[Security Notice] Remote Code Execution Vulnerability in Spring Cloud Function (CVE-2022-22963)
Dear Customer,
Tencent Cloud Security Operations Center has noticed that Spring Cloud Function is exposed to a remote code execution vulnerability (CVE-2022-22963), which can lead to remote execution of arbitrary code and other damages. The vulnerability has been exploited in the wild on the internet with a severe impact.
To safeguard your business, we recommend you conduct a security inspection in time. If your business is affected, update it to fix the vulnerability promptly and prevent intrusions by attackers.
Vulnerability details
Spring Cloud Function is a Spring Boot-based function computing framework. It aims to promote functions as the primary unit of development. It abstracts all transfer details and infrastructure and offers a general model for deploying function-based software programs on diverse platforms.
A SpEL expression injection vulnerability exists in Spring Cloud Function: unauthenticated attackers can construct specific data packets that inject SpEL expressions through specific HTTP request headers. This can ultimately lead to remote execution of arbitrary code and access to servers.
Risk level
High
Vulnerability risk
Attackers can exploit the vulnerability to remotely execute arbitrary code and gain access to servers.
Affected versions
Spring Cloud Function ≤ 3.1.6
Spring Cloud Function ≤ 3.2.2
Other versions that are no longer maintained
Safe versions
Spring Cloud Function ≥ 3.1.7
Spring Cloud Function ≥ 3.2.3
Suggestions for fix
You can update to the officially released safe version as needed.
Note: Back up your data before upgrading to avoid accidental losses.
Vulnerability references
https://tanzu.vmware.com/security/cve-2022-22963
[Security Notice] Remote Code Execution Vulnerability in Spring Framework (CVE-2022-22965)
Dear Customer,
Tencent Cloud Security Operations Center has noticed that Spring Framework is exposed to a remote code execution vulnerability (CVE-2022-22965), which can lead to remote write, arbitrary code execution, and other damages. The vulnerability has been exploited in the wild, with its details publicly disseminated.
To safeguard your business, we recommend you conduct a security inspection in time. If your business is affected, update it to fix the vulnerability promptly and prevent intrusions by attackers.
Vulnerability details
Spring Framework is an open-source lightweight J2EE application development framework. It provides IoC, AOP, and MVC features to solve common development problems and improve the agility of application development and the efficiency of building software systems.
Because the code that fixed an earlier vulnerability in Spring Framework is flawed, remote attackers can, when the application runs on Tomcat with JDK 9 or later, construct data packets that tamper with log files, thereby writing malicious files such as a WebShell to any path and executing arbitrary code to control the server.
According to the official announcement, the vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. (If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit. However, there may be other ways to exploit it.)
The following are the requirements for exploiting the vulnerability:
1. Running on JDK 9 or later
2. Apache Tomcat as the Servlet container
3. Packaged as a WAR
4. spring-webmvc or spring-webflux dependency
Risk level
High
Vulnerability risk
Attackers can easily exploit the vulnerability to write arbitrary files and remotely execute arbitrary code.
Affected versions
Spring Framework 5.3.X < 5.3.18
Spring Framework 5.2.X < 5.2.20
With JDK ≥ 9
Inspection method
Your business is affected by the vulnerability if all the following requirements are met:
1. Check the version of the JDK used.
On your business system server, run the "java -version" command to view the JDK version (for example, "java version "17.0.2"" indicates JDK 17 and "java version "1.8.0_91"" indicates JDK 8). Your business is affected if the JDK version is 9 or later.
2. Determine whether Spring Framework is used; if not, your business is not affected.
No matter whether your business system project is deployed as a WAR or JAR package, you can use the following steps to determine:
1) Decompress the WAR or JAR package: Change the extension of the WAR or JAR file to ".zip" and decompress the ZIP file.
2) Search for JAR files in "spring-beans-*.jar" format (such as "spring-beans-5.3.11.jar") in the decompressed directory, and if there is any, Spring Framework is used in your business system for development.
3) If no "spring-beans-*.jar" files exist, search for the "CachedIntrospectionResults.class" file in the decompressed directory, and if it exists, Spring Framework is used in your business system for development.
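The three inspection steps above, scripted as an added example that is not part of the advisory: it parses the first line of "java -version" output and, because a WAR or JAR is a zip file, reads the entry names directly to look for the two indicators named above. The sample archives are constructed inside the block and are not real applications.

```python
import io
import re
import zipfile
from fnmatch import fnmatch
from typing import Optional

# Step 1: parse the first line of "java -version" output into a major version.
# Pre-JDK 9 releases report "1.x" (e.g. "1.8.0_91" is JDK 8); later ones report "17.0.2".
def jdk_major_version(version_output: str) -> Optional[int]:
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        return None
    major = int(m.group(1))
    if major == 1 and m.group(2) is not None:  # legacy "1.x" numbering scheme
        return int(m.group(2))
    return major

# Step 2: inspect the archive entries instead of renaming to .zip and unpacking by hand.
# Either indicator from the advisory (spring-beans jar or the class file) counts.
def uses_spring_framework(archive_bytes: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            if fnmatch(base, "spring-beans-*.jar") or base == "CachedIntrospectionResults.class":
                return True
    return False

# Combined check: affected only if JDK >= 9 AND Spring Framework is present.
def is_affected(version_output: str, archive_bytes: bytes) -> bool:
    major = jdk_major_version(version_output)
    return major is not None and major >= 9 and uses_spring_framework(archive_bytes)

# Constructed sample archives (not real applications) so the check runs offline.
# indicator: "jar" (WAR with a spring-beans jar), "class" (shaded jar with the class), or "none".
def build_sample_archive(indicator: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        if indicator == "jar":
            zf.writestr("WEB-INF/lib/spring-beans-5.3.11.jar", b"")
        elif indicator == "class":
            zf.writestr("org/springframework/beans/CachedIntrospectionResults.class", b"")
    return buf.getvalue()

if __name__ == "__main__":
    war = build_sample_archive("jar")
    print(is_affected('java version "17.0.2" 2022-01-18 LTS', war))  # True: JDK 17 + Spring
    print(is_affected('java version "1.8.0_91"', war))               # False: JDK 8
```

On a real server, feed the script the output of "java -version" and the bytes of the deployed WAR or JAR; a result of True means both conditions of the inspection are met and the fix below applies.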
Safe versions
Spring Framework 5.3.18
Spring Framework 5.2.20
Spring Boot 2.6.6 and Spring Boot 2.5.12 based on Spring Framework 5.3.18
Suggestions for fix
As there may be other ways to exploit the vulnerability and aggravate its impact, we recommend you upgrade to a safe version of Spring Framework.
Workaround 1: Use WAF and other protection devices to block or check
1. Tencent Cloud WAF:
Tencent Cloud WAF has captured the attack PoC and added attack blocking rules (rule ID: 106247662 at Tencent Cloud and 106246731 at Tencent Cloud International). The detailed configurations are as follows:
1) Go to the WAF console, select "Basic security > Web security > Web security rules", and enable the blocking mode.
2) In the console, you can filter for the latest rule by its addition time.
2. CWP (relevant rules are in beta test currently):
1) If you have purchased CWP Pro or Flagship for your server, view the JDK version by selecting "Asset fingerprint > Environment variable > Java". Your business is affected only if the version is 1.9 or later (and Spring Framework is used).
3. CFW
1) Go to the CFW console and enable the firewall for public network assets.
2) Go to "Intrusion protection", select "Virtual patch", and enable the blocking mode.
4. In the WAF and other network protection devices, filter the following characters (case-insensitive) according to the actual traffic deployment.
"class.*", "Class.*", "*.class.*", "*.Class.*", "class.module.*"
After deploying the filtering rules, perform tests to avoid affecting normal business.
Workaround 2: Temporary fixes (you can use both or either of the following methods to mitigate the vulnerability):
Method 1:
Search globally in the application for the "@InitBinder" annotation and check whether "dataBinder.setDisallowedFields" is called inside the annotated method. If it is, add {"class.*", "Class.*", "*.class.*", "*.Class.*"} to the existing blocklist. (Note: If the annotation is used in several places, you need to add the patterns everywhere it is used.)
Method 2:
Create the following global class under the project package of the application system and ensure that this class is loaded by Spring (we recommend you add it in the package where the Controller is located).
After adding the class, you need to recompile and repackage the project, test its features, and then release it again.
Reference code snippet:
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applied to every controller; lowest precedence so it runs after any existing @InitBinder methods.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {
    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Block data binding to any "class"/"Class" property path, which the exploit relies on.
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
We recommend you view the official workarounds at https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#vulnerability.
Note: Back up your data before upgrading to avoid accidental losses.
Vulnerability references
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement