spring.io
Open in
urlscan Pro
2606:4700:10::6814:5f7
Public Scan
URL:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Submission: On April 27 via api from IL — Scanned from DE
Submission: On April 27 via api from IL — Scanned from DE
Form analysis
3 forms found in the DOMGET /search
<form id="searchheaderform" action="/search" accept-charset="UTF-8" method="get"><input name="utf8" type="hidden" value="✓">
<input type="text" name="q" id="searchheaderinput" autocomplete="off" placeholder="Search for documentation, guides, and posts...">
<input type="submit" value="" id="searchheadersubmit" data-disable-with="">
</form>
<form id="mktoForm_4723" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); width: 419px;">
<style type="text/css">
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton {
color: #fff;
border: 1px solid #75ae4c;
padding: 0.4em 1em;
font-size: 1em;
background-color: #99c47c;
background-image: -webkit-gradient(linear, left top, left bottom, from(#99c47c), to(#75ae4c));
background-image: -webkit-linear-gradient(top, #99c47c, #75ae4c);
background-image: -moz-linear-gradient(top, #99c47c, #75ae4c);
background-image: linear-gradient(to bottom, #99c47c, #75ae4c);
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:hover {
border: 1px solid #447f19;
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:focus {
outline: none;
border: 1px solid #447f19;
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:active {
background-color: #75ae4c;
background-image: -webkit-gradient(linear, left top, left bottom, from(#75ae4c), to(#99c47c));
background-image: -webkit-linear-gradient(top, #75ae4c, #99c47c);
background-image: -moz-linear-gradient(top, #75ae4c, #99c47c);
background-image: linear-gradient(to bottom, #75ae4c, #99c47c);
}
</style>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 10px;">
<div class="mktoOffset" style="width: 10px;"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
<div class="mktoAsterix">*</div>
</label>
<div class="mktoGutter mktoHasWidth" style="width: 10px;"></div><input id="Email" name="Email" placeholder="Email Address" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 150px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 10px;">
<div class="mktoOffset" style="width: 10px;"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="gdprconsent" id="Lblgdprconsent" class="mktoLabel mktoHasWidth" style="width: 0px;">
<div class="mktoAsterix">*</div>
</label>
<div class="mktoGutter mktoHasWidth" style="width: 10px;"></div>
<div class="mktoLogicalField mktoCheckboxList mktoHasWidth mktoRequired" style="width: 280px;"><input name="gdprconsent" id="mktoCheckbox_105599_0" type="checkbox"
value="Yes, I would like to be contacted by The Spring Team and VMware for newsletters, promotions and events" aria-required="true" aria-labelledby="Lblgdprconsent LblmktoCheckbox_105599_0 Instructgdprconsent" class="mktoField"><label
for="mktoCheckbox_105599_0" id="LblmktoCheckbox_105599_0">Yes, I would like to be contacted by The Spring Team and VMware for newsletters, promotions and events</label></div><span id="Instructgdprconsent" tabindex="-1"
class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoSimple" style="margin-left: 120px;"><button type="submit" class="mktoButton">Subscribe</button></span></div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor"
value="4723"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="625-IUJ-009">
</form>
<form novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;">
</form>
Text Content
* Why Spring * Learn * Projects * Training * Support * Community * * Overview * Microservices * Reactive * Event Driven * Cloud * Web Applications * Serverless * Batch * Overview * Quickstart * Guides * Blog * Overview * Spring Boot * Spring Framework * Spring Cloud * Spring Cloud Data Flow * Spring Data * Spring Integration * Spring Batch * Spring Security * View all projects * Development Tools * Spring Tools 4 * Spring Initializr * Overview * Events * Team close Why Spring * Overview * Microservices * Reactive * Event Driven * Cloud * Web Applications * Serverless * Batch Learn * Overview * Quickstart * Guides * Blog Projects * Overview * Spring Boot * Spring Framework * Spring Cloud * Spring Cloud Data Flow * Spring Data * Spring Integration * Spring Batch * Spring Security * View all projects Development Tools * Spring Tools 4 * Spring Initializr Training Support Community * Overview * Events * Team SPRING BLOG * All Posts * Engineering * Releases * News and Events SPRING FRAMEWORK RCE, EARLY ANNOUNCEMENT Engineering Rossen Stoyanchev March 31, 2022 255 Comments Updates * [04-13] “Data Binding Rules Vulnerability CVE-2022-22968” follow-up blog post published, related to the “disallowedFields” from the Suggested Workarounds * [04-08] Snyk announces an additional attack vector for Glassfish and Payara. See also related Payara, upcoming release announcement * [04-04] Updated Am I Impacted with improved description for deployment requirements * [04-01] Updated Am I Impacted with additional notes * [04-01] Updated Suggested Workarounds section for Apache Tomcat upgrades and Java 8 downgrades * [04-01] “Mitigation Alternative” follow-up blog post published, announcing Apache Tomcat releases versions 10.0.20, 9.0.62, and 8.5.78 that close the attack vector on Tomcat’s side * [03-31] Spring Boot 2.6.6 is available * [03-31] Spring Boot 2.5.12 is available * [03-31] CVE-2022-22965 is published * [03-31] Added section “Misconceptions” * [03-31] Added section “Am I Impacted” * [03-31] Fix minor issue in the workaround for adding disallowedFields * [03-31] Spring Framework 5.3.18 and 5.2.20 are available TABLE OF CONTENTS * Overview * Vulnerability * Am I Impacted * Status * Suggested Workarounds * Misconceptions OVERVIEW I would like to announce an RCE vulnerability in the Spring Framework that was leaked out ahead of CVE publication. The issue was first reported to VMware late on Tuesday evening, close to Midnight, GMT time by codeplutos, meizjm3i of AntGroup FG. On Wednesday we worked through investigation, analysis, identifying a fix, testing, while aiming for emergency releases on Thursday. In the mean time, also on Wednesday, details were leaked in full detail online, which is why we are providing this update ahead of the releases and the CVE report. VULNERABILITY The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to be packaged and deployed as a traditional WAR on a Servlet container. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. AM I IMPACTED? These are the requirements for the specific scenario from the report: * Running on JDK 9 or higher * Packaged as a traditional WAR and deployed on a standalone Servlet container. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted. * spring-webmvc or spring-webflux dependency. * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Additional notes: * The vulnerability involves ClassLoader access and depends on the actual Servlet Container in use. Tomcat 10.0.19, 9.0.61, 8.5.78, and earlier versions are known to be vulnerable. Payara and Glassfish are also known to be vulnerable. Other Servlet containers may also be vulnerable. * The issue relates to data binding used to populate an object from request parameters (either query parameters or form data). Data binding is used for controller method parameters that are annotated with @ModelAttribute or optionally without it, and without any other Spring Web annotation. * The issues does not relate to @RequestBody controller method parameters (e.g. JSON deserialization). However, such methods may still be vulnerable if they have another method parameter populated via data binding from query parameters. STATUS * Spring Framework 5.3.18 and 5.2.20, which contain the fixes, have been released. * Spring Boot 2.6.6 and 2.5.12 that depend on Spring Framework 5.3.18 have been released. * CVE-2022-22965 has been published. * Apache Tomcat has released versions 10.0.20, 9.0.62, and 8.5.78 which close the attack vector on Tomcat’s side, see Spring Framework RCE, Mitigation Alternative. SUGGESTED WORKAROUNDS The preferred response is to update to Spring Framework 5.3.18 and 5.2.20 or greater. If you have done this, then no workarounds are necessary. However, some may be in a position where upgrading is not possible to do quickly. For that reason, we have provided some workarounds below. * Upgrading Tomcat * Downgrading to Java 8 * Disallowed Fields Please note that, workarounds are not necessarily mutually exclusive since security is best done “in depth”. UPGRADING TOMCAT For older applications, running on Tomcat with an unsupported Spring Framework version, upgrading to Apache Tomcat 10.0.20, 9.0.62, or 8.5.78, provides adequate protection. However, this should be seen as a tactical solution, and the main goal should be to upgrade to a currently supported Spring Framework version as soon as possible. If you take this approach, you should consider setting Disallowed Fields as well for defense in depth approach. DOWNGRADING TO JAVA 8 Downgrading to Java 8 is a viable workaround, if you can neither upgrade the Spring Framework nor upgrade Apache Tomcat. DISALLOWED FIELDS Another viable workaround is to disable binding to particular fields by setting disallowedFieldson WebDataBinder globally: @ControllerAdvice @Order(Ordered.LOWEST_PRECEDENCE) public class BinderControllerAdvice { @InitBinder public void setAllowedFields(WebDataBinder dataBinder) { String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"}; dataBinder.setDisallowedFields(denylist); } }Copy This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting. To apply the workaround in a more fail-safe way, applications could extend RequestMappingHandlerAdapter to update the WebDataBinder at the end after all other initialization. In order to do that, a Spring Boot application can declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations bean (Spring WebFlux). For example in Spring MVC (and similar in WebFlux): package car.app; import java.util.ArrayList; import java.util.Arrays; import java.util.List; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.autoconfigure.web.servlet.WebMvcRegistrations; import org.springframework.context.annotation.Bean; import org.springframework.web.bind.ServletRequestDataBinder; import org.springframework.web.context.request.NativeWebRequest; import org.springframework.web.method.annotation.InitBinderDataBinderFactory; import org.springframework.web.method.support.InvocableHandlerMethod; import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter; import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory; @SpringBootApplication public class MyApp { public static void main(String[] args) { SpringApplication.run(CarApp.class, args); } @Bean public WebMvcRegistrations mvcRegistrations() { return new WebMvcRegistrations() { @Override public RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() { return new ExtendedRequestMappingHandlerAdapter(); } }; } private static class ExtendedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter { @Override protected InitBinderDataBinderFactory createDataBinderFactory(List<InvocableHandlerMethod> methods) { return new ServletRequestDataBinderFactory(methods, getWebBindingInitializer()) { @Override protected ServletRequestDataBinder createBinderInstance( Object target, String name, NativeWebRequest request) throws Exception { ServletRequestDataBinder binder = super.createBinderInstance(target, name, request); String[] fields = binder.getDisallowedFields(); List<String> fieldList = new ArrayList<>(fields != null ? Arrays.asList(fields) : Collections.emptyList()); fieldList.addAll(Arrays.asList("class.*", "Class.*", "*.class.*", "*.Class.*")); binder.setDisallowedFields(fieldList.toArray(new String[] {})); return binder; } }; } } } Copy For Spring MVC without Spring Boot, an application can switch from @EnableWebMvc to extending DelegatingWebMvcConfiguration directly as described in Advanced Config section of the documentation, then overriding the createRequestMappingHandlerAdapter method. MISCONCEPTIONS There was speculation surrounding the commit to deprecate SerializationUtils. This class has only one usage within the framework and is not exposed to external input. The deprecation is unrelated to this vulnerability. There was confusion with a CVE for Spring Cloud Function which was released just before the report for this vulnerability. It is also unrelated. Please enable JavaScript to view the comments powered by Disqus. Get the Spring newsletter * * Yes, I would like to be contacted by The Spring Team and VMware for newsletters, promotions and events Subscribe GET AHEAD VMware offers training and certification to turbo-charge your progress. Learn more GET SUPPORT Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription. Learn more UPCOMING EVENTS Check out all the upcoming events in the Spring community. View all Why Spring * Microservices * Reactive * Event Driven * Cloud * Web Applications * Serverless * Batch Learn * Quickstart * Guides * Blog Community * Events * Team Projects Training Support Thank You © 2022 VMware, Inc. or its affiliates. Terms of Use • Privacy • Trademark Guidelines • Thank you • Your California Privacy Rights • Cookie Settings Apache®, Apache Tomcat®, Apache Kafka®, Apache Cassandra™, and Apache Geode™ are trademarks or registered trademarks of the Apache Software Foundation in the United States and/or other countries. Java™, Java™ SE, Java™ EE, and OpenJDK™ are trademarks of Oracle and/or its affiliates. Kubernetes® is a registered trademark of the Linux Foundation in the United States and other countries. Linux® is the registered trademark of Linus Torvalds in the United States and other countries. Windows® and Microsoft® Azure are registered trademarks of Microsoft Corporation. “AWS” and “Amazon Web Services” are trademarks or registered trademarks of Amazon.com Inc. or its affiliates. All other trademarks and copyrights are property of their respective owners and are only mentioned for informative purposes. Other names may be trademarks of their respective owners. We use cookies to provide you with the best experience on our website, to improve usability and performance and thereby improve what we offer to you. Our website may also use third-party cookies to display advertising that is more relevant to you. By clicking on the “Accept All” button you agree to the storing of cookies on your device. If you want to know more about how we use cookies, please see our Cookie Policy. Cookie Settings Accept All Cookies COOKIE PREFERENCE CENTER GENERAL INFORMATION ON COOKIES GENERAL INFORMATION ON COOKIES When you visit our website, we use cookies to ensure that we give you the best experience. This information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies by clicking on the different category headings to find out more and change your settings. However, blocking some types of cookies may impact your experience on the site and the services we are able to offer. Further information can be found in our Cookie Policy. * STRICTLY NECESSARY STRICTLY NECESSARY Always Active Strictly Necessary Strictly necessary cookies are always enabled since they are essential for our website to function. They enable core functionality such as security, network management, and website accessibility. You can set your browser to block or alert you about these cookies, but this may affect how the website functions. For more information please visit www.aboutcookies.org or www.allaboutcookies.org. Cookie Details * PERFORMANCE PERFORMANCE Performance Performance cookies are used to analyze the user experience to improve our website by collecting and reporting information on how you use it. They allow us to know which pages are the most and least popular, see how visitors move around the site, optimize our website and make it easier to navigate. Cookie Details * FUNCTIONAL FUNCTIONAL Functional Functional cookies help us keep track of your past browsing choices so we can improve usability and customize your experience. These cookies enable the website to remember your preferred settings, language preferences, location and other customizable elements such as font or text size. If you do not allow these cookies, then some or all of these services may not function properly. Cookie Details * ADVERTISING ADVERTISING Advertising Advertising cookies are used to send you relevant advertising and promotional information. They may be set through our site by third parties to build a profile of your interests and show you relevant advertisements on other sites. These cookies do not directly store personal information, but their function is based on uniquely identifying your browser and internet device. Cookie Details * SOCIAL MEDIA SOCIAL MEDIA Social Media Social media cookies are intended to facilitate the sharing of content and to improve the user experience. These cookies can sometimes track your activities. We do not control social media cookies and they do not allow us to gain access to your social media accounts. Please refer to the relevant social media platform’s privacy policies for more information. Cookie Details Back Button ADVERTISING COOKIES Filter Button Consent Leg.Interest Select All Vendors Select All Vendors Select All Hosts Select All * REPLACE-WITH-DYANMIC-HOST-ID View Third Party Cookies * Name cookie name Clear Filters Information storage and access Apply Confirm My Choices Allow All