CVE-2022-22965:CVE-2022-22965 is a remote code execution vulnerability in Spring Framework (Spring MVC/WebFlux) when running on JDK 9+ and deployed as a WAR on Tomcat; Spring Boot executable jars are not vulnerable by default.

splash
Back

Description Preview

The vulnerability stems from data binding in Spring MVC or Spring WebFlux applications that run on JDK 9 or newer and are deployed as a WAR on Tomcat. If exploited, it can lead to remote code execution (RCE). The issue is categorized as CWE-94: Improper Control of Generation of Code. Affected versions include Spring Framework 5.3.x before 5.3.18+, 5.2.x before 5.2.20+, and all older and unsupported versions. Deployments as Spring Boot executable jars are not vulnerable to this exploit by default, though other vectors may still exist. Remedies involve upgrading to patched releases or applying vendor-provided mitigations.

Overview

This CVE affects Spring Framework deployments that use Spring MVC or Spring WebFlux on JDK 9+ when packaged as a WAR and deployed on Tomcat, enabling potential remote code execution through data binding. The vulnerability is mitigated for Spring Boot executable jars by default, but remains a concern for non-boot deployments. The weakness is classified under CWE-94 (Code Injection). Patches are available in newer releases (5.3.18+ and 5.2.20+), and multiple vendor advisories document mitigation and remediation strategies.

Remediation

  • Upgrade to a fixed Spring Framework version: 5.3.18+ or 5.2.20+ (or newer) and redeploy the application WARs on Tomcat.
  • If you must delay upgrade, apply vendor-provided mitigations from advisories (consult Oracle, Cisco, SonicWall, Siemens, etc.) and implement compensating controls as recommended by the vendor.
  • For Maven/Gradle projects, update the Spring Framework dependency in your pom.xml/build.gradle, rebuild, and redeploy the WAR to Tomcat.
  • Verify packaging: Spring Boot executable jars are not affected by the default exploit; ensure your deployment type aligns with patched guidance and monitor for any related CVEs affecting other components.
  • Perform testing after patching: functional validation and security testing to confirm the RCE path is mitigated.
  • Review transitive dependencies to ensure no downgraded or vulnerable Spring Framework versions are introduced.

References

  • https://tanzu.vmware.com/security/cve-2022-22965
  • 20220401 Vulnerability in Spring Framework Affecting Cisco Products: March 2022 — https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
  • https://www.oracle.com/security-alerts/cpuapr2022.html
  • https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
  • http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html
  • https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf
  • https://www.oracle.com/security-alerts/cpujul2022.html
  • http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html

Early Warning

Customers using Armis Early Warning were notified about this vulnerability before it appeared in CISA's Known Exploited Vulnerabilities Catalog, enabling them to assess their exposure and act proactively. Armis offers these examples of CVEs already included in CISA KEV for potential customers. Click here to learn how to receive alerts earlier.

Armis Alert Date
Apr 1, 2022
CISA KEV Date
Apr 4, 2022
3days early

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
    Manufacturing
  2. Public Administration: Medium
    Public Administration
  3. Health Care & Social Assistance: Medium
    Health Care & Social Assistance
  4. Transportation & Warehousing: Medium
    Transportation & Warehousing
  5. Finance and Insurance: Low
    Finance and Insurance
  6. Retail Trade: Low
    Retail Trade
  7. Professional, Scientific, & Technical Services: Low
    Professional, Scientific, & Technical Services
  8. Educational Services: Low
    Educational Services
  9. Management of Companies & Enterprises: Low
    Management of Companies & Enterprises
  10. Other Services (except Public Administration): Low
    Other Services (except Public Administration)
  11. Arts, Entertainment & Recreation: Low
    Arts, Entertainment & Recreation
  12. Utilities: Low
    Utilities
  13. Accommodation & Food Services: Low
    Accommodation & Food Services
  14. Construction: Low
    Construction
  15. Administrative, Support, Waste Management & Remediation Services: Low
    Administrative, Support, Waste Management & Remediation Services
  16. Agriculture, Forestry Fishing & Hunting: Low
    Agriculture, Forestry Fishing & Hunting
  17. Information: Low
    Information
  18. Mining: Low
    Mining
  19. Real Estate Rental & Leasing: Low
    Real Estate Rental & Leasing
  20. Wholesale Trade: Low
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background