Last night, news broke that the Java Spring Framework may release an update fixing a significant security vulnerability. The project added a patch to the Spring Framework GitHub repository that appears to fix a deserialization vulnerability [1]. A blog post published around that time includes some additional details [2]. However, the commit comment by Sam Brannon (scroll down to the end of the page linked in [1]) does explain the patch:
Do not confuse this vulnerability with CVE-2022-22963 (I have already seen some posts mixing up the two). CVE-2022-22963 is a vulnerability in Spring Cloud Function, not in the Spring Framework. It was patched yesterday and, based on our honeypot data, already appears to be probed. For example, we see requests like this:
[1] https://github.com/spring-projects/spring-framework/commit/7f7fb58dd0dae86d22268a4b59ac7c72a6c22529#diff-6c2618839eda075efe4491842d3673eab8fe1e342f6d9ddc2bbda8556e595864L153
Johannes, ISC Handler, Mar 30th 2022
Comment by Anonymous, Mar 30th 2022:
The headline makes it seem like "nothing to see here" rather than that there are actually two different vulnerabilities, one of which IS in the Spring Framework. Also, the text "Do not confuse this vulnerability with CVE-2022-22963" could be rewritten to include the other CVE so you could easily refer to both.
Comment by Perfect, Mar 30th 2022:
Do you know the CVSS?