WAF mitigation for Spring Framework RCE CVE-2022-22965

ZeroDay RCE CVE-2022-22965

Spring Framework RCE vulnerability (CVE-2022-22965) was announced on March 31,2022

Vulnerability

Spring Framework is an open source lightweight J2EE application development Framework, which provides IOC, AOP, MVC and other functions. Spring Framework can solve the common problems encountered in the development of programmers, and improve the convenience of application development and software system construction efficiency.

The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit.

These are the requirements for the specific scenario from the report:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

However, the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.

Vulnerability Details:

  • Vulnerability level: High Risk
  • Affected version:
    Spring Framework 5.3.x < 5.3.18
    Spring Framework 5.2.x < 5.2.20
  • Security version:
    Spring Framework = 5.3.18
    Spring Framework = 5.2.20

Suggested Workarounds

 Upgrade the Spring Framework to 5.3.18, 5.2.20 or later versions

CDNetworks Deployed New Rules to Mitigate Spring Framework RCE

CDNetworks security team responded immediately to this high-risk vulnerability, and deployed the new WAF rules (9801,9802,9803) for CDNetworks’ systems and products to mitigate the Zero Day CVE on March 31.2022.

Any customer who currently is using Application Shield or Web Application Firewall will receive updates of new rules (9801,9802,9803) and enable Block Mode on CDNetworks’ portal to detect CVE-2022-22965 exploit attempts and mitigate this Zero Day CVE.

Rule ID Rule Name Attack Type Action

9803

Spring4shell_3

3rd Party Component Exploit

Block

9802

Spring4shell_2

3rd Party Component Exploit

Block

9801

Sping4shell_1

3rd Party Component Exploit

Block

 

Reference: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Share This Post

More To Explore

Media Delivery

VoD Streaming vs Live Streaming

Video, in all its forms, has become an increasingly popular way for businesses to communicate. With the democratisation of video capturing technologies and the proliferation

Read More »
Enterprise Secure Access Hero Scene

Enterprise Secure Access

Zero-Trust Access to Secure Hybrid Network