3:25pm, 1 April 2022
Active exploitation of RCE in Java’s Spring Framework
Updated: 2:30pm, 1 April 2021 to provide the latest information on version upgrades and new vulnerability information
There are two critical RCE vulnerabilities in Java’s Spring Framework.
- A new critical Remote Code Execution (RCE) vulnerability (CVE-2022-22963) was discovered in Java’s Spring Cloud Functions. There are patches available for this vulnerability which should be applied to affected systems as soon as possible.
- A vulnerability (CVE-2022-22965) in Spring Core that could lead to unauthenticated RCE, has also been discovered. It has been titled by some researchers as “Spring4Shell” or “SpringShell”.
There are reports of proof-of-concept code and active exploitation for both vulnerabilities.
What to look for
How to tell if you're at risk
For CVE-2022-22963, you’re at risk if you are using Spring Cloud versions earlier than:
For CVE-2022-22965, Spring4Shell, you’re at risk if you are using Spring Core:
- With Spring Framework version 5.3.0 to 5.3.17
- With Spring Framework version 5.2.0 to 5.2.19
- With older Spring Framework version
For Spring4Shell vulnerability, you’re at risk if you are using:
- JDK9 and above
- Spring-Beans package
- Spring parameter binding
- Spring parameter binding that uses non-basic parameter types, such as general POJOs
For Spring4Shell you can check if you vulnerable using the Vulnerability scanner External Link
What to do
For CVE-2022-22963 upgrade to Spring Cloud Function version:
- 3.1.7 (or higher)
- 3.2.3 (or higher)
For CVE-2022-22965 upgrade to Spring Core with Framework version:
- 3.18 (or higher)
- 2.19 (or higher)
For Spring4Shell vulnerability:
- On your Web Application Firewall, implement filtering and monitoring rules referencing “class” ("class.*", "*.class.*", "Class.*", and "*.Class.*")
- If you use YARA, check this page on how to detect Spring4Shell: YARA rules to detect Spring4Shell related activities External Link
- Monitor Lunasec's blog for latest updates on further mitigation measures: Lunasec's blog summary of both Spring vulnerabilities External Link
Monitor latest updates for further mitigation measures:
Official post from Spring: Spring Framework RCE, Early Announcement External Link
Cyber Kendra's blog post for Spring4Shell External Link
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.