
Researchers Warn of RCE Bug in Spring Framework

UPDATE--There is a vulnerability in the Spring Core Java framework that, in certain configurations, is simple to exploit and can lead to remote code execution. There are some exploits circulating, but they’re not universally effective.

The vulnerability affects Spring Core on JDK9+, and researchers have confirmed that it can lead to remote code execution under some specific circumstances.

"The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it," Rossen Stoyanchev, a Spring committer, said in an advisory Thursday.

Researchers have developed a reliable method to exploit the flaw, but as Stoyanchev said, it requires some specific configurations.

“In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted HTTP request to a vulnerable system. However, exploitation of different configurations will require the attacker to do additional research to find payloads that will be effective,” an analysis of the vulnerability by Anthony Weems and Dallas Kaman of Praetorian says.

“Exploitation requires an endpoint with DataBinder enabled (e.g. a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application. For example, when Spring is deployed to Apache Tomcat, the WebAppClassLoader is accessible, which allows an attacker to call getters and setters to ultimately write a malicious JSP file to disk. However, if Spring is deployed using the Embedded Tomcat Servlet Container the classloader is a LaunchedURLClassLoader which has limited access.”

Spring Framework 5.3.18 and 5.2.20 have been released to address the bug (CVE-2022-22965).

"The issue was first reported to VMware late on Tuesday evening, close to Midnight, GMT time by codeplutos, meizjm3i of AntGroup FG. On Wednesday we worked through investigation, analysis, identifying a fix, testing, while aiming for emergency releases on Thursday. In the mean time, also on Wednesday, details were leaked in full detail online," Stoyanchev said.

The vulnerability itself allows the attacker to bypass the fix for a 12-year-old bug in Spring that allowed an attacker to execute arbitrary code by sending a specific HTTP request to a vulnerable endpoint, followed by a malicious .jar file.

On Wednesday, reports of the Spring vulnerability began to circulate and a working exploit written in Chinese was later posted to GitHub. Researchers soon confirmed the exploitability of the bug and the analysts at Praetorian shared the details of their research with the Spring maintainers. There is no fix available for the vulnerability yet, but the Praetorian researchers recommend that enterprises running vulnerable versions of the Spring framework add dangerous DataBinder patterns to a blocklist to prevent them from being reachable.
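The blocklist mitigation described above can be applied globally with a controller advice, for applications that cannot yet move to the patched releases. This is an added example, not code from Praetorian or the Spring project; the package and class names are hypothetical, and the patterns deny binding to any `class` property path.

```java
package com.example.security; // hypothetical package name

import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Applies a global denylist to every WebDataBinder so that request
 * parameters can never be bound to the "class" property of a target object.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // run after other global advice so the denylist is applied last
public class BinderDenylistAdvice { // hypothetical class name

    // Field patterns that reach java.lang.Class through a bound object,
    // at the top level or nested under another property.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void denyClassProperties(WebDataBinder binder) {
        // Merge with any fields already disallowed by earlier advice
        // instead of replacing them.
        Set<String> merged = new LinkedHashSet<>();
        String[] existing = binder.getDisallowedFields();
        if (existing != null) {
            merged.addAll(Arrays.asList(existing));
        }
        merged.addAll(Arrays.asList(DENYLIST));
        binder.setDisallowedFields(merged.toArray(new String[0]));
    }
}
```

A controller that calls `setDisallowedFields` in its own `@InitBinder` method overrides this global setting, so such controllers need the same patterns added locally.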

This story was updated on March 31 to add information from the Spring advisory.