- ID: CVE-2022-22965
- CVSS: 9.8 of 10
- Severity: Critical
- Type: Remote Code Execution
- Error type: Parameters binding error in the “getCachedIntrospectionResults” method
Technical Explanation
Spring Core running on JDK 9 or later is vulnerable to a security flaw related to an older vulnerability (CVE-2010-1622); the fixes introduced at that time can now be bypassed.
Spring Core is a popular Java framework for building modern Java web applications.
In a specific configuration, exploiting this vulnerability is simple: the attacker only needs to send a single crafted HTTP request to the vulnerable system.
Exploitation needs an endpoint with an active DataBinder (for instance, a POST handler that automatically binds data from the request body to an object), and it depends heavily on the servlet container running the application. For example, when Spring is deployed on Apache Tomcat, the WebAppClassLoader is reachable through the binder, which lets the attacker invoke setter and getter methods on it and ultimately write a malicious JSP file to disk. If, however, Spring is deployed with an embedded Tomcat servlet container, the class loader is a LaunchedURLClassLoader with far more limited access.
This vulnerability affects Spring MVC and Spring WebFlux applications running on JDK 9 or later. The specific configuration needed for the known exploit is an application packaged as a WAR and deployed on Tomcat. If the application is deployed as a Spring Boot executable jar (the default), it is not vulnerable to this particular exploit. The underlying flaw is more general, however, and other exploitation paths may exist.
Am I vulnerable?
- Potentially vulnerable: any application using a Spring Framework version earlier than 5.3.18 or 5.2.20 together with JDK 9 or higher.
- Vulnerable: in addition to the first condition, the application uses the @RequestMapping annotation or one of its variants (such as @PostMapping) and binds request data to object-typed parameters (i.e. Plain Old Java Objects, POJOs) in at least one handler method; a threat actor can then exploit the vulnerability.
- Extremely at risk: in addition to the above conditions, any application running on Tomcat is at extreme risk, because Tomcat-based exploit code is publicly available.
How to test the Java version
Use the java -version command to check whether a vulnerable Java version (JDK 9 or later) is in use.
Note: run the java command from the same path and environment that is used to run your application or Tomcat, since a different JDK may be installed there.
How to test the Spring Framework version
- Look for the spring-beans-*.jar file on your server or in the application (the “*” is the version number; it should not be lower than 5.3.18 on the 5.3 branch or 5.2.20 on the 5.2 branch).
- Note that if the application is packaged (WAR or JAR), first extract it with the unzip command so the bundled jars are visible.
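As an added, defender-side example (not part of the original advisory), the following Python script automates the two checks above: it parses java -version output and lists spring-beans-*.jar entries inside a WAR or JAR without extracting it, comparing them against the fixed releases 5.3.18 and 5.2.20. The function names are my own, and the sample WAR it builds is constructed in memory for demonstration.

```python
import io
import re
import zipfile

# Fixed releases per branch, as given in the advisory; anything older in that branch is vulnerable.
FIXED_RELEASES = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
# Matches e.g. WEB-INF/lib/spring-beans-5.3.17.jar or BOOT-INF/lib/spring-beans-5.2.19.RELEASE.jar
JAR_RE = re.compile(r"(?:^|/)spring-beans-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

def spring_beans_status(version):
    """Classify a (major, minor, patch) spring-beans version as 'fixed', 'vulnerable' or 'unknown'."""
    major, minor, patch = version
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        # Unsupported older branches (5.1 and below) got no fixed release; newer branches are not covered here.
        return "vulnerable" if (major, minor) < (5, 2) else "unknown"
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"

def java_is_affected(version_output):
    """True when `java -version` reports JDK 9 or later (legacy "1.8.0_x" means 8); None if unparseable."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        return None
    major = int(m.group(1))
    return (int(m.group(2) or 0) if major == 1 else major) >= 9

def find_spring_beans(archive):
    """[(entry name, version tuple)] for each spring-beans jar packed in a WAR/JAR (path or file object)."""
    with zipfile.ZipFile(archive) as zf:
        matches = [(n, JAR_RE.search(n)) for n in zf.namelist()]
    return [(n, tuple(int(g) for g in m.groups())) for n, m in matches if m]

def assess(archive, java_version_output):
    """Combine both checks: at risk only when JDK 9+ *and* an unpatched spring-beans jar is present."""
    statuses = {name: spring_beans_status(ver) for name, ver in find_spring_beans(archive)}
    unpatched = any(s == "vulnerable" for s in statuses.values())
    java_affected = java_is_affected(java_version_output)
    return {"jars": statuses, "java_affected": java_affected,
            "at_risk": bool(java_affected) and unpatched}

def constructed_war(jar_entry):
    """Constructed sample WAR: an in-memory zip holding one empty jar entry, for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(jar_entry, b"")
    buf.seek(0)
    return buf
```

On a real host, pass the WAR path to assess() together with the captured output of java -version from the account that runs Tomcat.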
Solutions
- The best and definitive solution is to update Spring Framework to version 5.3.18 or 5.2.20.
- For older, unsupported versions, update Apache Tomcat to 10.0.20, 9.0.62, or 8.5.78 for protection. This is only a temporary mitigation; update Spring Framework to a supported version as soon as possible.
- If you cannot update Spring Framework or Apache Tomcat, downgrading to Java 8 is an acceptable workaround.
- If none of the above is possible, Spring Framework's DataBinder can disallow specific field patterns. As a permanent solution, it is recommended to create a ControllerAdvice (a component shared across all controllers) and add the risky patterns to the disallowed list as follows:
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(10000)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Reject any property path that traverses a "class"/"Class" property,
        // which blocks the class-loader access described above.
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}