An emergency fix for the Spring4shell flaw
The CVE-2022-22965 zero-day vulnerability affecting the Spring Java framework was quickly fixed. VMware, for its part, warned this weekend that three Tanzu products affected by this flaw must be updated.
It didn’t take long for the Spring4shell flaw to be closed. Identified as CVE-2022-22965, this vulnerability – for which an exploit PoC was published on March 30, 2022 by a Chinese security researcher – has had a patch since last Friday. It concerns the Spring framework implementing the model-view-controller (MVC) architecture for developing web applications, as well as WebFlux, running on JDK 9 or later. “If the application is deployed as an executable jar file in a Spring Boot package, which is the default, it is not vulnerable to the exploit,” Spring said, however.
The prerequisites for being exposed to a possible exploit of this vulnerability are the following: running a Spring MVC or WebFlux application on JDK 9 or later, using Apache Tomcat as the servlet container, deploying the application as a WAR (Web Application Archive) package, depending on spring-webmvc or spring-webflux, and running Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or earlier. To protect against Spring4shell, it is therefore recommended to migrate to Spring Framework versions 5.3.18 or 5.2.20, which include the patches. Do not forget to also install versions 2.6.6 or 2.5.12 of Spring Boot, as well as versions 10.0.20, 9.0.62 and 8.5.78 of Apache Tomcat.
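The preconditions and fixed versions listed above translate directly into an inventory check. The following script is an added example (not code from the article, Spring or VMware): it opens a WAR, looks for spring-webmvc / spring-webflux jars under WEB-INF/lib using the conventional artifact-version naming, compares the bundled Spring Framework version against the fixed releases 5.3.18 and 5.2.20, and combines that with the deployment facts (JDK major version, servlet container) that the caller supplies. The sample WAR it scans is constructed in memory with empty jar entries, so the script runs offline.

```python
"""Triage helper for CVE-2022-22965 (Spring4Shell), added example.

Scans a WAR's WEB-INF/lib for spring-webmvc / spring-webflux jars and reports
whether the bundled Spring Framework version predates the fixed releases
(5.3.18 on the 5.3 line, 5.2.20 on the 5.2 line). The JDK version and servlet
container are assumed to be supplied by whoever runs the check.
"""
import io
import re
import zipfile

# Fixed releases named in the article; older builds on the same line are affected.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Assumed jar naming convention: spring-webmvc-5.3.17.jar, spring-webflux-5.2.19.RELEASE.jar, ...
JAR_RE = re.compile(r"WEB-INF/lib/spring-(webmvc|webflux)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")


def is_vulnerable_version(version: tuple) -> bool:
    """True when the Spring Framework version is in the affected range.

    Affected: 5.3.0-5.3.17, 5.2.0-5.2.19 and anything older than 5.2.0.
    Not affected: 5.3.18+, 5.2.20+ and any later line.
    """
    line = (version[0], version[1])
    if line in FIXED:
        return version < FIXED[line]
    return version < (5, 2, 0)


def scan_war(war_bytes: bytes, jdk_major: int, container: str) -> dict:
    """Return a triage verdict for one WAR given the deployment facts."""
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.match(name)
            if m:
                version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
                found.append((m.group(1), version))

    unpatched = [(mod, v) for mod, v in found if is_vulnerable_version(v)]
    # Exploit preconditions from the article: JDK 9+, Tomcat, WAR deployment (we are scanning a WAR).
    preconditions = jdk_major >= 9 and container.strip().lower() == "tomcat"

    if unpatched:
        action = ("upgrade Spring Framework to 5.3.18 (or 5.2.20 on the 5.2 line); "
                  "also update Spring Boot (2.6.6 / 2.5.12) and Tomcat (10.0.20 / 9.0.62 / 8.5.78)")
    else:
        action = "no unpatched spring-webmvc/spring-webflux jar found"

    return {
        "spring_jars": found,
        "unpatched": unpatched,
        "exploitable_preconditions": preconditions,
        "action": action,
    }


def build_sample_war(spring_version: str) -> bytes:
    """Constructed sample WAR: minimal layout with empty jar entries, no real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr(f"WEB-INF/lib/spring-webmvc-{spring_version}.jar", b"")
        war.writestr(f"WEB-INF/lib/spring-core-{spring_version}.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("5.3.17", "5.3.18"):
        verdict = scan_war(build_sample_war(ver), jdk_major=11, container="Tomcat")
        print(ver, "->", verdict["action"], "| preconditions met:", verdict["exploitable_preconditions"])
```

A WAR whose preconditions are not met (JDK 8, or a non-Tomcat container) still gets the upgrade recommendation when an affected jar is present: the article notes that other exploitation paths may exist, so the version itself is what to fix, and the precondition flag only orders the work.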
Critical security flaws in 3 VMware Tanzu products
In the wake of these Spring updates, VMware also released critical security patches (CVSS 9.8) for several Tanzu products on Saturday: Application Service for VMs, Operations Manager, and Kubernetes Grid Integrated Edition (TKGI). “A malicious actor with network access to an impacted VMware product can exploit this issue to gain full control of the target system,” the vendor warned.
The days to come, however, could be complicated. “The nature of the vulnerability is more general and there may be other ways to exploit it,” Spring warned. This is also the opinion of Ilkka Turunen, technical director of Sonatype: “this type of vulnerability tends to mutate over time as researchers explore other avenues of exploitation […] In Log4j we found four more CVEs related to the original issue and we expect it to happen here”. Caution and vigilance are therefore required for companies – and there are many of them – using Spring Framework, including its MVC, Boot and WebFlux components.