CVE-2022-22965 (CRITICAL) - Spring Framework RCE via Data Binding on JDK 9+
Article ID: 238485

Products

APM

  • CA Application Performance Management (APM / Wily / Introscope)
  • CA Application Performance Management Agent (APM / Wily / Introscope)
  • DX Application Performance Management

Issue/Introduction

CVE-2022-22965 (CRITICAL) - Spring Framework RCE via Data Binding on JDK 9+

Vulnerability Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

These are the prerequisites for the exploit:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

Two recent Spring vulnerabilities are described at https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/. One is a Spring Cloud Function vulnerability, which does not apply here because APM does not use Spring Cloud Function. The other, known as "Spring4Shell", relies on classloader manipulation through the query parameters of an HTTP request.

Environment

  • APM on Premise
  • APM 10.7.x, 10.8.x and 20.x / 21.x / 22.x

Cause

Spring4shell analysis:

The vulnerability is explained at https://tanzu.vmware.com/security/cve-2022-22965

The root cause is an insufficient property-name blocklist in CachedIntrospectionResults (fixed in the latest version): https://github.com/spring-projects/spring-framework/blob/d4192b9d355a2d4b0be959e076c255d8b5f01bcf/spring-beans/src/main/java/org/springframework/beans/CachedIntrospectionResults.java#L290

On JDK 9+, the getModule() method added to java.lang.Class gives an attacker a property path from a bound object's Class to the classloader object that the old blocklist did not cover.

On its own, reaching the classloader object is not very useful. In Apache Tomcat with a WAR deployment, however, the classloader is a WebAppClassLoaderBase, which exposes objects the exploit relies on (specifically Tomcat's AccessLogValve, reached through the property path class.classLoader.resources.context.parent.pipeline.first).
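As an added defender-side example (not part of this article and not APM code), the following Python scans Tomcat access-log request lines for bound parameter names that traverse a class/Class property path, the data-binding pattern described above. The four globs it checks (class.*, Class.*, *.class.*, *.Class.*) are the disallowed-field patterns Spring published as an interim mitigation; the log format regex, function names and sample lines are constructed assumptions. It sees query-string parameters only, since form-encoded POST bodies are not recorded in a standard access log.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Globs Spring published for setDisallowedFields() as an interim mitigation,
# expressed as regexes: class.*, Class.*, *.class.*, *.Class.*
DISALLOWED = [re.compile(p) for p in (r"^class\.", r"^Class\.", r"\.class\.", r"\.Class\.")]

# Tomcat "common" access-log line; group 3 is the request line.
# (Assumed format; adjust the regex to your own AccessLogValve pattern.)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def is_disallowed_field(name: str) -> bool:
    """True when a bound property path names a class/Class segment, dotted or bracketed."""
    # Spring accepts bracket notation too (class[module]); normalise it to dots first.
    normalised = name.replace("[", ".").replace("]", "")
    return any(p.search(normalised) for p in DISALLOWED)


def flagged_params(request_line: str) -> list:
    """Return the parameter names in an access-log request line that match a disallowed path."""
    parts = request_line.split(" ")  # e.g. 'GET /app/greet?name=bob HTTP/1.1'
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if is_disallowed_field(k)]


def scan_access_log(lines) -> list:
    """Return (client_ip, timestamp, flagged_names) for every line with a suspicious parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, req, _status, _size = m.groups()
        names = flagged_params(req)
        if names:
            hits.append((ip, ts, names))
    return hits


# Constructed sample lines (not real traffic): two benign requests, including names that
# merely contain "class" and must not be flagged, and two that walk a class/Class path.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Mar/2022:12:00:00 +0000] "GET /app/greet?name=bob&user.address.city=Oslo HTTP/1.1" 200 512',
    '10.0.0.5 - - [31/Mar/2022:12:00:01 +0000] "GET /app/search?classic=1&subclass.id=3 HTTP/1.1" 200 77',
    '198.51.100.9 - - [31/Mar/2022:12:00:02 +0000] "GET /app/greet?class.module.classLoader.resources.context.parent.pipeline.first=x HTTP/1.1" 200 512',
    '198.51.100.9 - - [31/Mar/2022:12:00:03 +0000] "GET /app/greet?class[module][classLoader][level]=x HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, ts, names in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} flagged: {', '.join(names)}")
```

The bracket normalisation matters because Spring's binder treats `class[module]` and `class.module` as the same path; a check that only looks for the dotted form misses the second sample. Matching the four globs rather than one exact string keeps the check useful for any bean property that reaches a Class, not just the Tomcat path named in this article.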

Resolution

  • APM 10.7.x Command Center (ACC) is not affected by CVE-2022-22965 due to the exclusive use of an unaffected Java classloader. Additionally all “bean” classes are fully resolved for any calls to the affected @RequestMapping methods.
  • APM 10.7 Enterprise Manager (EM) and WebView (WV) ship with Oracle Java 8 which is not affected by CVE-2022-22965.
  • APM 20.x/21.x/22.x components are not affected by CVE-2022-22965 due to the exclusive use of an unaffected Java classloader.

Additional Information

Should you have any further questions or concerns, please open a case with Broadcom Support.