QID 376514

Date Published: 2022-04-06

QID 376514: Spring Framework Remote Code Execution (RCE) Vulnerability (Spring4Shell) Scan Utility

The vulnerability exists in the Spring Framework when it runs on JDK 9 or later (JDK 8 and earlier are not affected).
Triggering this vulnerability requires Spring MVC or Spring WebFlux applications running on JDK 9 and above.

Vulnerable Versions:
Spring framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older are vulnerable.
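An added inventory check that applies the two conditions above (an affected Spring version and JDK 9 or later) to a list of jar paths found on a host; this is example code written for this page, not the Qualys scan utility, and the jar list and JDK strings are constructed samples.

```python
import re
from typing import Optional

# Version ranges taken from the advisory text above: 5.3.0-5.3.17, 5.2.0-5.2.19
# and anything older are affected; 5.3.18 and 5.2.20 are the first fixed releases.
JAR_RE = re.compile(r"spring-(?:core|beans|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

def parse_jdk_major(version: str) -> Optional[int]:
    """Major version from a 'java -version' string: '1.8.0_312' -> 8, '11.0.14' -> 11, '17' -> 17."""
    m = re.match(r"(\d+)(?:\.(\d+))?", version.strip().strip('"'))
    if not m:
        return None
    major = int(m.group(1))
    if major == 1 and m.group(2):        # legacy 1.x numbering used up to JDK 8
        return int(m.group(2))
    return major

def spring_version_affected(v: tuple) -> bool:
    """True for 5.2.0-5.2.19, 5.3.0-5.3.17 and every release older than 5.2.0."""
    if v[:2] == (5, 2):
        return v < (5, 2, 20)
    return v < (5, 3, 18)

def assess_host(jar_paths, jdk_version: str):
    """Classify each Spring jar as 'vulnerable', 'affected-version-jdk-lt-9' or 'patched'."""
    jdk = parse_jdk_major(jdk_version)
    findings = []
    for path in jar_paths:
        m = JAR_RE.search(path)
        if not m:
            continue                      # not a Spring artifact this check recognises
        version = tuple(int(x) for x in m.groups())
        if not spring_version_affected(version):
            status = "patched"
        elif jdk is not None and jdk >= 9:
            status = "vulnerable"         # affected version AND JDK 9+: both conditions met
        else:
            status = "affected-version-jdk-lt-9"   # affected version but JDK 8 or older
        findings.append({"path": path, "version": ".".join(map(str, version)), "status": status})
    return findings

# Constructed sample inventory for demonstration only; not real scan output.
SAMPLE_JARS = [
    "/opt/app/WEB-INF/lib/spring-webmvc-5.3.17.jar",
    "/opt/app/WEB-INF/lib/spring-core-5.3.18.jar",
    "/opt/legacy/lib/spring-beans-5.2.19.RELEASE.jar",
    "/opt/legacy/lib/spring-beans-4.3.30.RELEASE.jar",
    "/opt/app/WEB-INF/lib/jackson-databind-2.13.2.jar",
]

if __name__ == "__main__":
    for f in assess_host(SAMPLE_JARS, '"11.0.14"'):
        print(f"{f['status']:<28} {f['version']:<8} {f['path']}")
```

Presence of a patched spring-core beside an affected spring-webmvc is reported per jar, since mixed versions on one classpath are a common finding after a partial upgrade.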

QID Detection: (Authenticated) - Windows
This QID reads the file generated by the Qualys Spring4scanwin Scan Utility for Windows.
The QID reads the first 100000 characters of the generated output file.

QID Detection: (Authenticated) - Linux
This QID reads the file generated by the Qualys Spring4scanlinux Scan Utility for Linux to find vulnerable instances of Spring4Shell.

Under certain conditions, a remote attacker can reach the AccessLogValve object and supply malicious field values through the framework's parameter binding.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as High - 7.5 severity.

Solution
The vendor has released an advisory to resolve these issues.

Customers are advised to visit Spring Framework RCE for more information on this.

Vendor References

CVEs related to QID 376514

Software Advisories
Advisory ID: Spring
Link: spring.io/blog/2022/03/31/spring-framework-rce-early-announcement