1.0 Introduction

Spring (VMware) has released security updates to address two vulnerabilities in its products: CVE-2022-22963, which affects Spring Cloud Function, and CVE-2022-22965, which affects Spring Framework and is known as "Spring4Shell". According to VMware, Spring4Shell bypasses the patch for CVE-2010-1622 (a data-binding flaw in which attacker-supplied request parameters could reach the application's ClassLoader through the class.classLoader property path), causing CVE-2010-1622 to become exploitable again. The bypass is possible because Java Development Kit (JDK) versions 9 and later expose a second path to the class loader, via the Module API (class.module.classLoader), alongside the class.classLoader path that the 2010 patch blocked; JDK versions before 9 provide only the one path, so the original patch still holds there.

2.0 Impact
A remote attacker could exploit these vulnerabilities to take control of an affected system. CVE-2022-22963 is a Spring Expression Language (SpEL) injection in the routing functionality of Spring Cloud Function, reachable through a crafted routing-expression request header; CVE-2022-22965 is remote code execution through Spring Framework data binding, which requires the application to run on JDK 9 or later.

3.0 Affected Products
CVE-2022-22963:
• Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions (fixed in 3.1.7 and 3.2.3)
CVE-2022-22965:
• Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older unsupported versions, when running on JDK version 9.0 and above (fixed in 5.3.18 and 5.2.20; Spring Boot 2.6.6 and 2.5.12 pick up the fixed versions)
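The following is an added example, not part of the MyCERT advisory or of any Spring code: a small triage script that applies the affected-version ranges above to a software inventory. The first fixed releases it uses (Spring Framework 5.3.18 / 5.2.20, Spring Cloud Function 3.1.7 / 3.2.3) are taken from the Spring blog posts referenced in this advisory; the inventory at the bottom is constructed sample data, and the Deployment record and function names are this example's own.

```python
"""Version triage for CVE-2022-22963 and CVE-2022-22965.

Added example (not from the MyCERT advisory). Fixed versions are from the
Spring blog posts linked in the advisory; the sample inventory is constructed.
"""
import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '5.3.17' or '4.3.30.RELEASE' into a comparable tuple (5, 3, 17)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())


# First fixed release on each supported branch (from the Spring blog posts).
# Anything below the first fixed release on a supported branch, or on an
# older, unsupported branch, is affected. Newer branches ship fixed.
FIXED = {
    "spring-framework": {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)},
    "spring-cloud-function": {(3, 2): (3, 2, 3), (3, 1): (3, 1, 7)},
}


def is_affected_version(product: str, version: str) -> bool:
    ver = parse_version(version)
    branch = ver[:2]
    fixed = FIXED[product]
    if branch in fixed:
        return ver < fixed[branch]
    oldest_supported = min(fixed)
    return branch < oldest_supported  # older unsupported branch -> affected


@dataclass
class Deployment:
    """One deployed application (hypothetical record type for this example)."""
    name: str
    product: str      # "spring-framework" or "spring-cloud-function"
    version: str
    jdk_major: int    # major version of the JDK the app runs on


def applicable_cves(d: Deployment) -> list:
    """Return the CVEs from this advisory that apply to a deployment."""
    cves = []
    if d.product == "spring-framework":
        # CVE-2022-22965 additionally requires JDK 9 or later (advisory, 3.0).
        if is_affected_version(d.product, d.version) and d.jdk_major >= 9:
            cves.append("CVE-2022-22965")
    elif d.product == "spring-cloud-function":
        if is_affected_version(d.product, d.version):
            cves.append("CVE-2022-22963")
    return cves


def triage(inventory) -> dict:
    """Map each deployment name to the list of applicable CVEs."""
    return {d.name: applicable_cves(d) for d in inventory}


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Deployment("orders-api", "spring-framework", "5.3.17", 11),
    Deployment("legacy-portal", "spring-framework", "5.3.17", 8),
    Deployment("billing", "spring-framework", "5.3.18", 17),
    Deployment("old-intranet", "spring-framework", "4.3.30.RELEASE", 11),
    Deployment("fn-router", "spring-cloud-function", "3.2.2", 11),
    Deployment("fn-router-patched", "spring-cloud-function", "3.2.3", 11),
]

if __name__ == "__main__":
    for name, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{name:20s} {', '.join(cves) or 'not affected'}")
```

Note that a deployment on JDK 8 (legacy-portal above) comes back as not affected by CVE-2022-22965 because the bypass depends on the JDK 9+ Module API, but it is still running a version Spring no longer supports and should be upgraded regardless; likewise, matching a version range is a reason to patch, not proof that a given application is exploitable.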

4.0 Recommendations
MyCERT encourages users and administrators to immediately apply the necessary updates described in the Spring blog posts covering the Spring Cloud Function updates addressing CVE-2022-22963 and the Spring Framework updates addressing CVE-2022-22965. MyCERT also recommends reviewing the VMware Tanzu Vulnerability Report for CVE-2022-22965 (Spring Framework RCE via Data Binding on JDK 9+) and CERT Coordination Center (CERT/CC) Vulnerability Note VU#970766 for more information. Kindly refer to the URLs below for more details:

https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://tanzu.vmware.com/security/cve-2022-22965
https://www.kb.cert.org/vuls/id/970766

Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0 References
https://www.cisa.gov/uscert/ncas/current-activity/2022/04/01/spring-releases-security-updates-addressing-spring4shell-and
https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://tanzu.vmware.com/security/cve-2022-22965
https://www.kb.cert.org/vuls/id/970766