On March 31, Spring officially announced a remote code execution (RCE) vulnerability (CVE-2022-22965) in the Spring Framework when it runs on JDK 9 or higher. An attacker can exploit it to execute arbitrary code remotely. The vulnerability is easy to exploit, its POC/EXP has been publicly disclosed, and the risk is high.
The Spring Framework is an open-source, lightweight application framework for building complex web applications on the Java Enterprise Edition (EE) platform. If you use the Spring Framework, check your systems and apply security hardening promptly.
Reference:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Severity: important
(Severity levels: low, moderate, important, critical)
Affected versions:
Spring Framework 5.3.x < 5.3.18
Spring Framework 5.2.x < 5.2.20
Older versions may also be affected.
Secure versions:
Spring Framework 5.3.18
Spring Framework 5.2.20
The following prerequisite must be met for the vulnerability to be exploited:
The Spring Framework, or a framework derived from it, runs on JDK 9 or higher.
According to the vulnerability report, these are the requirements for the attack scenarios reported so far. However, the nature of the vulnerability is more general, and there may be other ways to exploit it that have not yet been reported.
Secure versions have been released; you are advised to upgrade the Spring Framework to a secure version.
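The triage helper below is an added example, not part of this advisory or of the Spring project's own tooling. It encodes the affected and secure version ranges and the JDK 9+ prerequisite stated above, and assumes that jar file names from the application's classpath and the text of `java -version` are available as inputs (the sample inputs are constructed).

```python
"""Added triage helper for CVE-2022-22965: Spring and JDK versions vs. the advisory."""
import re

# Per the advisory: 5.3.x is fixed at 5.3.18 and 5.2.x at 5.2.20; older lines
# "may also be affected" and are therefore flagged rather than cleared.
FIXED_PATCH = {(5, 3): 18, (5, 2): 20}
JAR_RE = re.compile(r"spring-(?:core|beans|webmvc|webflux|web)-(\d+\.\d+\.\d+)")
JAVA_RE = re.compile(r'version "(\d+)(?:\.(\d+))?')

def parse_spring_version(text):
    """'5.3.17' or '5.3.17.RELEASE' -> (5, 3, 17); rejects anything else."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised Spring version: %r" % text)
    return tuple(int(x) for x in m.groups())

def spring_status(version):
    """'fixed', 'affected', 'possibly-affected' (older line) or 'not-listed'."""
    major, minor, patch = parse_spring_version(version)
    line = (major, minor)
    if line in FIXED_PATCH:
        return "affected" if patch < FIXED_PATCH[line] else "fixed"
    return "possibly-affected" if line < (5, 2) else "not-listed"

def jdk_major(java_version_output):
    """Major release from `java -version` text: '1.8.0_321' -> 8, '11.0.14' -> 11."""
    m = JAVA_RE.search(java_version_output)
    if not m:
        raise ValueError("no version string in java -version output")
    first, second = int(m.group(1)), m.group(2)
    return int(second) if first == 1 and second else first

def spring_versions_in_classpath(jar_names):
    """Distinct Spring Framework versions found in jar file names."""
    return sorted({m.group(1) for n in jar_names for m in [JAR_RE.search(n)] if m})

def triage(spring_version, java_version_output):
    """Combine both checks into one verdict for the operator."""
    status, jdk = spring_status(spring_version), jdk_major(java_version_output)
    if status == "fixed":
        return "ok: secure Spring version"
    if status == "not-listed":
        return "not covered by the advisory: verify against vendor notes"
    if jdk >= 9:
        return "upgrade now: %s Spring version on JDK %d meets the exploit prerequisite" % (status, jdk)
    return "upgrade: %s Spring version; JDK %d is below the reported prerequisite, but other paths may exist" % (status, jdk)

# Constructed sample inputs (not taken from any real host).
SAMPLE_JARS = ["spring-webmvc-5.3.17.jar", "spring-core-5.3.17.jar", "tomcat-embed-core-9.0.58.jar"]
SAMPLE_JAVA = 'openjdk version "11.0.14" 2022-01-18\nOpenJDK Runtime Environment'
```

Call `triage(v, SAMPLE_JAVA)` for each version returned by `spring_versions_in_classpath(SAMPLE_JARS)`; with the constructed samples, 5.3.17 on JDK 11 is reported as needing an immediate upgrade.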