Two remote code execution vulnerabilities have been identified in the Spring Platform – a popular application framework that software developers use to quickly build Java applications. Proof-of-concept exploits for both vulnerabilities are in the public domain, and at least one of the vulnerabilities is being actively exploited.
The first vulnerability – CVE-2022-22963 – affects Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions. It is remotely exploitable in the default configuration when running a Spring Boot application that depends on Spring Cloud Function, for example through the spring-cloud-function-web or spring-cloud-starter-function-web packages.
According to VMware, the owner of Spring, when the routing feature is used a user can supply a specially crafted SpEL expression as the routing expression, enabling remote code execution and access to local resources. The vulnerability initially received a CVSS severity score of 5.4 but was later upgraded to critical. Proof-of-concept exploits for the vulnerability are in the public domain.
The vulnerability has been patched by VMware in Spring Cloud Function versions 3.1.7 and 3.2.3. An immediate upgrade to a fixed version is recommended to prevent exploitation.
A proof-of-concept exploit has also been publicly released for a separate zero-day vulnerability affecting the Spring Core Java framework. The vulnerability, dubbed Spring4Shell, allows unauthenticated attackers to execute code remotely on affected applications.
The vulnerability – identified as CVE-2022-22965 – is due to insecure deserialization of passed arguments and affects Spring MVC and Spring WebFlux applications running on JDK 9 or higher. An exploit is in the public domain, but it does not work when the application is deployed as a Spring Boot executable jar, which is the default. The public exploit only works when the application runs on Tomcat as a WAR deployment with a spring-webmvc or spring-webflux dependency; however, there may be other ways to exploit the vulnerability.
The vulnerability is not considered as severe as the Log4j/Log4Shell vulnerability, but Spring is popular and widely used to build applications.
The vulnerability has been fixed in the following versions:
- Spring Framework 5.3.18 and Spring Framework 5.2.20
- Spring Boot 2.5.12
- Spring Boot 2.6.6
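A version-triage helper, added here as an example and not part of the article or of any Spring tooling: it encodes the fixed releases listed above and the Spring4Shell exploit preconditions the article describes, and runs them over a constructed dependency inventory. The Deployment fields and the sample inventory are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Fixed releases as listed in the article, keyed by artifact, then release line (major.minor).
FIXED = {
    "spring-cloud-function": {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)},    # CVE-2022-22963
    "spring-framework":      {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)},  # CVE-2022-22965
    "spring-boot":           {(2, 5): (2, 5, 12), (2, 6): (2, 6, 6)},   # CVE-2022-22965
}

def parse_version(text):
    """'5.3.17.RELEASE' -> (5, 3, 17); numeric components only, padded to three."""
    nums = []
    for part in text.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple((nums + [0, 0, 0])[:3])

def is_fixed(artifact, version):
    """True when the version is at or above the fixed release for its line.
    Assumption: lines newer than those listed post-date the fix; older lines are
    the unsupported ones the article mentions and are treated as unfixed."""
    v = parse_version(version)
    lines = FIXED[artifact]
    if v[:2] in lines:
        return v >= lines[v[:2]]
    return v[:2] > max(lines)

@dataclass
class Deployment:                 # hypothetical inventory record, not a Spring type
    jdk_major: int
    packaging: str                # "jar" (Boot executable jar, the default) or "war"
    container: str                # e.g. "tomcat" or "embedded"
    deps: dict = field(default_factory=dict)   # artifact -> version string

def triage(d):
    """Return findings for one deployment. Unfixed versions are always reported;
    the CVE-2022-22965 line only reports the exploit path the article names."""
    findings = []
    for artifact, version in d.deps.items():
        if artifact in FIXED and not is_fixed(artifact, version):
            findings.append(f"{artifact} {version}: below fixed release, upgrade")
    fw = d.deps.get("spring-framework")
    if (fw and not is_fixed("spring-framework", fw) and d.jdk_major >= 9
            and d.packaging == "war" and d.container == "tomcat"):
        findings.append("CVE-2022-22965: public exploit preconditions met (JDK 9+, WAR on Tomcat)")
    return findings

# Constructed sample inventory (not from the article).
SAMPLE = Deployment(jdk_major=11, packaging="war", container="tomcat",
                    deps={"spring-framework": "5.3.17", "spring-cloud-function": "3.2.3"})
```

Running `triage(SAMPLE)` reports the unpatched Spring Framework and the matching exploit preconditions; the same deployment packaged as an executable jar still gets the upgrade finding, since other exploit paths may exist.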
CISA Warns of Uninterruptible Power Supply Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DoE) have issued a warning that threat actors are exploiting vulnerabilities in internet-connected uninterruptible power supplies (UPSs) to gain access to networks.
UPSs are regularly connected to networks for power monitoring, maintenance and convenience, and provide clean backup power to IT equipment and applications. Many inverter vendors have added IoT functionality to their devices so that they can be accessed over the internet.
CISA and the DoE are aware of malicious actors using these devices to gain access to networks, most often by logging in with unchanged default usernames and passwords.
All users of such devices have been advised to immediately inventory their inverters and similar systems and ensure that they are not accessible from the Internet or, if Internet access is required, that the device or system sits behind a virtual private network. Default credentials should be changed, long passwords or passphrases used to secure the devices, and multi-factor authentication enforced.