Recent updates to this article

Date            Update
April 18, 2022  Added that the latest ENS AMCore content has detection for all known samples.
April 7, 2022   Added the related Security Bulletin link.
April 4, 2022   Added CVE-2022-22947 and updated the title.
March 31, 2022  Added Network Security Platform (NSP) User-Defined Signatures (UDS) and new CVE IDs CVE-2022-22965 and CVE-2022-22950.
March 30, 2022  Initial publication.
We're actively tracking four distinct vulnerabilities in several components of Spring, a Java application framework maintained by VMware. There has been confusion about which issues are which, so to be clear: we're tracking four separate vulnerabilities with four separate CVE IDs, and they're not duplicates of one another.
- The first vulnerability, CVE-2022-22963: Spring Expression Resource Access Vulnerability, was recently disclosed by VMware. It's in the Spring Cloud Function component and is rated Medium, with a CVSS v3.0 score of 5.4. The public exploit code appears to give unauthenticated remote code execution (RCE). If that's confirmed, we expect the current CVSS score of 5.4 to be raised.
- The second vulnerability, now assigned CVE-2022-22965, was first seen as exploit code leaked on Twitter. From the leaked code, the issue appears to be a failed, or partially failed, patch for a bug from a decade ago (CVE-2010-1622). It's an unauthenticated RCE through data binding in the Spring Beans component, and affects applications running on JDK 9 or later. We verified that the leaked exploit code works in reproduction.
- The third vulnerability, CVE-2022-22950: Spring Expression DoS Vulnerability, is in Spring Framework and can cause a denial-of-service (DoS) condition.
- The fourth vulnerability, CVE-2022-22947: Spring Cloud Gateway Code Injection, is in Spring Cloud Gateway and applies when the Gateway Actuator endpoint is enabled, exposed, and unsecured. It can lead to RCE on the remote host.
It's recommended that customers patch according to the vendor's guidance.
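Because the four CVEs live in different Spring artifacts and are fixed in different releases, the first step for most customers is working out which of them actually apply to a given application. The script below is an added example for this article, not vendor code: it parses the output of `mvn dependency:list` (a constructed sample is embedded) and reports which CVEs apply and which version to upgrade to. The affected ranges are taken from the VMware Spring advisories for these CVEs; the Maven coordinates assumed to carry each vulnerable component (spring-beans, spring-expression, spring-cloud-function-context, spring-cloud-gateway-server) are assumptions made for this example, so confirm both against the vendor's current guidance before acting on the output. It also records the JDK 9+ condition for CVE-2022-22965 separately, since an older JDK reduces exploitability but is not a reason to skip the patch.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges per CVE as [lo, fixed) on each release line, from the vendor
# (VMware Spring) advisories. A lower bound of (0, 0, 0) covers the advisories'
# "older unsupported versions". The Maven coordinates are an assumption of this
# example about which artifact carries the vulnerable code: verify them against
# the vendor guidance before relying on this output.
ADVISORIES: Dict[str, Dict] = {
    "CVE-2022-22963": {
        "artifact": "org.springframework.cloud:spring-cloud-function-context",
        "ranges": [((0, 0, 0), (3, 1, 7)), ((3, 2, 0), (3, 2, 3))],
    },
    "CVE-2022-22965": {
        "artifact": "org.springframework:spring-beans",
        "ranges": [((0, 0, 0), (5, 2, 20)), ((5, 3, 0), (5, 3, 18))],
        "jdk_min": 9,  # the data-binding RCE requires JDK 9+ per the advisory
    },
    "CVE-2022-22950": {
        "artifact": "org.springframework:spring-expression",
        "ranges": [((5, 3, 0), (5, 3, 17))],
    },
    "CVE-2022-22947": {
        "artifact": "org.springframework.cloud:spring-cloud-gateway-server",
        "ranges": [((0, 0, 0), (3, 0, 7)), ((3, 1, 0), (3, 1, 1))],
    },
}

# Matches lines such as "org.springframework:spring-beans:jar:5.3.17:compile".
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):(?:jar|war|pom):(\d+)\.(\d+)\.(\d+)")

# Constructed sample of `mvn dependency:list` output, not from a real build.
SAMPLE_DEPENDENCY_LIST = """
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-beans:jar:5.3.17:compile
[INFO]    org.springframework:spring-expression:jar:5.3.17:compile
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.2.2:compile
[INFO]    org.springframework.cloud:spring-cloud-gateway-server:jar:3.1.1:compile
"""


def parse_dependency_list(text: str) -> Dict[str, Version]:
    """Map groupId:artifactId -> (major, minor, patch) from dependency:list output."""
    found: Dict[str, Version] = {}
    for m in DEP_RE.finditer(text):
        group, artifact, major, minor, patch = m.groups()
        found[f"{group}:{artifact}"] = (int(major), int(minor), int(patch))
    return found


def is_vulnerable(version: Version, ranges) -> bool:
    """True if version falls inside any [lo, fixed) affected range."""
    return any(lo <= version < fixed for lo, fixed in ranges)


def assess(deps: Dict[str, Version], jdk_major: int) -> List[Dict]:
    """Return one finding per CVE whose affected artifact is present in a vulnerable version."""
    findings = []
    for cve, adv in ADVISORIES.items():
        version = deps.get(adv["artifact"])
        if version is None or not is_vulnerable(version, adv["ranges"]):
            continue
        _, fixed = next(r for r in adv["ranges"] if r[0] <= version < r[1])
        findings.append({
            "cve": cve,
            "artifact": adv["artifact"],
            "version": ".".join(map(str, version)),
            "upgrade_to": ".".join(map(str, fixed)),
            # JDK condition only affects exploitability, not whether to patch.
            "exploitable_on_this_jdk": jdk_major >= adv.get("jdk_min", 0),
        })
    return findings


if __name__ == "__main__":
    for f in assess(parse_dependency_list(SAMPLE_DEPENDENCY_LIST), jdk_major=11):
        print(f"{f['cve']}: {f['artifact']} {f['version']} -> upgrade to "
              f"{f['upgrade_to']} (exploitable on this JDK: {f['exploitable_on_this_jdk']})")
```

On the constructed sample the script flags CVE-2022-22963 (spring-cloud-function-context 3.2.2, upgrade to 3.2.3) and CVE-2022-22965 (spring-beans 5.3.17, upgrade to 5.3.18), while spring-expression 5.3.17 and spring-cloud-gateway-server 3.1.1 are already at fixed versions. Run it against the real `mvn dependency:list` output of each deployed application; for non-Maven builds, feed it any text containing the same `group:artifact:jar:version` coordinates.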
Owing to the severity of these vulnerabilities, we've created this article to provide communication on actions that customers can take to mitigate risk in their environment.
We're actively monitoring these vulnerabilities and researching ways to use our solutions to protect against them.
We're also reviewing all our solutions for any potential impact. See SB10380 - REGISTERED - Security Bulletin - Product status for Spring vulnerabilities (CVE-2022-22947, CVE-2022-22963, CVE-2022-22965).
NOTE: The referenced content is available only to logged in ServicePortal users. To view the content, click the link and log in when prompted.
To receive email notification when this article is updated with related coverage and countermeasures, click Subscribe on the right side of the page. You must be logged on to subscribe.
For further information, see the following articles:
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
CVE-2022-22950: Spring Expression DoS Vulnerability
CVE-2022-22963: RCE in Spring Cloud Function by malicious Spring Expression
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+