Spring4Shell (Spring Framework Remote Code Execution) and Spring Cloud Function vulnerabilities
No violationsstackroxcriticalbuilddeployAlert on deployments with images containing Spring4Shell vulnerability CVE-2022-22965 which affects the Spring MVC component and vulnerability CVE-2022-22963 which affects the Spring Cloud component. There are flaws in Spring Cloud Function (versions 3.1.6, 3.2.2 and older unsupported versions) and in Spring Framework (5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and older unsupported versions).
- Rationale
- In Spring Cloud Function, when using routing functionality, a user can provide a specially crafted SpEL as a routing-expression that may result in remote code execution (RCE) and access to local resources. For Spring Framework, a Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to RCE via data binding.
- Remediation
- Upgrade Spring Cloud Function to version 3.1.7 or 3.2.3. Upgrade Spring Framework to version 5.3.18+ (if currently on 5.3.x) or 5.2.20+ (if currently on 5.2.x). If not possible to upgrade Spring Framework, then apply an appropriate workaround from the suggested workarounds on https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
CategoriesVulnerability Management
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.4(c)
- ISO/IEC 27001 2022
- A.8.8
- NIST SP 800-53 rev. 5
- RA-5
- PCI DSS 4.0
- 6.3.1
- SOC 2 2017 TSC
- CC7.1
Generated artifacts
1 of 5 targets supportedspring4shell-spring-framework-remote-code-execution-and-spring.rego
# Spring4Shell (Spring Framework Remote Code Execution) and Spring Cloud Function vulnerabilities (trivy)
# severity: critical
# source: stackrox/d03e0723-ef09-44da-bf29-fdd9e576fbf9
package trivy.spring4shell_spring_framework_remote_code_execution_and_spring
deny[msg] {
# rule 1
some v
v := input.Vulnerabilities[_]
v.VulnerabilityID == {"CVE-2022-22963", "CVE-2022-22965"}[_]
msg := "[critical] Spring4Shell (Spring Framework Remote Code Execution) and Spring Cloud Function vulnerabilities: Alert on deployments with images containing Spring4Shell vulnerability CVE-2022-22965 which affects the Spring MVC component and vulnerability CVE-2022-22963 which affects the Spring Cloud component. There are flaws in Spring Cloud Function (versions 3.1.6, 3.2.2 and older unsupported versions) and in Spring Framework (5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and older unsupported versions)."
}
IR (canonical)
{
"id": "d03e0723-ef09-44da-bf29-fdd9e576fbf9",
"name": "Spring4Shell (Spring Framework Remote Code Execution) and Spring Cloud Function vulnerabilities",
"description": "Alert on deployments with images containing Spring4Shell vulnerability CVE-2022-22965 which affects the Spring MVC component and vulnerability CVE-2022-22963 which affects the Spring Cloud component. There are flaws in Spring Cloud Function (versions 3.1.6, 3.2.2 and older unsupported versions) and in Spring Framework (5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and older unsupported versions).",
"rationale": "In Spring Cloud Function, when using routing functionality, a user can provide a specially crafted SpEL as a routing-expression that may result in remote code execution (RCE) and access to local resources. For Spring Framework, a Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to RCE via data binding.",
"remediation": "Upgrade Spring Cloud Function to version 3.1.7 or 3.2.3. Upgrade Spring Framework to version 5.3.18+ (if currently on 5.3.x) or 5.2.20+ (if currently on 5.2.x). If not possible to upgrade Spring Framework, then apply an appropriate workaround from the suggested workarounds on https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement",
"severity": "critical",
"categories": [
"Vulnerability Management"
],
"lifecycle": [
"build",
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "cve",
"values": [
"CVE-2022-22963",
"CVE-2022-22965"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "d03e0723-ef09-44da-bf29-fdd9e576fbf9",
"name": "Spring4Shell (Spring Framework Remote Code Execution) and Spring Cloud Function vulnerabilities",
"description": "Alert on deployments with images containing Spring4Shell vulnerability CVE-2022-22965 which affects the Spring MVC component and vulnerability CVE-2022-22963 which affects the Spring Cloud component. There are flaws in Spring Cloud Function (versions 3.1.6, 3.2.2 and older unsupported versions) and in Spring Framework (5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and older unsupported versions).",
"rationale": "In Spring Cloud Function, when using routing functionality, a user can provide a specially crafted SpEL as a routing-expression that may result in remote code execution (RCE) and access to local resources. For Spring Framework, a Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to RCE via data binding.",
"remediation": "Upgrade Spring Cloud Function to version 3.1.7 or 3.2.3. Upgrade Spring Framework to version 5.3.18+ (if currently on 5.3.x) or 5.2.20+ (if currently on 5.2.x). If not possible to upgrade Spring Framework, then apply an appropriate workaround from the suggested workarounds on https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement",
"disabled": false,
"categories": [
"Vulnerability Management"
],
"lifecycleStages": [
"BUILD",
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [],
"scope": [],
"severity": "CRITICAL_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "CVE",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "CVE-2022-22963"
},
{
"value": "CVE-2022-22965"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}