Spring4Shell Zero-Day Vulnerability (CVE-2022-22965) & Spring Cloud Function (CVE-2022-22963) Vulnerability– Do You Need to Worry About Them?

Recently, highly potent zero-day vulnerabilities in Java have come to the fore. They are called the Spring4Shell Zero-Day RCE Vulnerability CVE-2022-22965 and Spring Cloud Function vulnerability (CVE-2022-22963). Before understanding the potency of these vulnerabilities, let’s understand about the Spring- Java application framework.

What is the Java Spring Framework?

Spring is a widely used lightweight Java platform application framework that allows developers to easily develop Java applications with enterprise-level features which are then deployed as an application on servers such as Apache Tomcat or as stand-alone packages with all the required dependencies.

Spring Cloud Function is a function computing framework based on Spring Boot. It allows developers to focus on implementing business logic and improving the efficiency in development. Spring Cloud Function is used by many tech giants including AWS Lambda, Azure, Google Cloud Functions, Apache OpenWhisk, and other serverless service providers.

A Remote Code Execution vulnerability exists in Spring Cloud Function (CVE-2022-22963) versions 3.1.7 & 3.2.3. An unauthenticated attacker can exploit the vulnerability by injecting malicious SpEL (Spring Expression Language) expressions into crafted HTTP request headers by constructing specific data packets leading to arbitrary remote code execution on the target system.

Spring has also confirmed the zero-day vulnerability dubbed Spring4Shell (CVE-2022-22965) in Spring Framework versions below 5.3.18 and 5.2.20 which could be exploited by an attacker to achieve arbitrary code execution. Spring Framework versions 5.3.18 and 5.2.20 have been released to address the vulnerability. The vulnerability affects Spring WebFlux and SpringMVC applications running on JDK 9+.

What Are the Risks?

A remote unauthenticated attacker can easily exploit the vulnerability and successful exploitation can grant full control of the victim’s system. Both vulnerabilities are known to be actively exploited in the wild since the PoCs surfaced online and are available in public.

Severity: Critical

CVSSv3.1: Base Score:9.8 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSSv2: Base Score:…