samabcde

Reputation: 8114

How to resolve Spring RCE vulnerability (CVE-2022-22965)?

Update

This issue is now assigned to CVE-2022-22965. Other than the nice answers below, please also check Spring Framework RCE: Early Announcement, as it is the most reliable and up-to-date site for this issue.


According to different sources, it seems we have a serious security issue when using the Spring Core library.

Quoting from the above link, we are at risk if:

The link suggests some solutions, but they don't seem easy to implement or reliable. What should we do to fix this issue, in the easiest and most reliable way?

Upvotes: 3

Views: 12353

Answers (2)

Mathias-S

Reputation: 805

According to the Spring Framework RCE: Early Announcement, upgrading to Spring Framework 5.3.18 or 5.2.20 will fix the RCE.

If you use Spring Boot, Spring Boot 2.5.12 and Spring Boot 2.6.6 fixes the vulnerability.

If you're unable to update:

You can choose to only upgrade Tomcat. The Apache Tomcat team has released versions 10.0.20, 9.0.62, and 8.5.78 all of which close the attack vector on Tomcat’s side.

If you can't do any of the above, the RCE announcement blog post suggests a workaround: Set disallowedFields on WebDataBinder through an @ControllerAdvice:

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Reject request parameters that would bind through the "class" property chain
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }

}

This quick fix will not work if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting. Also, more generally, the workaround will not have an effect if you use alternate REST frameworks such as Jersey (however, it has not yet been demonstrated that such configurations are impacted).

Upvotes: 4
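Added example, not from the question, the answers, or the Spring announcement: a hypothetical controller that needs its own @InitBinder (to whitelist one form field), showing how to re-apply the global denylist so the local binder does not override it, plus an offline check with a plain WebDataBinder on constructed parameters. The class names and the "class.example" parameter are assumptions.

```java
import java.util.Arrays;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller with a local @InitBinder. setDisallowedFields is a
// setter, so a controller-local call REPLACES the global denylist from the
// @ControllerAdvice; the denylist must therefore be re-applied here too.
@RestController
public class AccountController {

    // Same patterns as the global advice, kept in one constant so that no
    // controller-local binder can silently drop them.
    static final String[] CLASS_DENYLIST =
            {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void initBinder(WebDataBinder binder) {
        binder.setAllowedFields("name");             // local rule for this form
        binder.setDisallowedFields(CLASS_DENYLIST);  // keep the global rule in force
    }

    @PostMapping("/account")
    public String update(@ModelAttribute AccountForm form) {
        return "updated " + form.getName();
    }

    public static class AccountForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Offline check of the binder rules: binds constructed request parameters
    // through the same @InitBinder method and lists the fields it suppressed.
    public static void main(String[] args) {
        WebDataBinder binder = new WebDataBinder(new AccountForm(), "form");
        new AccountController().initBinder(binder);
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("name", "alice");
        pvs.add("class.example", "probe");  // constructed name matching "class.*"
        binder.bind(pvs);
        System.out.println("suppressed: "
                + Arrays.toString(binder.getBindingResult().getSuppressedFields()));
    }
}
```

The suppressed-fields list is the quickest way to confirm that a controller-local binder still rejects "class.*" parameters after the advice has been applied.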

Ravi Parekh

Reputation: 5594

Note: a Spring upgrade is needed later on, as the vulnerability is not in Tomcat.

Temporary workaround: upgrade Tomcat to 10.0.20, 9.0.62, or 8.5.78.

Spring Reference

Upvotes: 0
