Spring Framework RCE via Data Binding on JDK 9+ Vulnerability (CVE-2022-22965)

Last update: 4 April 2022

ID: FSC33127

Affected Components: Identity Provider of the Fabasoft Cloud, Fabasoft Secomo

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, Base Score: 9.8

Status: Final

First published: 4 April 2022

CVE: CVE-2022-22965

Summary

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Two components of the Fabasoft Cloud used an affected version of the Spring framework: the Identity Provider of the Fabasoft Cloud and Fabasoft Secomo.

Impact

Remote code execution (RCE) would potentially have been possible on the affected components.

Remediation

Fabasoft provided a hotfix in the Fabasoft Cloud for all affected components on 1 April 2022 by updating the Spring framework to the latest version, 5.3.18. No other remediation is required by the customer.

Note: Fabasoft Folio and the Fabasoft eGov-Suite do not make use of the Spring framework and are therefore not affected.

More Information

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

https://tanzu.vmware.com/security/cve-2022-22965