{
  "threat_severity" : "Important",
  "public_date" : "2022-03-30T00:00:00Z",
  "bugzilla" : {
    "description" : "spring-framework: RCE via Data Binding on JDK 9+",
    "id" : "2070348",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2070348"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-94",
  "details" : [ "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.", "A flaw was found in the Spring Framework, specifically in the Spring MVC and Spring WebFlux modules, which inherit it from the request-parameter data binding implemented in Spring Beans. By submitting specially crafted request parameters whose property paths traverse the class property of a bound object, an attacker can reach objects that data binding is not meant to expose, such as the class loader, and potentially execute arbitrary code inside the Java Virtual Machine." ],
  "statement" : "The reporter of this flaw provided a proof-of-concept that relied on Apache Tomcat: it reached Tomcat's classloader through the bound object's class property, changed Tomcat's logging properties so that a web shell was written into the web application's root directory, and was then able to execute arbitrary commands through that shell.\nSeveral conditions are required for this exploit:\n- Java 9 or newer\n- Apache Tomcat as the Servlet container\n- application packaged as a WAR file\n- spring-webmvc or spring-webflux dependency\n- no protection against malicious data bindings (for example, a WebDataBinder allow list or disallowed-field list)\nThere may be other exploit paths than this one, possibly not involving Tomcat.",
  "affected_release" : [ {
    "product_name" : "CEQ 2.2.1-1 (CVE-2022-22965)",
    "release_date" : "2022-04-11T00:00:00Z",
    "advisory" : "RHSA-2022:1306",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2.2.1"
  }, {
    "product_name" : "Red Hat AMQ 7.8.6",
    "release_date" : "2022-04-27T00:00:00Z",
    "advisory" : "RHSA-2022:1626",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat AMQ 7.9.4",
    "release_date" : "2022-04-27T00:00:00Z",
    "advisory" : "RHSA-2022:1627",
    "cpe" : "cpe:/a:redhat:amq_broker:7",
    "package" : "spring-webmvc",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Fuse 7.10.2",
    "release_date" : "2022-04-13T00:00:00Z",
    "advisory" : "RHSA-2022:1360",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "spring-webmvc",
    "impact" : "low"
  }, {
    "product_name" : "RHDM 7.12.1 async",
    "release_date" : "2022-04-14T00:00:00Z",
    "advisory" : "RHSA-2022:1379",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.12",
    "package" : "spring-webmvc",
    "impact" : "low"
  }, {
    "product_name" : "RHINT Camel-K 1.6.5",
    "release_date" : "2022-04-12T00:00:00Z",
    "advisory" : "RHSA-2022:1333",
    "cpe" : "cpe:/a:redhat:integration:1",
    "package" : "spring-beans",
    "impact" : "low"
  }, {
    "product_name" : "RHPAM 7.12.1 async",
    "release_date" : "2022-04-14T00:00:00Z",
    "advisory" : "RHSA-2022:1378",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.12",
    "package" : "spring-webmvc",
    "impact" : "low"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "fix_state" : "Affected",
    "package_name" : "spring-beans",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss A-MQ 6",
    "fix_state" : "Fix deferred",
    "package_name" : "spring-webmvc",
    "cpe" : "cpe:/a:redhat:jboss_amq:6",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Fix deferred",
    "package_name" : "spring-webmvc",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Fix deferred",
    "package_name" : "rhvm-dependencies",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-22965\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-22965\nhttps://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement\nhttps://tanzu.vmware.com/security/cve-2022-22965\nhttps://www.cyberkendra.com/2022/03/spring4shell-details-and-exploit-code.html\nhttps://www.praetorian.com/blog/spring-core-jdk9-rce/\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog" ],
  "csaw" : true,
  "name" : "CVE-2022-22965",
  "mitigation" : {
    "value" : "For those who are not able to upgrade the affected Spring artifacts to the fixed versions (Spring Framework 5.3.18 and 5.2.20, or Spring Boot 2.6.6 and 2.5.12, which depend on them), there is a workaround that can be applied in the application itself: register a global @ControllerAdvice with an @InitBinder method that calls setDisallowedFields on the WebDataBinder with the patterns \"class.*\", \"Class.*\", \"*.class.*\" and \"*.Class.*\". Note that a controller whose own @InitBinder method calls setDisallowedFields replaces the global list rather than extending it, so such controllers must add the same patterns locally.\nFor full implementation details, see Spring's early announcement post in the \"suggested workarounds\" section: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds",
    "lang" : "en:us"
  }
}
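The record's mitigation describes the WebDataBinder denylist only in words. The following is an added example, written for this page and not taken from the Red Hat record or from Spring's advisory, that shows the global @ControllerAdvice denylist in code and, alongside it, a stand-alone check (no servlet container needed) that the same patterns actually suppress a class.* property path. The reason JDK 9+ matters is visible in the constructed sample path: Java 9 added Class.getModule(), and Module.getClassLoader() exposes the class loader through class.module.classLoader, a traversal that the older class.classLoader block did not cover. The Person bean, the BinderControllerAdvice class name and the someProperty leaf are assumptions for illustration; the path is shaped like the attack but is not a working payload.

```java
// Added example (not from the Red Hat record or Spring's advisory): the global
// WebDataBinder denylist described under "mitigation", plus a stand-alone
// check that the denylist suppresses a class.* property path before binding.
import org.springframework.beans.MutablePropertyValues;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.validation.DataBinder;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

public class Spring4ShellDenylist {

    // The four patterns from Spring's suggested workaround. The capitalised
    // variants are listed because the pattern match is case-sensitive in the
    // affected releases; the "*.class.*" forms cover nested bean properties.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    // Global advice applied to every controller's data binder. In a real
    // project this would be its own top-level @ControllerAdvice class.
    // A controller whose own @InitBinder calls setDisallowedFields replaces
    // this list rather than extending it, so it must repeat the patterns.
    @ControllerAdvice
    @Order(Ordered.LOWEST_PRECEDENCE)
    public static class BinderControllerAdvice {
        @InitBinder
        public void denyClassLoaderFields(WebDataBinder binder) {
            binder.setDisallowedFields(DENYLIST);
        }
    }

    // Hypothetical form-backing bean, as a controller might bind from request params.
    public static class Person {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Binds a constructed parameter set against Person with the denylist applied and
    // returns the property paths the binder refused (recorded as suppressed fields).
    static String[] suppressedFields() {
        DataBinder binder = new DataBinder(new Person());
        binder.setDisallowedFields(DENYLIST);

        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("name", "alice");
        // Constructed illustration of the attack shape: on JDK 9+ every bound object
        // exposes class.module.classLoader via Class.getModule(). "someProperty" is a
        // placeholder leaf, not a working payload.
        pvs.add("class.module.classLoader.someProperty", "attacker-controlled");

        binder.bind(pvs);
        return binder.getBindingResult().getSuppressedFields();
    }

    public static void main(String[] args) {
        // Expected: the class.module.classLoader.someProperty path is listed as
        // suppressed, while "name" binds normally.
        System.out.println("suppressed: " + String.join(",", suppressedFields()));
    }
}
```

The stand-alone check uses the plain DataBinder rather than a web request, so it runs anywhere the spring-beans and spring-context jars are on the classpath; the suppressed-field list is the same mechanism a WebDataBinder uses when a request parameter matches a disallowed pattern. Treat the denylist as a stopgap: it blocks the known traversal but not the underlying flaw, and upgrading to a fixed Spring Framework release remains the real fix.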