Is DX Netops Spectrum vulnerable to Spring4Shell RCE CVE-2022-22963 and CVE-2022-22965?

Article ID: 238281


Products

CA Spectrum DX NetOps

Issue/Introduction

Spring4Shell: New RCE vulnerability uncovered in Java framework

A new vulnerability in the Spring Core Java framework that could allow for unauthenticated remote code execution (RCE) on vulnerable applications was publicly disclosed yesterday (March 30), before a patch was issued.

The bug was dubbed Spring4Shell (CVE-2022-22965), and proof-of-concept exploit code was leaked on GitHub shortly after its discovery. This code was swiftly removed, but not before it was downloaded by several security researchers who confirmed the vulnerability. It was also reposted on various platforms, meaning it was available to the public, including malicious actors. BleepingComputer reported that it had been told Spring4Shell was being actively exploited in attacks prior to the release of a patch for the bug.

In a blog this morning, Spring confirmed the bug and said it had been reported to it by researchers on Tuesday night (March 29). Spring has released Spring Framework 5.3.18 and 5.2.20, which it says address the vulnerability. Corresponding Spring Boot releases are in progress.


Spring Core is a popular application framework that allows software developers to quickly and easily develop Java applications with enterprise-level features. These applications can then be deployed on servers, such as Apache Tomcat, as stand-alone packages with all the required dependencies.


The bug allows an unauthenticated attacker to execute arbitrary code on a target system. There was some initial confusion about the severity of the bug: early reports claimed that all versions of Spring Core running on a JDK version greater than or equal to 9.0 were vulnerable. However, researchers subsequently determined that Spring Core must be configured in a certain way to be vulnerable. Spring confirmed in its CVE report that certain prerequisites must be met for the bug to be exploitable.

Environment

Broadcom is actively investigating this issue to determine which products, if any, are affected and what mitigation steps will be required.

DX Netops Spectrum 21.2.8 ships Spring Framework version 5.3.15.

DX Netops Spectrum 21.2.6 ships Spring Framework version 5.3.5.

Both versions ship JDK8.

Cause

The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
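The prerequisites above can be turned into a simple inventory triage. The following is an added example written for this article, not Broadcom or Spring code: it parses constructed `java -version` output and a spring-core jar file name, then classifies the deployment against the JDK 9+, fixed-version (5.3.18 / 5.2.20) and Tomcat WAR conditions the article lists. The status labels are assumptions chosen for illustration.

```python
"""Triage helper for CVE-2022-22965 (Spring4Shell), based on the
prerequisites listed in the article. Added example, not vendor code."""
import re

# Fix versions named in the article, keyed by Spring Framework minor line.
# Older lines (e.g. 5.1.x) are not listed there, so they are treated as unpatched.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}


def jdk_major(java_version_output: str) -> int:
    """Extract the JDK major version from `java -version` text.
    Pre-9 JDKs report '1.8.0_xxx'; JDK 9+ reports '11.0.14', '17', etc."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', java_version_output)
    if not m:
        raise ValueError("no java version string found")
    major, minor = int(m.group(1)), m.group(2)
    return int(minor) if major == 1 and minor else major


def spring_version(jar_name: str) -> tuple:
    """Parse spring-core-<x.y.z>.jar into a comparable (x, y, z) tuple."""
    m = re.search(r"spring-core-(\d+)\.(\d+)\.(\d+)", jar_name)
    if not m:
        raise ValueError("not a spring-core jar name")
    return tuple(int(p) for p in m.groups())


def triage(java_version_output: str, jar_name: str, tomcat_war: bool) -> str:
    """Classify one deployment. Status labels are assumed, not from the article."""
    jdk = jdk_major(java_version_output)
    ver = spring_version(jar_name)
    fixed = FIXED.get(ver[:2])
    if fixed is not None and ver >= fixed:
        return "patched"                    # release containing the fix
    if jdk < 9:
        return "not-exposed-jdk8"           # the article's conclusion for Spectrum
    if tomcat_war:
        return "vulnerable-known-exploit"   # every prerequisite of the public exploit met
    return "vulnerable-upgrade-advised"     # no known exploit path, but the flaw is more general


if __name__ == "__main__":
    # Constructed sample in the shape of Spectrum 21.2.8 (JDK 8, Spring 5.3.15).
    sample = 'openjdk version "1.8.0_322"\nOpenJDK Runtime Environment'
    print(triage(sample, "spring-core-5.3.15.jar", tomcat_war=False))
```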

Resolution



Spectrum uses Java 8 for all supported versions and therefore is not vulnerable to CVE-2022-22965.

Additional Information

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

  • Spring Boot - 2.6.6 (automatically fetches log4j 2.17.2 and Spring 5.3.18)