The Spring Framework is an application framework and inversion of the control container for the Java platform developed by VMware. CVE-2022-22965 affects Spring Core and allows an attacker to send a specially crafted HTTP request to bypass protections in the library’s HTTP request parser, leading to remote code execution. Multiple proof of concepts (POCs) have been published and are being used for active exploitation. The vulnerability is called “Spring4Shell” or “SpringShell”.
The developers of Spring have stated that for successful exploitation to happen, the following conditions have to be met:
Spring MVC and Spring WebFlux applications running on Java version JDK9+
The applications are running on Tomcat as a WAR deployment
While the above two conditions are what’s required, the scope of the exploit is more general. This implies that there is a chance for other exploit vectors to be present.
A malicious user could exploit this Remote Code Execution vulnerability to gain unauthorized access to the server, steal user data, and cause undesirable side effects on the vulnerable machine.
Spring Framework versions 5.3.0 to 5.3.17 and versions 5.2.0 to 5.2.19
The Spring Developers have released the security update for this vulnerability in versions 5.2.20+ and 5.3.18+. It is recommended that all users upgrade to the latest applicable patched versions ASAP. For users who cannot upgrade their Spring framework, the developers have suggested the following workarounds:
Please Enter your Email Address and Get New Updates.
