Security professionals have identified a new zero-day vulnerability in the Spring Framework, an application development framework for Java. This vulnerability (tracked as CVE-2022-22965) can allow attackers to execute unauthenticated remote code. Spring has released Spring Framework versions 5.3.18 and 5.2.20 which addresses this vulnerability, and Barracuda MSP’s SOC recommends updating as soon as possible.
Technical Detail & Additional Information
WHAT IS THE THREAT?
A remote code execution vulnerability currently exists in the Spring Framework. It allows attackers to perform unauthenticated remote code execution attacks. The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+ on any Spring Framework version that is prior to 5.2.20 and 5.3.18.
WHY IS IT NOTEWORTHY?
Spring is a widely utilized application development framework for Java, and many applications both enterprise and personal could be at risk. Internet-exposed applications should be updated to fix versions as soon as possible to stop attackers from detecting vulnerable applications with a simple scan and from exploiting this vulnerability by sending a specially crafted HTTP request.
WHAT IS THE EXPOSURE OR RISK?
Spring MVC or Spring WebFlux applications running on JDK 9+ can be vulnerable against this remote code execution via the data binding. Data Binding allows user input to be dynamically bound to the domain model of an application. When exploited, this vulnerability can allow attackers to execute arbitrary code on targeted systems.
WHAT ARE THE RECOMMENDATIONS?
Barracuda MSP’s SOC recommends the following actions to help mitigate this threat:
- Upgrade to Spring Framework version 5.3.18 and 5.2.20
- For affected applications, monitor process execution and application logs for anomalous behaviour
- If you don’t have a Web Application Firewalls (WAF) deployed in front an affected Spring-based applications, consider deploying a WAF as many WAF vendors will publish definition to help protect against such attack.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.