Reputation: 23
Is there any scenario where CVE-2022-21449 could lead to a hack/abuse?
I looked at the GitHub repo of Spring Security, and java.security is widely used, but I do not know how the usage in the library could lead to a security flaw.
Upvotes: 1
Views: 799
Reputation: 718708
This is not a vulnerability in Spring / Spring Security per se. The vulnerability is in the JVM itself. Specifically, it is in signature checking for ECDSA (Elliptic Curve Digital Signature Algorithm) signatures.
In order for this to be a problem in a Spring-based application, the application needs to rely on ECDSA verification for some aspect of its security. A common use of signature verification is when your application fetches code from an untrusted third party and runs it in a security sandbox. An attacker could inject a JAR with a faked signature.
Another possibility is if either your application or Spring itself is using ECDSA signatures for some purpose.
But you could say that this is moot. If you just upgrade the Java installation that your Spring applications are using, you don't need to dig more deeply to see if they were (indirectly) vulnerable.
Upvotes: 4
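A practical way to act on the answer's advice is to confirm that the JVM your Spring applications actually run on has the fix. The following self-check is an added example, not code from the question, the answer, Spring or the JDK. It assumes only the standard `java.security` API: it generates a throwaway P-256 key pair and asks the provider to verify a syntactically valid DER ECDSA signature whose `r` and `s` values are both zero. A patched JVM rejects that signature (returning `false` or throwing `SignatureException`); a JVM affected by CVE-2022-21449 accepts it for any message and any key, which is exactly why a sandboxed JAR or token signature could be faked.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignatureException;

/**
 * Added self-check (not part of the original post): does this JVM reject an
 * ECDSA signature with r = 0 and s = 0? Run it on the runtime that hosts
 * your Spring applications, e.g. as a startup or CI health check.
 */
public class EcdsaZeroSignatureCheck {

    // DER encoding of SEQUENCE { INTEGER 0, INTEGER 0 }: the all-zero ECDSA
    // signature that a correct verifier must refuse, because r and s have to
    // lie in the range 1 .. n-1 for the curve order n.
    static final byte[] ZERO_DER_SIGNATURE = {
        0x30, 0x06,             // SEQUENCE, 6 bytes of content
        0x02, 0x01, 0x00,       // INTEGER r = 0
        0x02, 0x01, 0x00        // INTEGER s = 0
    };

    /** Returns true when the JVM correctly rejects the zero signature. */
    public static boolean jvmRejectsZeroSignature() throws Exception {
        // Throwaway key: the defect is independent of the key, so any P-256
        // key pair generated here is enough to exercise the verifier.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();

        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(kp.getPublic());
        verifier.update("constructed message, content irrelevant"
                .getBytes(StandardCharsets.UTF_8));
        try {
            // A patched provider returns false here.
            return !verifier.verify(ZERO_DER_SIGNATURE);
        } catch (SignatureException e) {
            // Some providers reject the out-of-range values by throwing,
            // which is also a correct (safe) outcome.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        if (jvmRejectsZeroSignature()) {
            System.out.println("OK: zero ECDSA signature rejected by "
                    + System.getProperty("java.vendor") + " "
                    + System.getProperty("java.version"));
        } else {
            System.out.println("VULNERABLE: zero ECDSA signature accepted on "
                    + System.getProperty("java.version")
                    + "; update the JVM (CVE-2022-21449)");
        }
    }
}
```

Compile and run it with the same `java` binary your application server uses, since a patched JDK on a developer machine says nothing about the container image in production. The check exercises the provider, not Spring, so it also covers third-party libraries that call `Signature.verify` indirectly.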