A zero-day remote code execution (RCE) vulnerability has been identified in the Spring framework. VMware Spring is a open-source Java toolkit for building powerful Java apps, including cloud-based apps. Part of the Spring ecosystem is a set of components called Spring Cloud by which you can hook Spring code straight into well-known cloud services.
Description
The unpatched flaw impacts Spring Core on Java Development Kit (JDK) versions 9 and later and has been identified as a potential bypass for another vulnerability tracked as CVE-2010-1622, enabling an unauthenticated attacker to execute arbitrary code on the target system.
Proof-of-concept (PoC) code is already readily available on the internet showing how to inject unauthorised Java code into inbound Spring Cloud Function requests, and how to use that code to run an unwanted program.
Who is Affected?
At this time it’s unclear which real-world applications use the vulnerable functionality, Configuration and JRE version may also be significant factors in exploitability and the likelihood of widespread exploitation. However the following products have been identified as being affected so far:
Spring Framework
-
5.3.0 to 5.3.17
-
5.2.0 to 5.2.19
Older, unsupported versions are also affected.
Mitigation
Users of affected versions should apply the following:
-
5.3.x users should upgrade to 5.3.18+
-
5.2.x users should upgrade to 5.2.20+
If you are NOT able to upgrade to the above frameworks, then the following general workaround has been released.
Reports recommend setting disallowedFieldson WebDataBinder through an @ControllerAdvice:
@ControllerAdvice @Order(Ordered.LOWEST_PRECEDENCE) public class BinderControllerAdvice { @InitBinder public void setAllowedFields(WebDataBinder dataBinder) { String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"}; dataBinder.setDisallowedFields(denylist); } }
Additional workarounds are published in the ‘spring-framework-rce-early-announcement’ blog referenced below.
References
-
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
-
https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function
-
https://jfrog.com/blog/springshell-zero-day-vulnerability-all-you-need-to-know/
![](https://www.covertswarm.com/wp-content/uploads/2024/06/2024-Academy-Intake-3-640x320.png)
Academy Launches Second Intake
CovertSwarm’s Academy is opening the 2024 intake. Apply and start your cybersecurity journey as an ethical hacker.
![DORA & NIS2 European Flag](https://www.covertswarm.com/wp-content/uploads/2024/05/DORA-and-NIS2-European-Flag-640x320.png)
Combining regulation with real-world security assurance: DORA and NIS2
Whether you’re a local financial startup or a multinational food distributor, understanding how DORA and NIS2 may affect your organization is vital. With implementation dates just…
![](https://www.covertswarm.com/wp-content/uploads/2024/05/Clutch-100-fastest-growth-640x320.png)
CovertSwarm named by Clutch among Top 100 Fastest-Growing Companies
Clutch has recognized us for achieving one of the highest revenue growth rates from 2022 to 2023.