Spring Framework maintainers have released an emergency patch to address a newly discovered remote code execution flaw that could allow an unauthenticated attacker to take control of a target system if successfully exploited.
The high-severity bug tracked as CVE-2022-22965 affects Spring Framework versions 5.3.0 through 5.3.17, 5.2.0 through 5.2.19, and other older unsupported versions. Users are recommended to update to versions 5.3.18 or later and 5.2.20 or later.
The Spring Framework is a Java framework that provides infrastructure support for web application development.
“The vulnerability affects Spring MVC [model–view–controller] and Spring WebFlux applications running on [Java Development Kit] 9+,” said Spring.io’s Rossen Stoyanchev in an advisory published Thursday.
“The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable JAR, i.e. by default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general and there might be other ways to exploit it,” Stoyanchev added.
“The exploit requires an endpoint with DataBinder enabled (e.g. a POST request that automatically decodes data from the request body) and depends heavily on the servlet container for the application,” said Praetorian researchers Anthony Weems and Dallas Kaman.
However, Spring.io warned that the “nature of the vulnerability is more general” and that there might be other ways to weaponize the bug that haven’t yet come to light.
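As a defensive illustration of the “endpoint with DataBinder enabled” condition above, here is a global denylist for request-parameter binding in the shape of the interim workaround Spring published alongside the fix. This is an added example, not code from the article, from Praetorian, or from the Spring project; the class name is this example’s own.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applies to every @Controller in the application. LOWEST_PRECEDENCE is used
// so this advice sits last among global advices; the class name is an
// assumption of this example.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Reject any request parameter whose property path steps from a bound
        // object into its Class object (directly or via a nested property).
        // The patterns follow the workaround pattern Spring documented for
        // CVE-2022-22965 on JDK 9+ and match field names case-sensitively,
        // hence both spellings.
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

setDisallowedFields replaces rather than appends, so any controller with its own @InitBinder that calls it must repeat these patterns. This is a stopgap for hosts that cannot upgrade immediately; the fix is the patched 5.3.18 / 5.2.20 releases named above.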
The patch comes as a Chinese-speaking researcher briefly released a GitHub commit on March 30, 2022 that contained proof-of-concept (PoC) exploit code for CVE-2022-22965 before it was removed.
Spring.io, a subsidiary of VMware, noted that it was first made aware of the vulnerability “late Tuesday evening, just before midnight, GMT time by codeplutos, meizjm3i from AntGroup FG Security Lab”. It also credited cybersecurity firm Praetorian with reporting the bug.