Security Advisory: Vulnerabilities Reported in Spring Framework for Java
Catalyst IT has become aware of two significant vulnerabilities that are currently present in the Spring Framework and related operating environments. Spring is an open source application development framework for the Java platform that is widely used by developers in the open source space.
Vulnerability in Spring Cloud Function
On Wednesday 29th March a new vulnerability was reported in Spring Cloud Function that could lead to remote code execution (RCE), allowing an attacker to run code on the affected host from a remote location and compromise it. A security advisory has been issued by VMware and the issue is being tracked as CVE-2022-22963. This vulnerability affects the Spring Cloud Function library only and should not be confused with the Spring Core library. The current mitigation for this vulnerability is to upgrade your Spring Cloud Function library to version 3.1.+ or 3.2.3+ to prevent potential RCE attacks.
Vulnerability in Spring Framework Core
Additionally, a second vulnerability was reported on Thursday 31st March by VMware as CVE-2022-22965, which poses a high-severity risk to Spring Framework. The vulnerability affects Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit currently known requires the application to be run on Tomcat as a WAR deployment; if the application is deployed as a Spring Boot executable jar, it is not vulnerable to that exploit. It is important to note, though, that this vulnerability is more general in nature, and further exploitation paths may be discovered as the investigation into its full ramifications continues. Fixes are contained in Spring Framework 5.3.18 and 5.2.20, which have now been released. Spring Boot 2.6.6 and 2.5.12, which depend on Spring Framework 5.3.18, have also been released.
Catalyst IT Recommendations
Catalyst IT recommends completing the above upgrades to Spring Framework as soon as possible to prevent potential exploits from impacting your system. If you are concerned about whether this affects your system, or have further questions regarding these vulnerabilities, please contact your Catalyst IT Account Manager.
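As an added example (not part of the Catalyst IT advisory), the following Python script checks a Maven pom.xml against the fixed versions named above for both CVE-2022-22963 and CVE-2022-22965, so a team can see at a glance which Spring artifacts still need the recommended upgrade. The Maven coordinates used are assumptions about common artifact names, and the sample pom.xml is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Earliest fixed version per release line, as stated in the advisory above. The Maven
# coordinates are assumed; the 3.1.x Cloud Function threshold is not stated above,
# so that branch is reported as "unknown" rather than guessed.
FIXED_IN = {
    "org.springframework.boot:spring-boot-starter-parent": {"2.6": "2.6.6", "2.5": "2.5.12"},
    "org.springframework:spring-webmvc": {"5.3": "5.3.18", "5.2": "5.2.20"},
    "org.springframework:spring-webflux": {"5.3": "5.3.18", "5.2": "5.2.20"},
    "org.springframework.cloud:spring-cloud-function-context": {"3.2": "3.2.3"},
}

def version_key(version):
    """'5.3.18' or '2.6.6-SNAPSHOT' -> comparable tuple of the leading integers."""
    parts = version.split("-")[0].split(".")
    return tuple(int(p) for p in parts if p.isdigit())

def assess(coordinate, version):
    """Return 'fixed', 'vulnerable' or 'unknown' for one tracked dependency."""
    branch = ".".join(version.split(".")[:2])
    fixed = FIXED_IN.get(coordinate, {}).get(branch)
    if fixed is None:
        return "unknown"  # no stated fix for this branch: consult the vendor advisory
    return "fixed" if version_key(version) >= version_key(fixed) else "vulnerable"

def scan_pom(pom_xml):
    """Map each tracked Spring artifact in a pom.xml to (version, status)."""
    results = {}
    for elem in ET.fromstring(pom_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] not in ("parent", "dependency"):
            continue
        gid, aid = elem.findtext("{*}groupId"), elem.findtext("{*}artifactId")
        coord, ver = f"{gid}:{aid}", elem.findtext("{*}version")
        if coord in FIXED_IN and ver and not ver.startswith("${"):  # skip property refs
            results[coord] = (ver, assess(coord, ver))
    return results

# Constructed sample pom.xml: Boot parent and Cloud Function one patch behind, webmvc fixed.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
 <parent><groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-parent</artifactId><version>2.6.5</version></parent>
 <dependencies>
  <dependency><groupId>org.springframework.cloud</groupId>
   <artifactId>spring-cloud-function-context</artifactId><version>3.2.2</version></dependency>
  <dependency><groupId>org.springframework</groupId>
   <artifactId>spring-webmvc</artifactId><version>5.3.18</version></dependency>
 </dependencies>
</project>"""

if __name__ == "__main__":
    for coord, (ver, status) in scan_pom(SAMPLE_POM).items():
        print(f"{status:10} {coord} {ver}")
```

Versions declared through Maven properties (for example `${spring.version}`) are skipped, so resolve them with `mvn dependency:tree` or similar before relying on the result.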
Further Information
Please refer to this Security Alert by the Australian Cyber Security Centre (ACSC) for further information.