CVE-2022-22965:
CVE-2022-22965 is a remote code execution vulnerability in Spring Framework (Spring MVC/WebFlux) when running on JDK 9+ and deployed as a WAR on Tomcat; Spring Boot executable jars are not vulnerable by default.
Score
A numerical rating that indicates how dangerous this vulnerability is.
- Score: 9.8 (Critical)
- Published Date: Apr 1, 2022
- CISA KEV Date: Apr 4, 2022
- Industries Affected: 20
Threat Predictions
- EPSS Score: 94.4
- EPSS Percentile: 100%
Exploitability
- Score: 3.9
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
This CVE affects Spring Framework deployments that use Spring MVC or Spring WebFlux on JDK 9+ when packaged as a WAR and deployed on Tomcat, enabling potential remote code execution through data binding. Spring Boot executable jars are not exposed by default, but the vulnerability remains a concern for non-Boot deployments. The weakness is classified under CWE-94 (Code Injection). Patches are available in newer releases (5.3.18+ and 5.2.20+), and multiple vendor advisories document mitigation and remediation strategies.
Remediation
- Upgrade to a fixed Spring Framework version: 5.3.18+ or 5.2.20+ (or newer) and redeploy the application WARs on Tomcat.
- If you must delay upgrade, apply vendor-provided mitigations from advisories (consult Oracle, Cisco, SonicWall, Siemens, etc.) and implement compensating controls as recommended by the vendor.
- For Maven/Gradle projects, update the Spring Framework dependency in your pom.xml/build.gradle, rebuild, and redeploy the WAR to Tomcat.
- Verify packaging: Spring Boot executable jars are not affected by default; confirm that your deployment type matches the patched guidance and monitor for related CVEs affecting other components.
- Perform testing after patching: functional validation and security testing to confirm the RCE path is mitigated.
- Review transitive dependencies to ensure no downgraded or vulnerable Spring Framework versions are introduced.
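A version check to support the verification and dependency-review steps above, written here as an added example (not code from the Armis page or from the Spring project): it inspects the Spring Framework jars a Tomcat webapp ships in WEB-INF/lib and flags any whose version predates the fixed releases named above. The module names are the standard Spring Framework artifact ids; the WEB-INF/lib layout is the assumed Tomcat WAR layout.

```shell
#!/bin/sh
# Added example: report Spring Framework jars under a webapp's WEB-INF/lib that
# still predate the CVE-2022-22965 fix (5.3.18+ and 5.2.20+; any newer line
# is also fixed). Assumes the standard Tomcat exploded-WAR layout.

# spring_version_fixed VERSION -> exit status 0 when the version carries the fix.
spring_version_fixed() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    if [ "$rest" = "$minor" ]; then
        patch=0                          # no patch component at all
    else
        rest=${rest#*.}
        patch=${rest%%[!0-9]*}           # drop qualifiers such as .RELEASE
        [ -n "$patch" ] || patch=0
    fi
    case "$major$minor$patch" in *[!0-9]*|'') return 1 ;; esac   # unparseable
    if [ "$major" -gt 5 ]; then return 0; fi
    if [ "$major" -lt 5 ]; then return 1; fi
    if [ "$minor" -gt 3 ]; then return 0; fi
    if [ "$minor" -eq 3 ] && [ "$patch" -ge 18 ]; then return 0; fi
    if [ "$minor" -eq 2 ] && [ "$patch" -ge 20 ]; then return 0; fi
    return 1
}

# scan_webapp_lib DIR -> prints every Spring Framework jar in DIR still at a
# vulnerable version; exit status 1 if any was found, 0 if all are patched.
scan_webapp_lib() {
    found=0
    for jar in "$1"/spring-*.jar; do
        [ -e "$jar" ] || continue
        name=$(basename "$jar" .jar)
        case $name in
            # Spring Framework modules only; spring-boot-*, spring-security-*
            # and similar are separate projects with their own version lines.
            spring-core-*|spring-beans-*|spring-context-*|spring-web-*|spring-webmvc-*|spring-webflux-*|spring-aop-*|spring-expression-*) ;;
            *) continue ;;
        esac
        ver=${name##*-}                  # spring-beans-5.3.17 -> 5.3.17
        if ! spring_version_fixed "$ver"; then
            echo "VULNERABLE: $jar (Spring Framework $ver; need 5.3.18+ or 5.2.20+)"
            found=1
        fi
    done
    return $found
}

# Usage: sh check_spring_version.sh /opt/tomcat/webapps/app/WEB-INF/lib
if [ "$#" -gt 0 ]; then
    scan_webapp_lib "$1"
fi
```

Run it against each deployed webapp's WEB-INF/lib after redeploying the rebuilt WAR; a non-zero exit means at least one framework jar was not upgraded, typically pulled in transitively.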
References
- https://tanzu.vmware.com/security/cve-2022-22965
- 20220401 Vulnerability in Spring Framework Affecting Cisco Products: March 2022 — https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
- http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf
- https://www.oracle.com/security-alerts/cpujul2022.html
- http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.
- Armis Alert Date: Apr 1, 2022
- CISA KEV Date: Apr 4, 2022
- Days Early: 3 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.