2022-03-31

Spring Vulnerabilities

Source: LunaSec

Overview: Vulnerabilities affecting the Spring application framework were identified on March 29th, 2022. The most significant are Spring4Shell (CVE-2022-22965), a remote code execution vulnerability in Spring Framework (Spring Core), and CVE-2022-22963, a remote code execution vulnerability in Spring Cloud Function. A third, deserialization-related vulnerability has also been reported but currently lacks detail. The known vulnerabilities are listed below along with applicable detection content.

Vulnerabilities

  • CVE-2022-22965/Spring4Shell: Remote code execution vulnerability in Spring Framework (Spring Core) versions 5.3.17 and older; fixed in 5.3.18 and 5.2.20. As described by Spring, the vulnerability "impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit." The known exploit requires all of the following:
  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

  Note that these conditions describe the publicly known exploit path only; Spring advises that applications on a vulnerable version upgrade regardless of packaging or container, since other exploitation routes may exist.
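The preconditions above are easy to check mechanically against a deployment. The following triage script is an added example and is not part of the original advisory or of Spring's own tooling: it reads the jar names from a WAR's WEB-INF/lib, identifies the Spring Framework version from the spring-core jar, and evaluates each precondition separately so that the output distinguishes "the known exploit applies" from "a vulnerable version is present and must be upgraded". The version parsing, the helper names, the sample jar list and the Java version strings are assumptions constructed for the example; the fixed-version boundaries (5.3.18 and 5.2.20) are the ones published by Spring.

```python
"""Triage helper for CVE-2022-22965 (Spring4Shell) exposure (added example, not Spring's code)."""
import re
import zipfile
from pathlib import Path

# Fixed versions published by Spring for CVE-2022-22965.
FIXED_5_3 = (5, 3, 18)
FIXED_5_2 = (5, 2, 20)

# Matches e.g. spring-core-5.3.17.jar or spring-webmvc-5.2.19.RELEASE.jar (assumed naming).
JAR_VERSION_RE = re.compile(
    r"^(spring-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z0-9.]+)?\.jar$"
)


def parse_spring_jar(name):
    """Return (artifact, (major, minor, patch)) for a Spring jar filename, else None."""
    m = JAR_VERSION_RE.match(Path(name).name)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def java_major(version_string):
    """Map 'java -version' strings such as '1.8.0_322', '11.0.14' or '17' to a major number."""
    parts = version_string.strip().strip('"').split(".")
    # Pre-9 JDKs report 1.x; from 9 onward the first component is the major version.
    field = parts[1] if parts[0] == "1" and len(parts) > 1 else parts[0]
    return int(re.match(r"\d+", field).group())


def spring_version_vulnerable(v):
    """True when the Spring Framework version falls inside the published affected ranges."""
    major, minor, _ = v
    if major < 5 or (major == 5 and minor < 2):
        return True  # older, unsupported lines: no fix was published for them
    if (major, minor) == (5, 2):
        return v < FIXED_5_2
    if (major, minor) == (5, 3):
        return v < FIXED_5_3
    return False  # assumption: any line newer than 5.3 carries the fix


def jars_in_war(war_path):
    """List WEB-INF/lib jar entries of a WAR file, in the form assess() consumes."""
    with zipfile.ZipFile(war_path) as war:
        return [n for n in war.namelist() if n.startswith("WEB-INF/lib/") and n.endswith(".jar")]


def assess(jar_names, java_version, packaging, container):
    """Evaluate each Spring4Shell precondition; returns a dict of findings and the verdict."""
    spring_core = None
    has_web = False
    for name in jar_names:
        parsed = parse_spring_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact == "spring-core":
            spring_core = version
        elif artifact in ("spring-webmvc", "spring-webflux"):
            has_web = True
    findings = {
        "spring_core_version": spring_core,
        "vulnerable_spring_version": spring_core is not None and spring_version_vulnerable(spring_core),
        "jdk9_or_newer": java_major(java_version) >= 9,
        "web_dependency_present": has_web,
        "war_on_tomcat": packaging == "war" and container == "tomcat",
    }
    # The known exploit needs every precondition; an upgrade is needed on version alone.
    findings["known_exploit_applies"] = all(
        findings[k] for k in ("vulnerable_spring_version", "jdk9_or_newer",
                              "web_dependency_present", "war_on_tomcat")
    )
    findings["upgrade_required"] = findings["vulnerable_spring_version"]
    return findings


if __name__ == "__main__":
    # Constructed sample: a classic WAR on Tomcat 9 with JDK 11 and Spring 5.3.17.
    sample_jars = [
        "WEB-INF/lib/spring-core-5.3.17.jar",
        "WEB-INF/lib/spring-webmvc-5.3.17.jar",
        "WEB-INF/lib/jackson-databind-2.13.2.jar",
    ]
    for key, value in assess(sample_jars, "11.0.14", "war", "tomcat").items():
        print(f"{key}: {value}")
```

For a real deployment, replace the constructed list with `jars_in_war("/path/to/app.war")` and pass the output of `java -version` plus how the application is actually served; a Spring Boot executable jar still reports `upgrade_required` when its embedded spring-core is in the affected range.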
