[Update] Zero-Day Vulnerability in Spring Framework

Published on 31 Mar 2022

Updated on 01 Apr 2022

Update on 1 Apr 2022:

The security patch for the zero-day vulnerability (CVE-2022-22965) in Spring Framework is now available. 

The vulnerability affects Spring Framework versions 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19, as well as older, unsupported versions, when the application runs on JDK version 9.0 or above. 

Affected users are advised to upgrade Spring Framework to version 5.3.18 or 5.2.20 immediately. Users who are unable to upgrade are advised to apply the suggested workaround. More information on the vulnerability and the suggested workaround can be found here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Original alert published on 31 Mar 2022:

Security researchers have discovered a zero-day remote code execution vulnerability in the Spring Framework. The vulnerability is in Spring Core and is exploitable when the application runs on Java Development Kit (JDK) version 9.0 or above.

Successful exploitation of the vulnerability could allow an unauthenticated attacker to remotely execute arbitrary code on the target system.

The patch for this vulnerability is not available yet. In the meantime, users are advised to apply the following temporary protection and mitigation measures.

Web Application Firewall Protection
Add rules that block requests whose parameter names match the patterns "class.*", "Class.*", "*.class.*" and "*.Class.*", tuned to the actual traffic of the deployed services. Test application functionality after enabling the rules, as overly broad matching may reject legitimate requests.

Temporary Mitigation Measures
Both steps below must be performed for the temporary mitigation of the vulnerability: a controller-local @InitBinder method that calls setDisallowedFields overrides the global list, so a global class alone (step 2) does not protect such controllers.  

1. Search the whole application, including shared libraries, for the @InitBinder annotation and check whether dataBinder.setDisallowedFields is called inside the annotated method. Wherever it is, add {"class.*", "Class.*", "*.class.*", "*.Class.*"} to the existing deny list rather than replacing it. 

2. Create a global @ControllerAdvice class with an @InitBinder method that calls dataBinder.setDisallowedFields with the same patterns, and place it under a package of the application that Spring component-scans so the class is loaded. Next, recompile and repackage the project, verify the functionality, and redeploy the project.
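The two steps implemented together in Java, as an added example that is not code from this advisory or from the Spring project. It follows the global-binder workaround described in the Spring announcement linked above; the package, class, controller and form names are assumptions made for the illustration.

```java
package com.example.web; // assumed package; it must sit under a package Spring component-scans

import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

/**
 * Step 2: a global @ControllerAdvice whose @InitBinder runs for every controller
 * and adds the field-name patterns that stop request parameters from walking
 * through "class" into the ClassLoader via nested property paths.
 */
@ControllerAdvice
@Order(10000) // high order value = low precedence, so this runs after other advice beans
public class BinderControllerAdvice {

    /** The patterns named in the advisory; reused by controller-local binders. */
    public static final String[] CLASS_DENYLIST =
            {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    /**
     * Union of an existing disallowed-field list and CLASS_DENYLIST.
     * DataBinder.setDisallowedFields replaces the list rather than appending,
     * so every caller must merge instead of overwrite.
     */
    public static String[] withClassDenylist(String... existing) {
        Set<String> merged = new LinkedHashSet<>();
        if (existing != null) {
            for (String field : existing) {
                merged.add(field);
            }
        }
        for (String field : CLASS_DENYLIST) {
            merged.add(field);
        }
        return merged.toArray(new String[0]);
    }

    @InitBinder
    public void denyClassFields(WebDataBinder dataBinder) {
        // getDisallowedFields() is null when nothing was configured; the helper handles that.
        dataBinder.setDisallowedFields(withClassDenylist(dataBinder.getDisallowedFields()));
    }
}

/**
 * Step 1 illustrated on a hypothetical controller that already had a local deny list.
 * Controller-local @InitBinder methods run after the global ones, and their
 * setDisallowedFields call replaces the global list, so the local list must carry
 * the CVE patterns itself or the protection from step 2 is lost for this controller.
 */
@Controller
class AccountController {

    @InitBinder
    void restrictAccountFields(WebDataBinder dataBinder) {
        // Before the fix this read: dataBinder.setDisallowedFields("id", "role");
        dataBinder.setDisallowedFields(
                BinderControllerAdvice.withClassDenylist("id", "role"));
    }

    @PostMapping("/account")
    String updateAccount(@ModelAttribute AccountForm form) {
        return "account-updated";
    }

    /** Hypothetical form object bound from request parameters. */
    static class AccountForm {
        private String displayName;

        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
    }
}
```

A disallowed field is dropped from binding rather than causing an error, so after redeploying, confirm that normal form submissions still bind every field the application expects, and check that every controller-local @InitBinder found in step 1 now goes through the merging helper instead of calling setDisallowedFields with its own fixed list.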


More information is available here:
https://www.javai.net/post/202203/spring-0day-vulnerability/
https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/#applying-mitigations
https://www.praetorian.com/blog/spring-core-jdk9-rce/
https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html