spring.io Open in urlscan Pro
2606:4700:10::6814:6f7  Public Scan

URL: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Submission: On April 25 via api from IL — Scanned from DE

Form analysis 3 forms found in the DOM

GET /search

<form id="searchheaderform" action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="✓">
  <input type="text" name="q" id="searchheaderinput" autocomplete="off" placeholder="Search for documentation, guides, and posts...">
  <input type="submit" value="" id="searchheadersubmit" data-disable-with="">
</form>

<form id="mktoForm_4723" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); width: 419px;">
  <style type="text/css">
    .mktoForm .mktoButtonWrap.mktoSimple .mktoButton {
      color: #fff;
      border: 1px solid #75ae4c;
      padding: 0.4em 1em;
      font-size: 1em;
      background-color: #99c47c;
      background-image: -webkit-gradient(linear, left top, left bottom, from(#99c47c), to(#75ae4c));
      background-image: -webkit-linear-gradient(top, #99c47c, #75ae4c);
      background-image: -moz-linear-gradient(top, #99c47c, #75ae4c);
      background-image: linear-gradient(to bottom, #99c47c, #75ae4c);
    }

    .mktoForm .mktoButtonWrap.mktoSimple .mktoButton:hover {
      border: 1px solid #447f19;
    }

    .mktoForm .mktoButtonWrap.mktoSimple .mktoButton:focus {
      outline: none;
      border: 1px solid #447f19;
    }

    .mktoForm .mktoButtonWrap.mktoSimple .mktoButton:active {
      background-color: #75ae4c;
      background-image: -webkit-gradient(linear, left top, left bottom, from(#75ae4c), to(#99c47c));
      background-image: -webkit-linear-gradient(top, #75ae4c, #99c47c);
      background-image: -moz-linear-gradient(top, #75ae4c, #99c47c);
      background-image: linear-gradient(to bottom, #75ae4c, #99c47c);
    }
  </style>
  <div class="mktoFormRow">
    <div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 10px;">
      <div class="mktoOffset" style="width: 10px;"></div>
      <div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
          <div class="mktoAsterix">*</div>
        </label>
        <div class="mktoGutter mktoHasWidth" style="width: 10px;"></div><input id="Email" name="Email" placeholder="Email Address" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
          class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 150px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
        <div class="mktoClear"></div>
      </div>
      <div class="mktoClear"></div>
    </div>
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow">
    <div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 10px;">
      <div class="mktoOffset" style="width: 10px;"></div>
      <div class="mktoFieldWrap mktoRequiredField"><label for="gdprconsent" id="Lblgdprconsent" class="mktoLabel mktoHasWidth" style="width: 0px;">
          <div class="mktoAsterix">*</div>
        </label>
        <div class="mktoGutter mktoHasWidth" style="width: 10px;"></div>
        <div class="mktoLogicalField mktoCheckboxList mktoHasWidth mktoRequired" style="width: 280px;"><input name="gdprconsent" id="mktoCheckbox_105599_0" type="checkbox"
            value="Yes, I would like to be contacted by The Spring Team and VMware for newsletters, promotions and events" aria-required="true" aria-labelledby="Lblgdprconsent LblmktoCheckbox_105599_0 Instructgdprconsent" class="mktoField"><label
            for="mktoCheckbox_105599_0" id="LblmktoCheckbox_105599_0">Yes, I would like to be contacted by The Spring Team and VMware for newsletters, promotions and events</label></div><span id="Instructgdprconsent" tabindex="-1"
          class="mktoInstruction"></span>
        <div class="mktoClear"></div>
      </div>
      <div class="mktoClear"></div>
    </div>
    <div class="mktoClear"></div>
  </div>
  <div class="mktoButtonRow"><span class="mktoButtonWrap mktoSimple" style="margin-left: 120px;"><button type="submit" class="mktoButton">Subscribe</button></span></div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor"
    value="4723"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="625-IUJ-009">
</form>

<form novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;">
</form>

Text Content

 * Why Spring
   
 * Learn
   
 * Projects
   
 * Training
 * Support
 * Community
   
 * 

 * Overview
 * Microservices
 * Reactive
 * Event Driven
 * Cloud
 * Web Applications
 * Serverless
 * Batch

 * Overview
 * Quickstart
 * Guides
 * Blog

 * Overview
 * Spring Boot
 * Spring Framework
 * Spring Cloud
 * Spring Cloud Data Flow
 * Spring Data
 * Spring Integration
 * Spring Batch
 * Spring Security
 * View all projects
 * Development Tools
 * Spring Tools 4
 * Spring Initializr

 * Overview
 * Events
 * Team


close
Why Spring

 * Overview
 * Microservices
 * Reactive
 * Event Driven
 * Cloud
 * Web Applications
 * Serverless
 * Batch

Learn

 * Overview
 * Quickstart
 * Guides
 * Blog

Projects

 * Overview
 * Spring Boot
 * Spring Framework
 * Spring Cloud
 * Spring Cloud Data Flow
 * Spring Data
 * Spring Integration
 * Spring Batch
 * Spring Security
 * View all projects

   Development Tools

 * Spring Tools 4
 * Spring Initializr

Training
Support
Community

 * Overview
 * Events
 * Team




SPRING BLOG

 * All Posts
 * Engineering
 * Releases
 * News and Events


SPRING FRAMEWORK RCE, EARLY ANNOUNCEMENT


Engineering
Rossen Stoyanchev

March 31, 2022

255 Comments

Updates

 * [04-13] “Data Binding Rules Vulnerability CVE-2022-22968” follow-up blog post
   published, related to the “disallowedFields” from the Suggested Workarounds
 * [04-08] Snyk announces an additional attack vector for Glassfish and Payara.
   See also related Payara, upcoming release announcement
 * [04-04] Updated Am I Impacted with improved description for deployment
   requirements
 * [04-01] Updated Am I Impacted with additional notes
 * [04-01] Updated Suggested Workarounds section for Apache Tomcat upgrades and
   Java 8 downgrades
 * [04-01] “Mitigation Alternative” follow-up blog post published, announcing
   Apache Tomcat releases versions 10.0.20, 9.0.62, and 8.5.78 that close the
   attack vector on Tomcat’s side
 * [03-31] Spring Boot 2.6.6 is available
 * [03-31] Spring Boot 2.5.12 is available
 * [03-31] CVE-2022-22965 is published
 * [03-31] Added section “Misconceptions”
 * [03-31] Added section “Am I Impacted”
 * [03-31] Fix minor issue in the workaround for adding disallowedFields
 * [03-31] Spring Framework 5.3.18 and 5.2.20 are available


TABLE OF CONTENTS

 * Overview
 * Vulnerability
 * Am I Impacted
 * Status
 * Suggested Workarounds
 * Misconceptions


OVERVIEW

I would like to announce an RCE vulnerability in the Spring Framework that was
leaked out ahead of CVE publication. The issue was first reported to VMware late
on Tuesday evening, close to Midnight, GMT time by codeplutos, meizjm3i of
AntGroup FG. On Wednesday we worked through investigation, analysis, identifying
a fix, testing, while aiming for emergency releases on Thursday. In the mean
time, also on Wednesday, details were leaked in full detail online, which is why
we are providing this update ahead of the releases and the CVE report.


VULNERABILITY

The vulnerability impacts Spring MVC and Spring WebFlux applications running on
JDK 9+. The specific exploit requires the application to be packaged and
deployed as a traditional WAR on a Servlet container. If the application is
deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable
to the exploit. However, the nature of the vulnerability is more general, and
there may be other ways to exploit it.


AM I IMPACTED?

These are the requirements for the specific scenario from the report:

 * Running on JDK 9 or higher
 * Packaged as a traditional WAR and deployed on a standalone Servlet container.
   Typical Spring Boot deployments using an embedded Servlet container or
   reactive web server are not impacted.
 * spring-webmvc or spring-webflux dependency.
 * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older
   versions.

Additional notes:

 * The vulnerability involves ClassLoader access and depends on the actual
   Servlet Container in use. Tomcat 10.0.19, 9.0.61, 8.5.78, and earlier
   versions are known to be vulnerable. Payara and Glassfish are also known to
   be vulnerable. Other Servlet containers may also be vulnerable.
 * The issue relates to data binding used to populate an object from request
   parameters (either query parameters or form data). Data binding is used for
   controller method parameters that are annotated with @ModelAttribute or
   optionally without it, and without any other Spring Web annotation.
 * The issues does not relate to @RequestBody controller method parameters (e.g.
   JSON deserialization). However, such methods may still be vulnerable if they
   have another method parameter populated via data binding from query
   parameters.


STATUS

 * Spring Framework 5.3.18 and 5.2.20, which contain the fixes, have been
   released.
 * Spring Boot 2.6.6 and 2.5.12 that depend on Spring Framework 5.3.18 have been
   released.
 * CVE-2022-22965 has been published.
 * Apache Tomcat has released versions 10.0.20, 9.0.62, and 8.5.78 which close
   the attack vector on Tomcat’s side, see Spring Framework RCE, Mitigation
   Alternative.


SUGGESTED WORKAROUNDS

The preferred response is to update to Spring Framework 5.3.18 and 5.2.20 or
greater. If you have done this, then no workarounds are necessary. However, some
may be in a position where upgrading is not possible to do quickly. For that
reason, we have provided some workarounds below.

 * Upgrading Tomcat
 * Downgrading to Java 8
 * Disallowed Fields

Please note that, workarounds are not necessarily mutually exclusive since
security is best done “in depth”.

UPGRADING TOMCAT

For older applications, running on Tomcat with an unsupported Spring Framework
version, upgrading to Apache Tomcat 10.0.20, 9.0.62, or 8.5.78, provides
adequate protection. However, this should be seen as a tactical solution, and
the main goal should be to upgrade to a currently supported Spring Framework
version as soon as possible. If you take this approach, you should consider
setting Disallowed Fields as well for defense in depth approach.

DOWNGRADING TO JAVA 8

Downgrading to Java 8 is a viable workaround, if you can neither upgrade the
Spring Framework nor upgrade Apache Tomcat.

DISALLOWED FIELDS

Another viable workaround is to disable binding to particular fields by setting
disallowedFieldson WebDataBinder globally:


@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
         String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
         dataBinder.setDisallowedFields(denylist);
    }

}Copy

This works generally, but as a centrally applied workaround fix, may leave some
loopholes, in particular if a controller sets disallowedFields locally through
its own @InitBinder method, which overrides the global setting.

To apply the workaround in a more fail-safe way, applications could extend
RequestMappingHandlerAdapter to update the WebDataBinder at the end after all
other initialization. In order to do that, a Spring Boot application can declare
a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations bean (Spring
WebFlux).

For example in Spring MVC (and similar in WebFlux):

package car.app;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.web.servlet.WebMvcRegistrations;
import org.springframework.context.annotation.Bean;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.annotation.InitBinderDataBinderFactory;
import org.springframework.web.method.support.InvocableHandlerMethod;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;


@SpringBootApplication
public class MyApp {


	public static void main(String[] args) {
		SpringApplication.run(CarApp.class, args);
	}


	@Bean
	public WebMvcRegistrations mvcRegistrations() {
		return new WebMvcRegistrations() {
			@Override
			public RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() {
				return new ExtendedRequestMappingHandlerAdapter();
			}
		};
	}


	private static class ExtendedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {

		@Override
		protected InitBinderDataBinderFactory createDataBinderFactory(List<InvocableHandlerMethod> methods) {

			return new ServletRequestDataBinderFactory(methods, getWebBindingInitializer()) {

				@Override
				protected ServletRequestDataBinder createBinderInstance(
						Object target, String name, NativeWebRequest request) throws Exception {
					
					ServletRequestDataBinder binder = super.createBinderInstance(target, name, request);
					String[] fields = binder.getDisallowedFields();
					List<String> fieldList = new ArrayList<>(fields != null ? Arrays.asList(fields) : Collections.emptyList());
					fieldList.addAll(Arrays.asList("class.*", "Class.*", "*.class.*", "*.Class.*"));
					binder.setDisallowedFields(fieldList.toArray(new String[] {}));
					return binder;
				}
			};
		}
	}
}
Copy

For Spring MVC without Spring Boot, an application can switch from @EnableWebMvc
to extending DelegatingWebMvcConfiguration directly as described in Advanced
Config section of the documentation, then overriding the
createRequestMappingHandlerAdapter method.


MISCONCEPTIONS

There was speculation surrounding the commit to deprecate SerializationUtils.
This class has only one usage within the framework and is not exposed to
external input. The deprecation is unrelated to this vulnerability.

There was confusion with a CVE for Spring Cloud Function which was released just
before the report for this vulnerability. It is also unrelated.


Please enable JavaScript to view the comments powered by Disqus.

Get the Spring newsletter

*




*

Yes, I would like to be contacted by The Spring Team and VMware for newsletters,
promotions and events



Subscribe


GET AHEAD

VMware offers training and certification to turbo-charge your progress.

Learn more


GET SUPPORT

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache
Tomcat® in one simple subscription.

Learn more


UPCOMING EVENTS

Check out all the upcoming events in the Spring community.

View all

Why Spring

 * Microservices
 * Reactive
 * Event Driven
 * Cloud
 * Web Applications
 * Serverless
 * Batch

Learn

 * Quickstart
 * Guides
 * Blog

Community

 * Events
 * Team

Projects

Training

Support

Thank You

© 2022 VMware, Inc. or its affiliates. Terms of Use • Privacy • Trademark
Guidelines • Thank you • Your California Privacy Rights • Cookie Settings

Apache®, Apache Tomcat®, Apache Kafka®, Apache Cassandra™, and Apache Geode™ are
trademarks or registered trademarks of the Apache Software Foundation in the
United States and/or other countries. Java™, Java™ SE, Java™ EE, and OpenJDK™
are trademarks of Oracle and/or its affiliates. Kubernetes® is a registered
trademark of the Linux Foundation in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and
other countries. Windows® and Microsoft® Azure are registered trademarks of
Microsoft Corporation. “AWS” and “Amazon Web Services” are trademarks or
registered trademarks of Amazon.com Inc. or its affiliates. All other trademarks
and copyrights are property of their respective owners and are only mentioned
for informative purposes. Other names may be trademarks of their respective
owners.





We use cookies to provide you with the best experience on our website, to
improve usability and performance and thereby improve what we offer to you. Our
website may also use third-party cookies to display advertising that is more
relevant to you. By clicking on the “Accept All” button you agree to the storing
of cookies on your device. If you want to know more about how we use cookies,
please see our Cookie Policy.

Cookie Settings Accept All Cookies



COOKIE PREFERENCE CENTER




GENERAL INFORMATION ON COOKIES

GENERAL INFORMATION ON COOKIES

When you visit our website, we use cookies to ensure that we give you the best
experience. This information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies by clicking on the
different category headings to find out more and change your settings. However,
blocking some types of cookies may impact your experience on the site and the
services we are able to offer. Further information can be found in our
Cookie Policy.


 * STRICTLY NECESSARY
   
   STRICTLY NECESSARY
   
   Always Active
   Strictly Necessary
   
   Strictly necessary cookies are always enabled since they are essential for
   our website to function. They enable core functionality such as security,
   network management, and website accessibility. You can set your browser to
   block or alert you about these cookies, but this may affect how the website
   functions. For more information please visit www.aboutcookies.org or
   www.allaboutcookies.org.
   
   Cookie Details‎


 * PERFORMANCE
   
   PERFORMANCE
   
   Performance
   
   Performance cookies are used to analyze the user experience to improve our
   website by collecting and reporting information on how you use it. They allow
   us to know which pages are the most and least popular, see how visitors move
   around the site, optimize our website and make it easier to navigate.
   
   Cookie Details‎


 * FUNCTIONAL
   
   FUNCTIONAL
   
   Functional
   
   Functional cookies help us keep track of your past browsing choices so we can
   improve usability and customize your experience. These cookies enable the
   website to remember your preferred settings, language preferences, location
   and other customizable elements such as font or text size. If you do not
   allow these cookies, then some or all of these services may not function
   properly.
   
   Cookie Details‎


 * ADVERTISING
   
   ADVERTISING
   
   Advertising
   
   Advertising cookies are used to send you relevant advertising and promotional
   information. They may be set through our site by third parties to build a
   profile of your interests and show you relevant advertisements on other
   sites. These cookies do not directly store personal information, but their
   function is based on uniquely identifying your browser and internet device.
   
   Cookie Details‎


 * SOCIAL MEDIA
   
   SOCIAL MEDIA
   
   Social Media
   
   Social media cookies are intended to facilitate the sharing of content and to
   improve the user experience. These cookies can sometimes track your
   activities. We do not control social media cookies and they do not allow us
   to gain access to your social media accounts. Please refer to the relevant
   social media platform’s privacy policies for more information.
   
   Cookie Details‎

Back Button


ADVERTISING COOKIES

Filter Button
Consent Leg.Interest
Select All Vendors
Select All Vendors
Select All Hosts

Select All

 * REPLACE-WITH-DYANMIC-HOST-ID
   
   
   
   View Third Party Cookies
   
    * Name
      cookie name



Clear Filters

Information storage and access
Apply
Confirm My Choices Allow All