PT-2022-2032 · Vmware+4 · Vmware Tanzu Application Service For Vms+6

Published

2020-10-29

·

Updated

2026-04-28

·

CVE-2022-22965

CVSS v2.0

10

Critical

AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Spring Framework versions prior to 5.2.20 and 5.3.18
Spring Boot versions prior to 2.5.12 and 2.6.6
libspring-aop-java - 4.3.22-4ubuntu0.1~esm1
libspring-beans-java - 4.3.22-4ubuntu0.1~esm1
libspring-context-java - 4.3.22-4ubuntu0.1~esm1
libspring-context-support-java - 4.3.22-4ubuntu0.1~esm1
libspring-core-java - 4.3.22-4ubuntu0.1~esm1
libspring-expression-java - 4.3.22-4ubuntu0.1~esm1
libspring-instrument-java - 4.3.22-4ubuntu0.1~esm1
libspring-jdbc-java - 4.3.22-4ubuntu0.1~esm1
libspring-jms-java - 4.3.22-4ubuntu0.1~esm1
libspring-messaging-java - 4.3.22-4ubuntu0.1~esm1
libspring-orm-java - 4.3.22-4ubuntu0.1~esm1
libspring-oxm-java - 4.3.22-4ubuntu0.1~esm1
libspring-test-java - 4.3.22-4ubuntu0.1~esm1
libspring-transaction-java - 4.3.22-4ubuntu0.1~esm1
libspring-web-java - 4.3.22-4ubuntu0.1~esm1
libspring-web-portlet-java - 4.3.22-4ubuntu0.1~esm1
libspring-web-servlet-java - 4.3.22-4ubuntu0.1~esm1
Description

The Spring Framework contains a flaw in how it handles web requests via data binding: manipulation of the data binding process can lead to execution of malicious code. A remote attacker could exploit this to achieve remote code execution and potentially obtain sensitive information. The vulnerability is exploitable when the application runs on JDK 9 or higher with Apache Tomcat as the servlet container and is packaged as a WAR file. The default Spring Boot executable jar deployment is not directly vulnerable, but the underlying issue may present other exploitation vectors. Reports indicate that millions of installations may be affected, and active exploitation attempts have been observed. The WebDataBinder component and its associated disallowedFields setting are central to the issue.
Recommendations

Upgrade Spring Framework to version 5.2.20 or 5.3.18.
Upgrade Spring Boot to version 2.5.12 or 2.6.6.
For systems running libspring-aop-java, libspring-beans-java, libspring-context-java, libspring-context-support-java, libspring-core-java, libspring-expression-java, libspring-instrument-java, libspring-jdbc-java, libspring-jms-java, libspring-messaging-java, libspring-orm-java, libspring-oxm-java, libspring-test-java, libspring-transaction-java, libspring-web-java, libspring-web-portlet-java, and libspring-web-servlet-java, update to version 4.3.22-4ubuntu0.1~esm1.
As a workaround, set disallowedFields on WebDataBinder through an @ControllerAdvice. Alternatively, extend RequestMappingHandlerAdapter to update the WebDataBinder after all other initialization.
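The @ControllerAdvice workaround named above, written out as an added illustration that is not part of this advisory or of the Spring project's own code; the class name is hypothetical, and the field patterns are the ones given in Spring's published mitigation guidance.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Runs for every controller's WebDataBinder before request parameters are
// bound, so the denylist applies application-wide without editing controllers.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Class name is hypothetical. The patterns are those from Spring's published
    // mitigation: they refuse binding to any "class" property on the target
    // object and to anything nested beneath such a property.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Request parameters matching a disallowed pattern are dropped, not bound.
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

A controller that declares its own @InitBinder and calls setDisallowedFields locally replaces this list rather than extending it, which is why the advisory also offers the alternative of extending RequestMappingHandlerAdapter so the WebDataBinder is updated after all other initialization.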

Exploit

Fix

RCE

Code Injection

Special Elements Injection

Weakness Enumeration

Related Identifiers

BDU:2022-01631
BDU:2022-06615
CVE-2022-22965
GHSA-36P3-WJMG-H94X
USN-7165-1

Affected Products

Debian
Jira
Linuxmint
Ubuntu
Vmware Tanzu Application Service For Vms
Vmware Tanzu Kubernetes Grid Integrated Edition
Vmware Tanzu Operations Manager