en en

Confirmed remote code execution (RCE) in Spring Core, an extremely popular Java framework (CVE-2022-22965)

Posted on March 30, 2022 in Software Frameworks, Libraries, and Components


Praetorian has confirmed that a remote code execution vulnerability exists in Spring, an extremely popular Java framework. How broadly this impacts the Spring ecosystem remains unclear. The flaw has been assigned a bug alert severity of 'critical'.


Updated Notice, 10:00AM New York Time

This flaw has been assigned CVE-2022-22965, and the Spring team is now issuing fixes. Please follow their post here for further updates.

Original Notice

This is not related to CVE-2022-22963, Spring Cloud Function, or SpEL routing expressions. That is a separate, (possibly?) less widespread issue documented here. Sadly, both are being referred to broadly as 'Spring4Shell', significantly adding to the confusion. We suggest the community refrain from using the term.

Praetorian has confirmed the existence of the remote code execution vulnerability that impacts Spring Core. Praetorian has also confirmed online rumors of the issue being caused by a partial fix to a very old issue, CVE-2010-1622. Unfortunately, proof-of-concept code is now widely available and is likely to be weaponized. What we don't know, though, is how widespread this issue really is, or how easily exploited it will be in the real world. As of late in the evening on March 30th, New York time, there's not much evidence yet that it will be exploitable in common configurations.

There is currently no patch. The existing proof-of-concept, as well as the proof-of-concept from 2010, both reference class.module.classLoader when constructing the attack. Bug Alert therefore recommends testing and deploying a WAF rule that analyzes request bodies for requests containing the term classLoader. Please remember that regex-based WAF rules are often easily bypassed, so do not regard this as a long-term solution.

Continue to monitor the Praetorian blog and the Bug Alert discussion thread (linked below) for further information. Once available, official notice from the Spring project is likely to be placed on the VMware Tanzu security advisories page (VMware owns the Spring project). It's likely they will also furnish a blog post with further information at a later time.

Rapid7 has put together a fantastic writeup with technical details. Their blog post also details some of the configurations that are required for the exploit to be successful, and they have committed to using that venue to provide additional information as it becomes available.

If you have feedback or questions, please comment on the discussion thread linked below. This notice cost the project approximately $150 USD to send. If you would like to support the project, you can learn more here

Additional vulnerability discussion can be found on GitHub.
Have information to contribute? Make a pull request!