Spring Framework - CVE vulnerabilities

This page will be updated over the coming days as and when new information is available.

Introduction

Two Remote Code Execution (RCE) vulnerabilities have recently been found in Spring Framework (the Java-based application framework):

CVE-2022-22963

In summary, any Java application that uses the following is potentially vulnerable to this CVE:

  • Spring Cloud Function versions:
    • 3.1.6
    • 3.2.2
    • Older, unsupported versions are also affected

Spring have fixed this vulnerability in the following releases:

  • Spring Cloud Function 3.1.7 and 3.2.3

CVE-2022-22965

In summary, any Java application that uses the following combination of items is potentially vulnerable to this CVE:

  • Java JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions
    • 5.3.0 to 5.3.17
    • 5.2.0 to 5.2.19
    • Older, unsupported versions are also affected

Spring have fixed this vulnerability in the following releases:

  • Spring Framework 5.3.18 and 5.2.20
  • Spring Boot 2.6.6 and 2.5.12 that depend on Spring Framework 5.3.18
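The two version lists above (Spring Cloud Function for CVE-2022-22963, and the JDK / Tomcat / WAR / spring-webmvc-or-webflux / Spring Framework combination for CVE-2022-22965) can be turned into a repeatable inventory check. The script below is an added example, not CAST's or Spring's code: it encodes the affected ranges exactly as the advisory states them, scans a traditional WAR for bundled spring-webmvc / spring-webflux jars under WEB-INF/lib (an assumed layout), and reports whether all of the CVE-2022-22965 preconditions hold. The sample WAR it builds in memory is constructed for the demonstration and is not a real CAST artifact.

```python
import io
import re
import zipfile

# Version ranges taken from the advisory (all bounds inclusive).
# CVE-2022-22965: Spring Framework 5.3.0-5.3.17 and 5.2.0-5.2.19, fixed in 5.3.18 / 5.2.20;
# older, unsupported lines are treated as affected.
SPRING_FW_AFFECTED = [((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19))]
# CVE-2022-22963: Spring Cloud Function 3.1.6 and 3.2.2, fixed in 3.1.7 / 3.2.3;
# older, unsupported lines are treated as affected.
SCF_AFFECTED = [((3, 2, 0), (3, 2, 2))]

# Jar names under WEB-INF/lib that matter for CVE-2022-22965 (assumed WAR layout).
WEB_JAR = re.compile(r"WEB-INF/lib/spring-(webmvc|webflux)-(\d+\.\d+\.\d+)\.jar$")


def parse_version(text):
    """'5.3.17' -> (5, 3, 17) so that tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def spring_framework_affected(version):
    v = parse_version(version)
    if v < (5, 2, 0):
        return True  # advisory: older, unsupported versions are also affected
    return any(lo <= v <= hi for lo, hi in SPRING_FW_AFFECTED)


def spring_cloud_function_affected(version):
    v = parse_version(version)
    if v < (3, 1, 7):
        return True  # 3.1.6 and everything older than the 3.1.7 fix
    return any(lo <= v <= hi for lo, hi in SCF_AFFECTED)


def find_spring_web_jars(war_bytes):
    """Return {artifact: version} for spring-webmvc/webflux jars bundled in a WAR."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = WEB_JAR.match(name)
            if m:
                found[m.group(1)] = m.group(2)
    return found


def assess_cve_2022_22965(war_bytes, java_major, servlet_container):
    """Apply the advisory's preconditions to a traditional WAR deployment."""
    jars = find_spring_web_jars(war_bytes)
    reasons = []  # every reason listed here rules the deployment out
    if java_major < 9:
        reasons.append("Java runtime is below JDK 9")
    if servlet_container.lower() != "tomcat":
        reasons.append("servlet container is not Apache Tomcat")
    if not jars:
        reasons.append("no spring-webmvc/spring-webflux jar in WEB-INF/lib")
    affected = {a: v for a, v in jars.items() if spring_framework_affected(v)}
    if jars and not affected:
        reasons.append("Spring Framework version is not in an affected range")
    return {
        "vulnerable": not reasons,
        "spring_web_jars": jars,
        "not_vulnerable_because": reasons,
    }


def build_sample_war(spring_version):
    """Constructed sample WAR (not a real CAST artifact) containing the jar names we scan for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr(f"WEB-INF/lib/spring-core-{spring_version}.jar", b"")
        war.writestr(f"WEB-INF/lib/spring-webmvc-{spring_version}.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for version, java in (("5.3.17", 11), ("5.3.18", 11), ("5.3.17", 8)):
        result = assess_cve_2022_22965(build_sample_war(version), java, "tomcat")
        verdict = "VULNERABLE" if result["vulnerable"] else "not affected"
        print(f"Spring {version} on JDK {java}: {verdict} {result['not_vulnerable_because']}")
```

Run it against a real WAR with `assess_cve_2022_22965(open("app.war", "rb").read(), 11, "tomcat")`; a deployment is only flagged when every precondition in the advisory holds, so a Spring Boot executable jar or a JDK 8 runtime is reported as not affected even with a vulnerable Spring Framework version on the classpath.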

What information does this page provide?

CAST makes use of Spring Framework / Spring Boot / Spring Cloud Function in various products, therefore this page explains:

  • which products are affected by these vulnerabilities
  • how CAST plans to mitigate the threat

Which CAST products are affected?

CAST Dashboards (standalone and embedded via the integrated RestAPI)
  • CVE-2022-22963: Not affected (Spring Cloud is used in 2.x, however, the Spring Cloud Function itself is not used).
  • CVE-2022-22965: All releases are affected (when deployed on Apache Tomcat via a WAR file AND with Java 9 or above).

AIP Core
  • CVE-2022-22963: Not affected.
  • CVE-2022-22965: Not affected.

CAST Imaging
  • CVE-2022-22963: Not affected.
  • CVE-2022-22965: Not affected.

AIP Console/AIP Node
  • CVE-2022-22963: Not affected (Spring Cloud is used in 2.x, however, the Spring Cloud Function itself is not used).
  • CVE-2022-22965: Not affected (impacted Spring Framework JARs are used in all releases, however, they are not deployed via a traditional WAR).

CAST official extensions
  • CVE-2022-22963: Not affected.
  • CVE-2022-22965: Not affected.

How does CAST plan to mitigate the threat?

CAST will release updates to affected products in the coming days. These updates will contain Spring Framework 5.3.18 / 5.2.20 and/or Spring Boot 2.6.6 / 2.5.12, which fix the vulnerabilities. Only the most recent release of each affected product will be patched, so receiving the patch requires upgrading to the newest release (CAST highly recommends this wherever possible).

What can you do to prevent the vulnerability from being exploited?

If you are waiting for a patch from CAST for an impacted product, or you cannot upgrade to the CAST product release containing Spring Framework 5.3.18 / 5.2.20 and/or Spring Boot 2.6.6 / 2.5.12, you can perform the action listed below to mitigate the vulnerability.

Upgrade Apache Tomcat to mitigate CVE-2022-22965

Apache has released updates to Apache Tomcat which mitigate the threat posed by CVE-2022-22965, as discussed in https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative. The CVE is not present in Apache Tomcat itself; however, the new releases include a change that disables the WebappClassLoaderBase.getResources() method, which prevents CVE-2022-22965 from being exploited.

Therefore, CAST highly recommends upgrading your deployed Apache Tomcat to the following releases (supported by CAST for deployment of CAST Dashboards/RestAPI) wherever possible: