Learn how to address Spring4Shell and CVE-2022-22963 RCE vulnerabilities in cloud environments.
# Vulnerability: Spring Framework RCE (Spring4Shell) and Spring Cloud Function RCE
## CVE Details
- CVE ID: CVE-2022-22965, CVE-2022-22963
- CVSS Score: Not stated for either CVE (CVE-2022-22963 was initially rated Medium and later raised to Critical)
- CWE: Not explicitly listed, but CVE-2022-22965 relates to RCE via Data Binding, and CVE-2022-22963 relates to RCE via Malicious SpEL Expression.
## Affected Systems
### CVE-2022-22965 (Spring4Shell)
- **Products:** Applications using Spring Framework.
- **Versions:** Spring Framework versions earlier than 5.2.19, and versions 5.3.0 to 5.3.17.
- **Configurations:**
  - Must be running on JDK version 9 or higher.
  - Application dependencies must include `spring-webmvc` or `spring-webflux`.
  - Applications must use data binding with particular parameter types.
  - Currently known exploitation requires applications packaged as WAR files served by Apache Tomcat, GlassFish, or Payara.
### CVE-2022-22963 (Spring Cloud Function RCE)
- **Products:** Applications using Spring Cloud Function (SCF).
- **Versions:** SCF versions earlier than 3.1.6, and versions 3.2.0 to 3.2.2.
- **Configurations:** Only exploitable in applications using routing functionality.
## Vulnerability Description
Two distinct Remote Code Execution (RCE) vulnerabilities were patched in Spring Java libraries. Both allow an attacker to execute arbitrary code remotely via specially crafted HTTP POST requests, provided the vulnerable application is exposed on an open HTTP port.
**CVE-2022-22965 (Spring4Shell):** This vulnerability is rooted in `spring-beans` but is triggerable via `spring-webmvc` or `spring-webflux`. The flaw acts as a bypass for an older vulnerability (related to CVE-2010-1622). Exploitation relies heavily on specific operational contexts, such as JDK version, specific dependencies, and deployment environment (e.g., running in a WAR file on Tomcat).
**CVE-2022-22963:** This flaw allows RCE in Spring Cloud Function via a malicious Spring Expression Language (SpEL) Expression, specifically targeting applications using routing functionality.
## Exploitation
### CVE-2022-22965 (Spring4Shell)
- **Status:** PoC available (for testing); no reports of exploitation in the wild at the time of this summary. Prevalence is nevertheless high: approx. 63% of cloud environments contain affected (though not necessarily exploitable) assets.
- **Complexity:** Medium (due to necessary combination of prerequisites: JDK 9+, specific dependencies, deployment configuration).
- **Attack Vector:** Network
### CVE-2022-22963 (Spring Cloud Function RCE)
- **Status:** PoC available; multiple proof-of-concept exploits published online.
- **Complexity:** Low (exploitation is simple, but limited to applications using routing functionality).
- **Attack Vector:** Network
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2022-22965 | High | High | High |
| CVE-2022-22963 | High | High | High |
## Remediation
### Patches
**CVE-2022-22965 (Spring Framework):**
- Update to Spring Framework version **5.3.18** or **5.2.20**.
**CVE-2022-22963 (Spring Cloud Function):**
- Update to Spring Cloud Function version **3.1.7** or **3.2.3**.
*Note: End users of third-party applications must wait for those applications' maintainers to integrate these dependency updates.*
### Workarounds
**CVE-2022-22965 (Spring4Shell):**
- Refer to multiple workarounds suggested by Spring (link provided in source documentation).
## Detection
- Scan cloud workloads for vulnerable versions of Spring Framework (earlier than 5.2.19 and 5.3.0-5.3.17) and Spring Cloud Function (earlier than 3.1.6 and 3.2.0-3.2.2).
- Prioritize resources with open HTTP ports.
- For CVE-2022-22963, focus detection on applications using routing functionality.
- Security tools (like Wiz) have pre-built Controls to identify affected assets and map out potential privilege escalation paths.
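The version ranges and prioritization rules in the list above can be turned into a small triage script. The following is an added example, not code from the original report or from Wiz: it walks a constructed workload inventory (asset names, jar file names, exposure and deployment flags are all made up for illustration), flags jars below the patched releases listed under Remediation (5.2.20/5.3.18 for Spring Framework, 3.1.7/3.2.3 for Spring Cloud Function, with release lines older than any listed fix treated as affected), and ranks each finding by whether the asset has an open HTTP port and whether the CVE's known exploitation preconditions (WAR on Tomcat plus JDK 9+ for CVE-2022-22965, routing functionality for CVE-2022-22963) are present. The artifact-id-to-product mapping and the `Asset` fields are assumptions of this example.

```python
"""Triage a constructed cloud-workload inventory for CVE-2022-22965 (Spring4Shell)
and CVE-2022-22963 (Spring Cloud Function RCE) by dependency version and exposure."""
import re
from dataclasses import dataclass

# Patched releases from the Remediation section. A version on a listed release line is
# safe only at or above its fix; lines older than any listed fix are treated as affected.
FIXED_VERSIONS = {
    "spring-framework": {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)},
    "spring-cloud-function": {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)},
}
PRODUCT_CVE = {"spring-framework": "CVE-2022-22965", "spring-cloud-function": "CVE-2022-22963"}

# Assumed mapping from Maven artifact id to product. spring-beans/-webmvc/-webflux share the
# Spring Framework version number; the SCF artifact ids are an assumption for this example.
ARTIFACT_TO_PRODUCT = {
    "spring-beans": "spring-framework",
    "spring-webmvc": "spring-framework",
    "spring-webflux": "spring-framework",
    "spring-cloud-function-context": "spring-cloud-function",
    "spring-cloud-function-web": "spring-cloud-function",
}

# Matches jar file names such as spring-beans-5.3.17.jar or spring-webmvc-5.3.18-SNAPSHOT.jar.
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+\.\d+\.\d+)(?:[.-][A-Za-z0-9]+)*\.jar$"
)


def parse_version(text):
    """'5.3.17' -> (5, 3, 17); tuples compare numerically, unlike the raw strings."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(product, version):
    """True if the version is below the patched release on its line, or on an older line."""
    fixes = FIXED_VERSIONS.get(product)
    if fixes is None:
        return False
    line = version[:2]
    if line in fixes:
        return version < fixes[line]
    return line < min(fixes)  # older unlisted line (e.g. 5.1.x, 3.0.x): affected


@dataclass
class Asset:
    name: str
    jars: list
    http_exposed: bool           # an open HTTP port reachable by untrusted clients
    war_on_tomcat: bool = False  # Spring4Shell's known exploitation precondition
    scf_routing: bool = False    # CVE-2022-22963 only matters with SCF routing enabled
    jdk_major: int = 11          # Spring4Shell requires JDK 9 or higher


def vulnerable_jars(asset):
    """Map each CVE to the jars on the asset whose version is below the patched release."""
    hits = {}
    for jar in asset.jars:
        match = JAR_RE.match(jar)
        if not match:
            continue
        product = ARTIFACT_TO_PRODUCT.get(match["artifact"])
        if product is None:
            continue
        if is_vulnerable(product, parse_version(match["version"])):
            hits.setdefault(PRODUCT_CVE[product], []).append(jar)
    return hits


def priority(asset, cve):
    """P1: exposed and the CVE's known preconditions hold; P2: exposed but a precondition
    is missing (still patch, since preconditions can change); P3: vulnerable but not exposed."""
    if not asset.http_exposed:
        return "P3"
    if cve == "CVE-2022-22965":
        preconditions_met = asset.war_on_tomcat and asset.jdk_major >= 9
    else:
        preconditions_met = asset.scf_routing
    return "P1" if preconditions_met else "P2"


def triage(assets):
    """Return findings sorted most urgent first as (priority, asset name, CVE, jars)."""
    rows = []
    for asset in assets:
        for cve, jars in vulnerable_jars(asset).items():
            rows.append((priority(asset, cve), asset.name, cve, sorted(jars)))
    return sorted(rows)


# Constructed sample inventory for this example; these are not real assets.
INVENTORY = [
    Asset("web-frontend", ["spring-beans-5.3.17.jar", "spring-webmvc-5.3.17.jar",
                           "tomcat-embed-core-9.0.60.jar"],
          http_exposed=True, war_on_tomcat=True, jdk_major=17),
    Asset("batch-worker", ["spring-beans-5.2.19.jar", "spring-webmvc-5.2.19.jar"],
          http_exposed=False),
    Asset("function-router", ["spring-cloud-function-context-3.2.2.jar"],
          http_exposed=True, scf_routing=True),
    Asset("function-plain", ["spring-cloud-function-context-3.1.7.jar"], http_exposed=True),
    Asset("legacy-api", ["spring-beans-5.1.20.jar"], http_exposed=True, jdk_major=8),
]

if __name__ == "__main__":
    for prio, name, cve, jars in triage(INVENTORY):
        print(f"{prio}  {name:16} {cve}  {', '.join(jars)}")
```

The script keys off jar file names, which is what a workload scanner typically has; a SNAPSHOT or qualifier suffix is ignored, so treat `5.3.18-SNAPSHOT` style builds as unverified rather than fixed. P2 findings are still patched, since a later redeployment as a WAR or a JDK upgrade would move them to P1 without any change to the dependency.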
## References
- Vendor advisory: hxxps://tanzu.vmware.com/security/cve-2022-22965
- Vendor advisory: hxxps://tanzu.vmware.com/security/cve-2022-22963
- Spring Announcement: hxxps://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- Praetorian analysis (CVE-2022-22965): hxxps://www.praetorian.com/blog/spring-core-jdk9-rce/