Spring Framework Vulnerabilities Included in DerScanner Updated Search Database

DerSecur has updated the vulnerabilities search database of the DerScanner application code analyzer. The update includes several zero-day vulnerabilities found in the Spring Framework which is used in Java applications. Exploiting these bugs allows an attacker to remotely execute arbitrary code or cause a denial of service. Given how widely Spring is used, the vulnerabilities pose a potential threat to many web applications.

Spring Framework is a universal open-source framework for the Java platform. It helps developers with addressing the challenges of creating Java-based information systems. Spring Framework provides basic support for dependency management, web application transaction management, data access, messaging, etc.

Similar to the notorious Log4Shell vulnerability, one of the identified threats was named Spring4Shell. The critical vulnerability CVE-2022-22965 in the Spring Core module allows remote arbitrary code execution without authentication, so it was given a CVSS threat score of 9.8 out of 10. The bug is found in Spring MVC and Spring WebFlux applications running under the Java Development Kit (version 9+). Exploiting it can potentially compromise numerous servers. Enterprise Java applications based on Spring Framework with root permissions are the most vulnerable since their exposure can potentially compromise the whole system. Vulnerability CVE-2022-22965 was fixed in Spring Framework versions 5.3.18 and 5.2.20.

The CVE-2022-22963 vulnerability in the Spring Cloud Function library, also in the updated DerScanner search database, allows an attacker to remotely execute arbitrary code and gain access to local resources when using the routing function. The bug affects versions 3.1.6 and 3.2.2 and was fixed in 3.1.7 and 3.2.3.

Exploiting another vulnerability, CVE-2022-22950, Spring Framework versions 5.3.0–5.3.16, 5.2.0–5.2.19, can cause a denial of service. To fix the threat, it is also necessary to update Spring Framework to the latest versions.

Another vulnerability added to DerScanner’s search database concerns the Spring Cloud Gateway library. Assigned the number CVE-2022-22947, it allows an attacker to inject malicious code into an application that uses this library. To eliminate this threat, you need to update Spring Cloud Gateway to versions 3.1.1 or 3.0.7.

“The current situation is dangerous because a lot of organizations don’t have a monitoring process in place for vulnerabilities,” says Daniil Chernov, CTO at DerSecur, “Although VMware, the owner of Spring Framework, has already released patches and recommendations on how to fix the vulnerabilities, some companies are still at risk. Our research lab monitors zero-day threats, and our development team immediately updates DerScanner’s code analyzer vulnerability search database.”

About DerScanner

DerScanner is a static app code analyzer capable of identifying vulnerabilities and undocumented features. Its distinctive feature is the ability to analyze not only source code, but also executables (i.e. binaries) and to return much better results when compared to DAST. The analyzer can test apps written in 36 programming languages or compiled into an executable file with one of 9 extensions, including those for Google Android, Apple iOS, and Apple macOS.