux dependency

Solution

Upgrade to Spring Framework version 5.2.20 or later on the 5.2 line, or 5.3.18 or later on the 5.3 line.
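The affected-version rule and the exploit prerequisites above are easy to get wrong when triaging an inventory by hand (for example, 5.3.9 sorts before 5.3.18 numerically but after it as a string). The following script, an added example and not part of the Nessus plugin or of the Spring project, encodes the page's version boundaries (prior to 5.2.20, or 5.3.x prior to 5.3.18) and the four prerequisites, then classifies each host in a constructed sample inventory. The inventory fields (`spring_version`, `jdk_major`, `container`, `packaging`, `has_spring_web`) are assumptions chosen for this example; a real inventory would come from a scanner or SBOM.

```python
from dataclasses import dataclass

# Fixed versions stated in the advisory: 5.2.20 on the 5.2 line, 5.3.18 on the 5.3 line.
FIXED_5_2 = (5, 2, 20)
FIXED_5_3 = (5, 3, 18)

NOT_AFFECTED = "not affected"
AFFECTED_EXPLOIT_PREREQS_MET = "affected; known exploit prerequisites met"
AFFECTED_UPGRADE = "affected; upgrade (known exploit prerequisites not all met)"


def parse_version(text):
    """Turn '5.3.17' or '5.2.19.RELEASE' into a numeric (major, minor, patch) tuple.

    Only leading numeric components are used; qualifiers such as RELEASE are ignored.
    """
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_is_affected(text):
    """Apply the advisory's rule: prior to 5.2.20, or 5.3.x prior to 5.3.18."""
    version = parse_version(text)
    if version[:2] == (5, 3):
        return version < FIXED_5_3
    # Everything else (4.x, 5.0, 5.1, 5.2) is affected below 5.2.20; 6.x and later are not.
    return version < FIXED_5_2


@dataclass
class Host:
    # Assumed inventory fields for this example, not a Nessus or Spring data model.
    name: str
    spring_version: str
    jdk_major: int
    container: str        # e.g. "tomcat", "jetty"
    packaging: str        # "war" or "jar"
    has_spring_web: bool  # spring-webmvc or spring-webflux present


def exploit_prerequisites_met(host):
    """The four prerequisites listed in the advisory for the known exploit."""
    return (
        host.jdk_major >= 9
        and host.container.lower() == "tomcat"
        and host.packaging.lower() == "war"
        and host.has_spring_web
    )


def assess(host):
    """Classify a host: not affected, affected with exploit prerequisites met, or affected but upgrade anyway."""
    if not version_is_affected(host.spring_version):
        return NOT_AFFECTED
    if exploit_prerequisites_met(host):
        return AFFECTED_EXPLOIT_PREREQS_MET
    # The advisory notes the flaw is more general than the known exploit, so still upgrade.
    return AFFECTED_UPGRADE


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Host("app-01", "5.3.17", 11, "tomcat", "war", True),
    Host("app-02", "5.3.18", 11, "tomcat", "war", True),
    Host("app-03", "5.2.19.RELEASE", 17, "embedded-tomcat", "jar", True),
    Host("app-04", "5.3.9", 8, "tomcat", "war", True),
    Host("app-05", "6.0.2", 17, "tomcat", "war", True),
]


def assess_inventory(hosts):
    """Return {host name: classification} for a list of hosts."""
    return {h.name: assess(h) for h in hosts}


if __name__ == "__main__":
    for name, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```

The two-step split matters operationally: `version_is_affected` is the patch-priority signal (the advisory fix is the upgrade regardless of deployment), while `exploit_prerequisites_met` only tells you which hosts match the publicly known exploit path and therefore deserve the first maintenance window.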

See Also

https://tanzu.vmware.com/security/cve-2022-22965

http://www.nessus.org/u?718f9ac3

Plugin Details

Severity: Critical

ID: 159542

File Name: spring4shell.nbin

Version: 1.14

Type: remote

Family: CGI abuses

Published: 4/6/2022

Updated: 8/15/2022

Risk Information

VPR

Risk Factor: Critical

Score: 9.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:H/RL:OF/RC:C

CVSS Score Source: CVE-2022-22965

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:pivotal_software:spring_framework, cpe:/a:vmware:spring_framework

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 3/31/2022

Vulnerability Publication Date: 3/31/2022

CISA Known Exploited Dates: 4/25/2022

Exploitable With

Metasploit (Spring Framework Class property RCE (Spring4Shell))

Reference Information

CVE: CVE-2022-22965