WAF mitigation for Spring Framework RCE CVE-2022-22965

April 1, 2022
ZeroDay RCE CVE-2022-22965

Contents

Try CDNetworks For Free

Most of our products have a 14 day free trial. No credit card needed.

Share This Post

Spring Framework RCE vulnerability (CVE-2022-22965) was announced on March 31,2022

Vulnerability

Spring Framework is an open source lightweight J2EE application development Framework, which provides IOC, AOP, MVC and other functions. Spring Framework can solve the common problems encountered in the development of programmers, and improve the convenience of application development and software system construction efficiency.

The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit.

These are the requirements for the specific scenario from the report:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

However, the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.

Vulnerability Details:

  • Vulnerability level: High Risk
  • Affected version:
    Spring Framework 5.3.x < 5.3.18
    Spring Framework 5.2.x < 5.2.20
  • Security version:
    Spring Framework = 5.3.18
    Spring Framework = 5.2.20

Suggested Workarounds

 Upgrade the Spring Framework to 5.3.18, 5.2.20 or later versions

CDNetworks Deployed New Rules to Mitigate Spring Framework RCE

CDNetworks security team responded immediately to this high-risk vulnerability, and deployed the new WAF rules (9801,9802,9803) for CDNetworks’ systems and products to mitigate the Zero Day CVE on March 31.2022.

Any customer who currently is using Application Shield or Web Application Firewall will receive updates of new rules (9801,9802,9803) and enable Block Mode on CDNetworks’ portal to detect CVE-2022-22965 exploit attempts and mitigate this Zero Day CVE.

Rule ID Rule Name Attack Type Action

9803

Spring4shell_3

3rd Party Component Exploit

Block

9802

Spring4shell_2

3rd Party Component Exploit

Block

9801

Sping4shell_1

3rd Party Component Exploit

Block

 

Reference: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

More To Explore

HTTP Header Optimization
Web Performance

How CDNetworks Helps Optimize HTTP Headers

HTTP headers are key-value pairs sent in HTTP requests and responses, providing essential information about the communication between the client and server. They include details such as content type, encoding, cache control, authentication, and more,

Read More »