THREAT SEVERITY: HIGH

CVE-2022-22965: Spring Core Remote Code Execution Vulnerability Exploited

Moon Treader | April 12, 2022


CVE-2022-22965 Spring Core Remote Code – Executive Summary

The Spring Framework, used for building enterprise Java applications, recently had two vulnerabilities announced. The first vulnerability, CVE-2022-22963, was patched on March 29, 2022 with the release of Spring Cloud Function 3.1.7 and 3.2.3. The second, more severe vulnerability, CVE-2022-22965, was patched on March 31, 2022 with the release of Spring Framework versions 5.3.18 and 5.2.20. Exploitation of CVE-2022-22965 could result in an attacker executing remote code and installing a webshell on the compromised server.

CVE-2022-22965 Spring MVC/WebFlux Data Binding Remote Code Execution 

This vulnerability in the Spring Framework for Java was reported in March 2022. The latest versions in their default configuration are not vulnerable. However, there are non-conventional deployments that remain exposed, and these have led to malware propagation*.

This vulnerability stems from a flaw in the getCachedIntrospectionResults method of the Spring Framework. Spring allows incoming HTTP request parameters to be bound to Java objects whose fields carry application-specific meaning. A Spring-based web application lets the user of a web page populate these objects through request parameters, but in doing so, the aforementioned method exposes class properties that an attacker can reach through the binding path and use to control the remote web server.

This was observed in Apache Tomcat deployments, where the exposed class property permitted modifying Tomcat's logging behavior to obtain write access to the web server's file system. This condition permits an attacker to upload webshells onto the target server.

Spring versions 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19 are vulnerable. In addition, a successful attack requires JDK 9 or higher and deployment of the application as a WAR in the Apache Tomcat servlet container. Even with several preconditions to be met, the CVE is still critical and has been used in malware campaigns. Upgrading to the latest Spring Framework release published by the Spring developers will prevent attackers from taking advantage of this vulnerability.
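For applications that cannot upgrade immediately, Spring's published workaround is to deny the `class`-rooted binding paths at the data-binder level so that request parameters can no longer reach the exposed class properties. The following is an added example of that workaround written for this post; it is not code from the original page or from Vehere. The class name `BinderControllerAdvice` is an assumption, and the merge with any previously configured disallowed fields is included because a second `@InitBinder` that calls `setDisallowedFields` replaces, rather than extends, the existing list.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Global data-binding hardening for Spring MVC / WebFlux controllers.
 * Applies to every controller in the application; the high precedence
 * ensures it runs before any controller-local @InitBinder that might
 * otherwise be the last one to touch the binder.
 */
@ControllerAdvice
@Order(Ordered.HIGHEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Patterns from the Spring advisory: block any binding path that
    // starts with, or passes through, the "class" / "Class" property.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void hardenBinder(WebDataBinder binder) {
        // setDisallowedFields overwrites the current list, so merge with
        // anything an earlier @InitBinder already configured.
        Set<String> merged = new LinkedHashSet<>();
        String[] existing = binder.getDisallowedFields();
        if (existing != null) {
            merged.addAll(Arrays.asList(existing));
        }
        merged.addAll(Arrays.asList(DENYLIST));
        binder.setDisallowedFields(merged.toArray(new String[0]));
    }
}
```

Treat this as a stop-gap, not a replacement for the 5.3.18 / 5.2.20 upgrade: the denylist only covers binding paths handled by `WebDataBinder`, so any custom binder configured elsewhere in the application needs the same patterns applied, and a controller whose own `@InitBinder` calls `setDisallowedFields` after this advice would still drop the denylist unless it merges in the same way.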

Vehere Network Detection and Response: Protection Against Threats Past and Present

Vehere’s research wing, Moon Treader, actively researches new vulnerabilities and malware outbreaks in order to improve the detection efficacy of its NDR solution. Vehere NDR’s Rule Engine is constantly updated to detect threats like the one discussed in this blog. 

In addition to a comprehensive Rule Set that guides the Rule Engine in detecting attacks and behavior anomalies, the NDR’s ML engines are trained to detect behavioral anomalies in customer networks. This, combined with a comprehensive set of NDR enhancements to detect lateral movement activity in a network, enables customers to get a holistic view of any violation of their computing assets and deter the progress of the attack. 

*https://www.trendmicro.com/en_be/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html 
