RHSB-2022-003 Spring Remote Code Execution - (CVE-2022-22963, CVE-2022-22965)
Executive summary
Red Hat Product Security is aware of two vulnerabilities affecting Spring MVC (CVE-2022-22965, part of the Spring Framework) and Spring Cloud Function (CVE-2022-22963). Public proof-of-concept exploits exist that can lead to remote code execution, and exploitation of these vulnerabilities has been reported.
Red Hat Product Security rated CVE-2022-22963 (Spring Cloud Function) as Critical impact. The Spring MVC flaw CVE-2022-22965, branded Spring4Shell by its finder, is rated Important.
The following Red Hat product versions are affected. “Affected” means that the vulnerable code is present in the product, regardless of how the product is used or which mitigations are in place; whether that code is actually exploitable in a given product is a separate question (see the FAQ entry on “Affected” versus “Vulnerable”).
Spring Cloud Function (CVE-2022-22963)
OpenShift Serverless
Spring MVC (CVE-2022-22965)
Red Hat Decision Manager 7
Red Hat Process Automation Manager 7
Red Hat Enterprise Virtualization 4
Red Hat AMQ Messaging 6.3
Red Hat AMQ Messaging 7
Red Hat Fuse 6
Red Hat Fuse 7
Technical summary
The CVE-2022-22965 flaw lies in Spring Framework, specifically in two modules called Spring MVC and Spring WebFlux. An attacker can pass in specially-constructed malicious requests with certain parameters and possibly gain access to normally-restricted functionality within a Java Virtual Machine.
Spring has provided update fixes (Spring Framework 5.2.20 & 5.3.18). The details are in Spring.io's early announcement post. The CVE advisory cautions that the vulnerability is "general, and there may be other ways to exploit it."
Red Hat Product Security advises everyone using the affected software to upgrade to fixed versions as soon as possible.
The CVE-2022-22963 flaw was found in Spring Cloud Function, where an attacker can pass malicious code to the server via an unvalidated HTTP header, spring.cloud.function.routing-expression. A payload of expression language (SpEL) code in that header results in arbitrary code execution by the Cloud Function service. Spring has released fixes in Spring Cloud Function 3.1.7 and 3.2.3.
Affected customers should update the software as soon as patched software is available.
Mitigation
For CVE-2022-22965, Red Hat Product Security strongly recommends affected customers update their affected products once the update is available. For customers who cannot update immediately, risk and exposure can be reduced by the following measures:
Use OpenJDK 8 or lower (the published exploit requires Java 9 or newer).
Deploy the application as an executable JAR instead of a WAR file.
Remove the spring-webmvc or spring-webflux dependencies.
For CVE-2022-22963, no other mitigation steps are currently available and affected customers should update immediately as soon as patched software is available.
Technical details
The CVE-2022-22965 flaw in Spring MVC and Spring WebFlux lies in parameter data binding, the mechanism that maps request data onto objects the application can use.
The reporter of this flaw provided a proof of concept that relied on Apache Tomcat: it reached the classloader through the bound object, changed Tomcat's logging properties so that a web shell was written into Tomcat's root directory, and then used that shell to run arbitrary commands.
There are several conditions required to achieve this exploit via the published proof of concept:
Java 9 or newer
Apache Tomcat as the Servlet container
Application packaged as a WAR file
spring-webmvc or spring-webflux dependency
No protections in place against malicious data binding (e.g. a WebDataBinder allow list)
There may be other exploit paths than this, including using an alternative to Tomcat.
The CVE-2022-22963 flaw occurs in the Spring Cloud Function module, via the spring.cloud.function.routing-expression header, which the attacker modifies to contain malicious expression language code. The attacker is then able to call functions that should not normally be accessible, including runtime exec calls.
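The two indicators described above (request parameter names that walk into the bound object's class property graph, and the routing-expression header) translate directly into request-inspection logic. The following is an added example written for this bulletin; it is not Red Hat's detection script and not Spring code. It assumes raw HTTP/1.1 request text as input, uses the disallowed-field patterns from Spring's early announcement (class.*, Class.*, *.class.*, *.Class.*) as the CVE-2022-22965 signal, and runs over constructed sample requests, one of which uses the defaultAssertionStatus property mentioned in the FAQ:

```python
"""Detection logic for the two request-level indicators in this bulletin.

Added illustration, not the bulletin's own tooling. Assumed input: raw HTTP/1.1
request text. Indicators:
  * CVE-2022-22965: parameter names that walk into the bound object's `class`
    property graph (the names Spring's announcement says to block with
    WebDataBinder.setDisallowedFields()).
  * CVE-2022-22963: the spring.cloud.function.routing-expression header.
"""
from fnmatch import fnmatchcase
from urllib.parse import parse_qs, urlsplit

# Spring's recommended setDisallowedFields() patterns. Spring's '*' matches any
# run of characters, dots included, which fnmatchcase reproduces.
DISALLOWED_FIELD_PATTERNS = ("class.*", "Class.*", "*.class.*", "*.Class.*")
ROUTING_HEADER = "spring.cloud.function.routing-expression"


def parse_raw_request(raw):
    """Minimal HTTP/1.1 parser: returns (method, path, headers, param_names).

    Parameter names are percent-decoded because the data binder sees the
    decoded name; matching the raw query string would miss an encoded dot.
    Header names are lower-cased since HTTP header names are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = list(parse_qs(url.query, keep_blank_values=True))
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        params += list(parse_qs(body, keep_blank_values=True))
    return method, url.path, headers, params


def disallowed_params(param_names):
    """Parameter names matching any of Spring's disallowed-field patterns."""
    return [p for p in param_names
            if any(fnmatchcase(p, pat) for pat in DISALLOWED_FIELD_PATTERNS)]


def inspect_request(raw):
    """Return a list of (cve, detail) findings for one raw request."""
    _method, _path, headers, params = parse_raw_request(raw)
    findings = []
    hits = disallowed_params(params)
    if hits:
        findings.append(("CVE-2022-22965", "binding parameter(s): " + ", ".join(hits)))
    if ROUTING_HEADER in headers:
        detail = "routing-expression header present"
        # 'T(' is SpEL's type-reference operator, the usual way to reach
        # java.lang.Runtime from an expression; its presence is the stronger signal.
        if "T(" in headers[ROUTING_HEADER]:
            detail += " with SpEL type reference"
        findings.append(("CVE-2022-22963", detail))
    return findings


# Constructed sample traffic (not captures from a real incident).
SAMPLE_REQUESTS = [
    # 0: ordinary form login, no indicators
    "POST /login HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=alice&password=s3cret",
    # 1: CVE-2022-22965 style binding into the classloader property graph
    "GET /search?q=x&class.module.classLoader.resources.context.parent"
    ".pipeline.first.pattern=test HTTP/1.1\r\nHost: app.example\r\n\r\n",
    # 2: same indicator, dots percent-encoded and 'Class' capitalised
    "POST /profile HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "Class%2Emodule%2EclassLoader%2EdefaultAssertionStatus=true",
    # 3: CVE-2022-22963 routing-expression header carrying a SpEL type reference
    "POST /functionRouter HTTP/1.1\r\nHost: fn.example\r\n"
    "spring.cloud.function.routing-expression: "
    "T(java.lang.Runtime).getRuntime().exec('id')\r\n"
    "Content-Type: text/plain\r\n\r\nhello",
    # 4: benign names that merely contain the word 'class'
    "GET /items?className=Widget&sort=name HTTP/1.1\r\nHost: app.example\r\n\r\n",
]


def inspect_samples():
    """Run every constructed sample; returns one findings list per request."""
    return [inspect_request(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for raw, found in zip(SAMPLE_REQUESTS, inspect_samples()):
        print(raw.split("\r\n", 1)[0], "->", found or "clean")
```

Matching runs on percent-decoded names because that is what WebDataBinder binds against; a raw-string rule would let an encoded dot through. The header check flags presence alone, since the bulletin describes the header as unvalidated attacker input; if your deployment legitimately routes by that header, narrow the rule to the type-reference case. Either way this is a stopgap for a WAF or log pipeline, not a substitute for the fixed versions.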
Updates for affected products
Red Hat customers running affected versions of these Red Hat products are strongly recommended to update as soon as errata are available.
Customers are urged to apply the available updates immediately and to enable whichever of the mitigations above they consider appropriate in the meantime.
Product | Component(s) | Advisory/Update [1] |
Red Hat Decision Manager 7 | spring-webmvc | |
Red Hat Process Automation Manager 7 | spring-webmvc | |
Red Hat AMQ Messaging 6.3 | spring-webmvc | Will not fix |
Red Hat AMQ Messaging 7 | spring-webmvc | |
Red Hat Fuse 6 | spring-webmvc | Will not fix |
Red Hat Fuse 7 | spring-webmvc | |
Red Hat Enterprise Virtualization 4 | rhvm-dependencies | Will not fix |
Red Hat Camel K 1 | spring-beans | RHSA-2022:1333 |
Red Hat Camel Quarkus 1 | spring-beans | RHSA-2022:1306 |
[1] Advisory/Update link will be added once updates are live.
Diagnose
A vulnerability detection script has been developed to determine if your system is currently affected by this flaw. To verify the authenticity of the script, you can download the detached OpenPGP signature as well. Instructions on how to use GPG signatures for verification are available on the Customer Portal.
Ansible Playbook
Additionally, an Ansible playbook is available to run the detection script on many hosts at once. The playbook requires an additional vars file, which controls its operation. Detached GPG signatures are available for the playbook and its vars file. After downloading the playbook and its associated vars file, edit the vars file to tailor it to your environment.
You should specify:
detector_path: The path the detection script will scan for vulnerable archives.
detector_dir: The playbook will copy the detection script to this directory on remote hosts.
detector_run_dir: The path the detection script will use for temporary storage.
To run the playbook, you will need to specify two extra vars on the command line:
HOSTS: The host(s) or group(s) to scan, as defined in your Ansible inventory.
vars_file: The path to the vars file.
For example:
# ansible-playbook -e HOSTS=all -e vars_file=cve-2022-22963-vars.yml cve-2022-22963-script-runner.yml
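To show what a scan of detector_path involves under the hood, the following is an added illustration written for this bulletin. It is not Red Hat's signed detection script and is not a replacement for it. It walks a directory, opens every JAR, WAR and EAR including jars nested inside them, identifies Spring Beans and Spring Cloud Function by their Maven pom.properties entry or, failing that, by file name, and compares the version found with the fixed releases named in this bulletin. Two assumptions are built in: that the routing code ships in the spring-cloud-function-context artifact, and that lines older than the oldest fixed branch are reported as unfixed, because the bulletin names no safe floor. The sample directory tree it scans is constructed inline.

```python
"""Illustrative archive scanner (added example, not Red Hat's signed detection
script): walks a path, opens JAR/WAR/EAR files including jars nested inside
them, and reports Spring Beans / Spring Cloud Function versions older than the
fixed releases named in this bulletin."""
import io, os, re, tempfile, zipfile

# (groupId, artifactId) -> (CVE, [((major, minor) branch, first fixed version)]).
# Assumption: Spring Cloud Function's routing code ships in spring-cloud-function-context.
WATCHED = {
    ("org.springframework", "spring-beans"): ("CVE-2022-22965", [((5, 2), (5, 2, 20)), ((5, 3), (5, 3, 18))]),
    ("org.springframework.cloud", "spring-cloud-function-context"): ("CVE-2022-22963", [((3, 1), (3, 1, 7)), ((3, 2), (3, 2, 3))]),
}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
_NAME_RE = re.compile(r"(spring-beans|spring-cloud-function-context)-(\d+\.\d+\.\d+)[^/]*\.jar$")

def parse_version(text):
    """'5.3.17.RELEASE' -> (5, 3, 17); None if it does not start with x.y.z."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def vulnerable_cve(key, version):
    """CVE id if this version predates its branch's fix, else None.
    Assumption: lines older than the oldest fixed branch (e.g. 5.1.x) carry no fix."""
    cve, branches = WATCHED[key]
    for branch, fixed in branches:
        if version[:2] == branch:
            return cve if version < fixed else None
    return cve if version < min(fixed for _, fixed in branches) else None

def identify_jar(zf, jar_name):
    """((groupId, artifactId), version) via Maven pom.properties, else the file name."""
    for group, artifact in WATCHED:
        pom = "META-INF/maven/%s/%s/pom.properties" % (group, artifact)
        if pom in zf.namelist():
            for line in zf.read(pom).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return (group, artifact), parse_version(line[len("version="):])
    m = _NAME_RE.search(jar_name)
    if m:
        return next(k for k in WATCHED if k[1] == m.group(1)), parse_version(m.group(2))
    return None

def scan_archive(zf, label, findings, depth=0):
    """Check one open archive, then recurse (bounded) into archives nested in it."""
    ident = identify_jar(zf, label)
    cve = vulnerable_cve(*ident) if ident and ident[1] else None
    if cve:
        findings.append((label, ident[0][1], ".".join(map(str, ident[1])), cve))
    for entry in zf.namelist():
        if depth < 3 and entry.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(entry)))
            except zipfile.BadZipFile:
                continue  # suffix says archive, content disagrees
            with inner:
                scan_archive(inner, label + "!" + entry, findings, depth + 1)

def scan_path(root):
    """Walk root; return [(location, artifact, version, cve)] for unfixed jars."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in files if n.lower().endswith(ARCHIVE_SUFFIXES)):
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, path, findings)
            except zipfile.BadZipFile:
                continue
    return findings

def _jar_bytes(group, artifact, version, with_pom=True):
    """In-memory jar carrying (optionally) a Maven pom.properties entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_pom:
            zf.writestr("META-INF/maven/%s/%s/pom.properties" % (group, artifact),
                        "version=%s\ngroupId=%s\nartifactId=%s\n" % (version, group, artifact))
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed fixture, not a real deployment: a WAR bundling an unfixed spring-beans,
    a fixed spring-beans jar, and a Spring Cloud Function jar identifiable only by name."""
    os.makedirs(os.path.join(root, "lib"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/spring-beans-5.3.17.jar",
                    _jar_bytes("org.springframework", "spring-beans", "5.3.17"))
    for rel, data in (
        ("app.war", war.getvalue()),
        ("lib/spring-beans-5.3.18.jar", _jar_bytes("org.springframework", "spring-beans", "5.3.18")),
        ("lib/spring-cloud-function-context-3.2.2.jar", _jar_bytes(
            "org.springframework.cloud", "spring-cloud-function-context", "3.2.2", with_pom=False)),
    ):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

def demo():
    """Build the fixture in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_path(tmp)

if __name__ == "__main__":
    for location, artifact, version, cve in demo():
        print("%s: %s %s at %s" % (cve, artifact, version, location))
```

Running the file directly scans the built-in fixture and reports the nested 5.3.17 spring-beans and the 3.2.2 Spring Cloud Function jar while staying silent on the fixed 5.3.18 jar; call scan_path() on a real directory to scan your own hosts. It will miss shaded or repackaged copies of spring-beans whose pom.properties and file name were rewritten, which is one reason to prefer the signed script and to treat a clean result as evidence rather than proof.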
FAQ
Q: Does the application server matter? Reports emphasize Tomcat - is the situation different for Wildfly/JBoss?
A: The Spring announcement refers to no other official PoC exploits, but several people have pointed out that this is likely not the only exploit path. So while we cannot say that other application servers are vulnerable, we cannot say with 100% confidence that they are clear either.
Even on a flat classpath (no classloader per deployment) it IS possible to at least set the java.lang.ClassLoader#defaultAssertionStatus flag using the vulnerable binding mechanism in Spring Beans 5.3.17 or earlier. So while Wildfly, JBoss EAP, Tomcat, etc. may not themselves contain the vulnerable code, Red Hat recommends updating any application that packages Spring Beans to resolve the CVE.
Q: I use a Red Hat product (for example, RHEL) and it is not listed on this page and the CVE pages. Is it affected?
A: If it is not listed in this document and on the CVE Pages marked as “Affected,” then the product is not affected by these CVEs.
Q: What is the distinction between “Affected” and “Vulnerable”?
A: Affected means that the flawed code exists in the product. Vulnerable means that it is actually exploitable in the product. It is perfectly possible to have “Affected but not Vulnerable” situations - that happens when the functionality is disabled, not exposed, mitigated, etc.
References
https://tanzu.vmware.com/security/cve-2022-22963
https://tanzu.vmware.com/security/cve-2022-22965
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
How to use GPG to verify signed content from Product Security