Spring has sprung: breaking down CVE-2022-22963 & Spring4Shell (CVE-2022-22965)

What you need to know:

  • There are two RCE vulnerabilities that are being mixed and are causing some confusion. One is CVE-2022-22963 (impacting Spring Cloud) and the other is CVE-2022-22965 (impacting Spring Framework).

  • Both bugs have active exploit code available in the wild.

  • Fastly customers can protect themselves from this vulnerability.

  • There are patches available for CVE-2022-22963 and CVE-2022-22965.

Spring’s tools are frameworks to help accelerate the development of Java applications and are widely used among Java developers. The bugs being discussed here focus on the Spring Cloud and Spring Framework packages. There has been significant confusion this week about these bugs being the same thing, but they are separate and distinct issues. Both bugs result in the ability to execute arbitrary code on a remote host serving web applications when running vulnerable versions of the software. Obviously, this level of control on a potentially public-facing infrastructure can be extremely impactful.

What’s the impact:

CVE-2022-22963:

This vulnerability is very easy to exploit and enables an attacker to pass arbitrary code to Spring Expression Language (SpEL) via a HTTP header named spring.cloud.function.routing-expression as that parameter goes unvalidated by the Cloud Function. The impact of this vulnerability is fairly high from an ease of exploitation measure but fairly low from an availability standpoint – it only impacts services that are running Spring Cloud Function <=3.1.6 (for 3.1.x) and <=3.2.2 (for 3.2.x).

CVE-2022-22965:

The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Why it’s interesting:

CVE-2022-22963 is an expression language vulnerability, which leads to remote code execution (RCE) conditions. There have been a few other well-known vulnerabilities (including CVE-2017-8046) that abuse similar conditions for RCE. A recurrence of this type of bug in the same framework with the same execution capabilities should raise questions for those who use it.

CVE-2022-22965 is also a RCE vulnerability in the Spring Framework that had a proof of concept leaked ahead of CVE publication that relates to a 12-year-old vulnerability in the same code (CVE-2010-1622).

Yes, but:

CVE-2022-22963:

It affects Spring Cloud Function <=3.1.6 (for 3.1.x versions) and <=3.2.2 (for 3.2.x versions). This vulnerability is trivial to exploit by simply modifying a request header. However, it seems that the number of services using Spring Cloud Function is far fewer than Spring Framework itself, which should drastically limit the impacts seen.

CVE-2022-22965:

In order to exploit the vulnerabilities the following requirements must be met:

  • JDK 9 or higher

  • Apache Tomcat as the Servlet container

  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)

  • spring-webmvc or spring-webflux dependency

  • Spring Framework versions 5.3.0 to 5.3.17 or 5.2.0 to 5.2.19, and older versions

And even if the above conditions are met, that does not always indicate that you will have remote code execution.

Digging deeper:

CVE-2022-22963:

While investigating CVE-2022-22963, it was quickly outlined that this was exploited via a header. This exploit has been shared publicly in many locations due to its simplicity. Here is an example of the POST request for this particular vulnerability:

POST /functionRouter HTTP/1.1
host:127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
Connection: close
spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("touch /tmp/pwned")
Content-Length: 1
.

This CVE is a straightforward exploitation of being able to access functions available in Spring Cloud by manipulating the Event Routing functionality. An attacker can access functions that should not be available by including spring.cloud.function.routing-expression as an HTTP Header with a specific set of strings. This allows access to functions such as getRunTime().exec() and getByName() among others.

CVE-2022-22965:

In this bug, the Java properties associated with loading classes are improperly filtered and allow for an attacker to specify a location and template name for a class to be loaded from, as can be seen in publicly shared POCs. Specifically, the following properties are sent in an HTTP POST to construct the filename on the local filesystem:

class.module.classLoader.resources.context.parent.pipeline.first.directory
class.module.classLoader.resources.context.parent.pipeline.first.prefix
class.module.classLoader.resources.context.parent.pipeline.first.suffix
class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat

Then the ​​class.module.classLoader.resources.context.parent.pipeline.first.pattern property is used to specify what template name can be passed in the next step to specify the Object that will be written to the file and executed.

The next step of the attack is for the attacker to send the template name as an HTTP Header that then includes the Java code to be executed.

In the leaked proof of concept obtained by our team, the following code was utilized to launch a shell:

Runtime.getRuntime().exec(request.getParameter("cmd"))

Successful execution appears dependent on the properties being set by the POST request, but other researchers have shared a method for testing exposure through a GET command that also contains classLoader properties.

The need to manipulate classLoader properties in order to test or exploit leaves defenders with an easy to search for string during forensic investigations. The specific values assigned to the properties can then provide further details about where to search file systems or what commands were attempted for execution.

What you should do:

With all bugs, the recommended course of remediation is removing or resolving the core of the issue through applying available patches. While CVE-2022-22965 was seen in the wild prior to available patches, as of this writing, both bugs now have available patches.

CVE-2022-22963

Details on available patches are available here.

Users of affected versions should upgrade to 3.1.7, 3.2.3. No other steps are necessary. Releases that have fixed this issue include:

Spring Cloud Function
3.1.7
3.2.3

CVE-2022-22965:

Details on available patches are available here.

  • Spring Framework 5.3.18 and 5.2.20, which contain the fixes, have been released

  • Spring Boot 2.6.6 and 2.5.12 that depend on Spring Framework 5.3.18 have been released.

For this CVE, in addition to patching Spring has provided additional information on limiting impact for those that are unable to patch.

They caution adding the recommended setting disallowedFields on WebDataBinder through an @ControllerAdvice:

@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {
@InitBinder
public void setAllowedFields(WebDataBinder dataBinder) {
String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
dataBinder.setDisallowedFields(denylist);
}
}

While this works generally, but as a centrally applied workaround fix, it may leave some loopholes. We recommend following the full instructions on Spring’s blog.

Additionally, Fastly customers can deploy mitigations for these vulnerabilities through our WAF products.

CVE-2022-22963

The Fastly Next-Gen WAF (powered by Signal Sciences) can detect this vulnerability. If you are a customer with this product, you can follow the steps below to enable a templated rule to protect yourself from exploitation of CVE-2022-22963.

  • Navigate to the Templated Rules and locate CVE-2022-22963

  • Click configure and enable Block requests from an IP immediately if the CVE-2022-22963 signal is observed.

For Fastly WAF we can deploy VCL-based mitigations to this threat for our Legacy WAF customers. If you would like assistance in applying this configuration, please contact our CSOC at securitysupport@fastly.com.

CVE-2022-22965:

The Fastly Next-Gen WAF (powered by Signal Sciences) can detect this vulnerability. If you are a customer with this product, you can follow the steps below to enable a templated rule to protect yourself from exploitation of CVE-2022-22965.

  • Navigate to the Templated Rules and locate CVE-2022-22965

  • Click configure and enable Block requests from an IP immediately if the CVE-2022-22965 signal is observed.

For Fastly WAF we can deploy VCL-based mitigations to this threat for our Legacy WAF customers. If you would like assistance in applying this configuration, please contact our CSOC at securitysupport@fastly.com.

Further reading:

Published
Want to continue the conversation?
Schedule time with an expert
Share this post

The Fastly Security Research Team focuses on ensuring our customers have the tools and data available to them to keep their systems secure. They analyze and ultimately help prevent attacks at Fastly scale. The team is a group of behind-the-scenes security experts who are here to help you stay on the cutting edge of the ever-evolving security landscape.


Meet the team:



  • Mike Benjamin, Vice President Security Research

  • Simran Khalsa, Senior Security Researcher

  • Arun Kumar, Senior Security Researcher

  • Kelly Shortridge, Senior Principal, Product Technology

  • Xavier Stevens, Staff Security Researcher