Active exploitation of RCE in Java’s Spring Framework

3:25pm, 1 April 2022

TLP Rating: Clear

Updated: 2:30pm, 1 April 2021 to provide the latest information on version upgrades and new vulnerability information

There are two critical RCE vulnerabilities in Java’s Spring Framework.

  • A new critical Remote Code Execution (RCE) vulnerability (CVE-2022-22963) was discovered in Java’s Spring Cloud Function. Patches are available for this vulnerability and should be applied to affected systems as soon as possible.
  • A vulnerability (CVE-2022-22965) in Spring Core that could lead to unauthenticated RCE has also been discovered. Some researchers have named it “Spring4Shell” or “SpringShell”.

There are reports of proof-of-concept code and active exploitation for both vulnerabilities.

What to look for

How to tell if you're at risk

For CVE-2022-22963, you’re at risk if you are using Spring Cloud Function versions earlier than:

  • 3.1.7
  • 3.2.3

For CVE-2022-22965, Spring4Shell, you’re at risk if you are using Spring Core:

  • With Spring Framework version 5.3.0 to 5.3.17
  • With Spring Framework version 5.2.0 to 5.2.19
  • With an older Spring Framework version

For the Spring4Shell vulnerability, you’re at risk if you are using:

  • JDK 9 or later
  • The Spring-Beans package
  • Spring parameter binding
  • Spring parameter binding that uses non-basic parameter types, such as general POJOs

For Spring4Shell you can check whether you are vulnerable using the Vulnerability scanner.
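To apply the version ranges above to an application's build output, here is an added example checker (not CERT NZ or Spring project code). It assumes the `groupId:artifactId:type:version:scope` lines that `mvn dependency:list` prints, and that the relevant artifacts are `spring-core`, `spring-beans` and the `spring-cloud-function-*` modules; the sample lines are constructed, and the parameter-binding precondition for Spring4Shell still has to be checked by hand.

```python
import re

# Constructed sample of the lines `mvn dependency:list` prints (groupId:artifactId:type:version:scope).
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.springframework:spring-core:jar:5.3.17:compile
[INFO]    org.springframework:spring-beans:jar:5.3.17:compile
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.1.6:compile
"""

COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):\w+:(\d+(?:\.\d+)*)")

def parse_version(text):
    """'5.3.17' -> (5, 3, 17); a qualifier such as '-SNAPSHOT' is ignored."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", text).group(0).split("."))

def spring_cloud_function_affected(version):
    """CVE-2022-22963: earlier than 3.1.7 (this also covers older lines), or 3.2.x earlier than 3.2.3."""
    v = parse_version(version)
    return v < (3, 1, 7) or (3, 2, 0) <= v < (3, 2, 3)

def spring_framework_affected(version, jdk_major):
    """CVE-2022-22965: 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 or older, and only on JDK 9 or later.
    Whether request parameters are bound to non-basic types (POJOs) must be checked by hand."""
    v = parse_version(version)
    in_range = (5, 3, 0) <= v <= (5, 3, 17) or (5, 2, 0) <= v <= (5, 2, 19) or v < (5, 2, 0)
    return in_range and jdk_major >= 9

def find_affected(dependency_list, jdk_major):
    """Map (artifact, version) -> CVE for each listed Spring artifact inside an affected range."""
    findings = {}
    for group, artifact, version in COORD_RE.findall(dependency_list):
        if group == "org.springframework.cloud" and artifact.startswith("spring-cloud-function"):
            if spring_cloud_function_affected(version):
                findings[(artifact, version)] = "CVE-2022-22963"
        elif group == "org.springframework" and artifact in ("spring-core", "spring-beans"):
            if spring_framework_affected(version, jdk_major):
                findings[(artifact, version)] = "CVE-2022-22965"
    return findings

if __name__ == "__main__":
    # jdk_major=11 is an assumed runtime; pass the JDK your application actually runs on.
    for (artifact, version), cve in sorted(find_affected(SAMPLE_DEPENDENCY_LIST, 11).items()):
        print(f"{artifact} {version}: inside affected range for {cve}")
```

Run it against real `mvn dependency:list` output and the JDK major version of the deployment; a hit means the version is in a range the advisory lists, not proof of exploitability.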

What to do

Prevention

For CVE-2022-22963 upgrade to Spring Cloud Function version:

  • 3.1.7 (or higher)
  • 3.2.3 (or higher)

For CVE-2022-22965 upgrade Spring Core to Spring Framework version:

  • 3.18 (or higher)
  • 2.19 (or higher)

Mitigation

For the Spring4Shell vulnerability:

More information

Monitor latest updates for further mitigation measures:

Official post from Spring: Spring Framework RCE, Early Announcement

Cyber Kendra's blog post on Spring4Shell

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ