Maintainers of the Spring Framework have released a security patch for a critical zero-day bug in the Java framework. When exploited, the vulnerability lets an attacker execute code remotely and take control of the targeted system.
The vulnerability is tracked as CVE-2022-22965 and affects Spring Framework versions 5.3.0 through 5.3.17, 5.2.0 through 5.2.19, and older, unsupported versions. Users are advised to upgrade to 5.3.18 or later, or 5.2.20 or later.
Spring Framework provides infrastructure support for building Java web applications. In the advisory, Rossen Stoyanchev of Spring.io wrote, “The vulnerability impacts Spring MVC [model–view–controller] and Spring WebFlux applications running on [Java Development Kit] 9+.”
Stoyanchev said, “The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.”
Praetorian researchers Anthony Weems and Dallas Kaman added, “Exploitation requires an endpoint with DataBinder enabled (e.g., a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application.”
In other words, the Tomcat WAR scenario is only the exploit path that has been demonstrated so far. Because the underlying flaw is more general, Spring's advisory stresses that other ways to weaponize it may exist, so users should upgrade rather than rely on their deployment shape (executable jar, non-Tomcat container) for protection.
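To make the DataBinder precondition concrete, the following is an added example, not code from the article or from the Spring project: a minimal Spring MVC endpoint that binds a POSTed form to a Java bean (the kind of endpoint Praetorian describes), followed by the field-denylist workaround that Spring published alongside the patch for deployments that cannot upgrade immediately. The `Greeting`, `GreetingController` and `/greet` names are illustrative; the four `class`/`Class` patterns are the ones from Spring's published workaround.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;

// Illustrative form-backing bean (not from the article). Every public setter
// reachable from it, including nested properties, is a binding target.
class Greeting {
    private String name;
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}

// The precondition Praetorian describes: a POST endpoint whose request
// parameters are bound onto a Java object by WebDataBinder. A parameter named
// "a.b.c" walks nested bean properties, which is what the published exploit
// abused on Tomcat WAR deployments running on JDK 9+.
@Controller
class GreetingController {
    @PostMapping("/greet")
    @ResponseBody
    public String greet(@ModelAttribute Greeting greeting) {
        return "Hello, " + greeting.getName();
    }
}

// Workaround from Spring's advisory: forbid binding to any property path that
// passes through "class"/"Class", closing the nested-property path the known
// exploit relies on. This only blocks the demonstrated vector; upgrading to
// 5.3.18 / 5.2.20 remains the real fix.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
class BinderControllerAdvice {
    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

One caveat when applying the advice: a controller that declares its own `@InitBinder` method and calls `setDisallowedFields` there replaces the global list for that controller, so those methods need the same patterns added. The advice is also no substitute for the upgrade, since, as Spring warns, the flaw is more general than the one exploit path it blocks.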
The patch follows the publication on March 30, 2022 of a GitHub commit by a Chinese-speaking researcher containing proof-of-concept (PoC) exploit code for CVE-2022-22965; the commit was later taken down.
Spring, which is maintained by VMware, said the vulnerability was first reported to it “late on Tuesday evening, close to midnight, GMT time by codeplutos, meizjm3i of AntGroup FG Security Lab.” Praetorian, a cybersecurity firm, has also been credited with reporting the flaw.