start portlet menu bar

HCLSoftware: Fueling the Digital+ Economy

Display portlet menu
end portlet menu bar
Select Page

Two new Spring Framework vulnerabilities have surfaced over this last week, and both are considered critical.

The first of these is an unauthenticated Remote Code Execution (RCE) issue in the Spring Cloud Function and has been listed as a vulnerability with an identifier of CVE-2022-22963. The other is also an unauthenticated RCE issue, but this is in the core Spring Framework and with the identifier CVE-2022-22965. There are patches available for both issues as of March 31.

CVE-2022-22965 also known as Spring4Shell or SpringShell

Root cause analysis has determined that the issue is due to a function in the Spring Framework exposing the class object when parameters are bound. This parameter binding allows HTTP request parameters to be bound to application-level objects.

With the class object exposed, this leads to remote code execution by allowing attackers to manipulate the class object by simply adding URL parameters to an HTTP request. Proof of Concept exploits involve dropping a webshell on the Tomcat server by altering the log path and writing the webshell contents to a JSP file. Attackers can then issue arbitrary commands to be executed on the server.  Since the Proof-of-concept exploit has been published, active exploitation has been observed in the wild.

CVE-2022-22965 has a severity of “Critical”, and therefore, a top priority of developers that use the Spring Framework should be upgrading to 5.3.18 or 5.2.20.

If you are not sure if your application is at risk, then the fastest way to identify if an application is vulnerable is through Software Composition Analysis techniques (SCA).

SCA will determine if an application contains the vulnerable version of the Spring Framework, as well as any other publicly known vulnerabilities.

If you need a tool for this kind of scanning, HCL AppScan on Cloud is available and contains capabilities for identifying these and other vulnerabilities.

Figure 1 below illustrates highlighting CVE-2022-22965 found in a spring-core jar file.


CVE-2022-22965 found in a spring-core jar file

Figure 2 below shows part of an Open-Source Report containing specific vulnerability findings.


Open-Source Report containing specific vulnerability findings


Current customers that own a license for OSA can select to scan for Open Source and third-party libraries.  If you are not a current AppScan on Cloud customer, these SCA capabilities are also available in our free 30 day trial, as well.


Comment wrap
Secure DevOps | December 20, 2023
Secure Application Code Against Vulnerabilities Faster with HCL AppScan Fix Groups
Stop in for an update on how HCL AppScan helps find vulnerabilities and security risks, starting with built in AI that dramatically reduces the number of scan findings and practically eliminates false positives.
Secure DevOps | December 5, 2023
HCLSoftware Named a Strong Performer in The Forrester Wave™ - Static Application Security Testing, Q3 2023
HCLSoftware has been named a strong performer in The Forrester Wave™ - Static Application Security Testing, Q3 2023 Report. Read the blog to know more.
Secure DevOps | August 2, 2023
Wider Application Security Coverage with HCL AppScan DAST and Vulnerable Third-Party Component Detection
HCL AppScan DAST (dynamic application security testing) is an industry-leading technology that scans your applications and APIs against potential vulnerabilities.