Security Advisory for Spring users from Ward Solutions

As featured on the Ward Solutions blog, two new zero-day vulnerabilities have been identified within Spring, an open-source framework for Java applications. Read Ward’s full advisory notice below.

• What is ‘Spring’?

  The Spring Framework is an open-source application framework that provides infrastructure support for developing Java applications. A framework is a large body of predefined code to which developers can add code to solve a problem in a specific domain.

  Vulnerability Overview

  CVE-2022-22963 (CVSS 9.8 (Unofficial) – Critical) – Remote code execution in Spring Cloud Function by malicious Spring Expression

  A Critical severity vulnerability impacting multiple versions impacts Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions was disclosed publicly on March 28th.

  In Spring 3.1.6, 3.2.2 and older version when using routing functionality, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

  CVE-2022-22965 (CVSS – 8.1 – High) – Spring Framework RCE via Data Binding on JDK 9+ “Spring4Shell”

  A High severity vulnerability was responsibly reported to VMware on 29th March. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Spring Framework version 5.3.0 to 5.3.17 & 5.2.0 to 5.2.19 are reported as being vulnerable. Older, unsupported versions are also affected.

  It is worth noting that certain prerequisites are required to benefit from Spring4Shell. That is, the code needs to be exploitable. For the Spring4Shell vulnerability, those who use the following may be at risk:

  • Java Development Kit 9 and higher
  • Spring-Beans package
  • Spring parameter binding
  • Spring parameter binding using non-basic parameter types like POJOs

  Recommendation – Prevention

  • Apply appropriate vendor patches
  • (CVE-2022-22965) If you’re using the Spring Framework, upgrade to versions 5.3.18+ and 5.2.20+.
  • (CVE-2022-22963) If you’re using the Spring Cloud Function library, you must upgrade to 3.1.7+ or 3.2.3+ to prevent an RCE attack.
  • Ensure NGEN Firewall / IPS has appropriate signatures
  • Ensure EPP/EDR policies are set to block all types of malware from executing

  Spring has released a critical update for its system in the wake of vulnerability being discovered. Cybersecurity company Praetorian has also issued advice to technical teams to help them spot and block dangerous code.

  Recommendation – Detection

  For those hosting applications using Spring, you can detect this vulnerability by:

  • Performing vulnerability scanning on your environment, prioritizing the network perimeter
  • Monitoring and performing threat hunting activities

  For application developers you can detect this vulnerability at three different phases of the application lifecycle:

  • Build Process: Use and image scanner to analyze contents and build processes of a container in order to detect security issues, vulnerabilities, or bad practices.
  • Deployment Process: Implementing image scanning on the admission controller, it is possible to admit only the workload images that are compliant with the scanning policy to run in the cluster
  • Runtime Process: Using a Runtime detection engine tool like Falco, you can detect attacks that occur in runtime when your containers are already in production.

  If you believe you are affected or vulnerable based on the criteria above, consider shutting down a service if it is exposed to the internet, and follow our recommended prevention actions.

If you’re an Ekco customer and you’re concerned about any of the above, please contact your account manager or get in touch here.