VEC ALERT: Critical SpringShell Zero-Day

Vanderbilt Enterprise Cybersecurity’s (VEC) Security Operations and Services is issuing this communication to inform you of a critical vulnerability in the Spring Framework. The vulnerability allows an unauthenticated attacker to execute arbitrary code remotely on a vulnerable server and to write a webshell to it for continued access.
 
CVE-2022-22965: SpringShell (also referred to as Spring4Shell)

Affected Software and Versions (all of the following must apply for the publicly known exploit to work):
•    Java Development Kit 9 or higher
•    Apache Tomcat as the Servlet container, with the application deployed as a traditional WAR
•    spring-webmvc or spring-webflux dependency
•    Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and all older, unsupported versions

Spring cautions that other ways to exploit the vulnerability may exist, so applications that do not meet every condition above should still be updated.

Next Steps:

Check for and apply Spring Framework updates: version 5.3.18 or 5.2.20. Applications built on Spring Boot receive the fixed framework through Spring Boot 2.6.6 or 2.5.12. Apache Tomcat 10.0.20, 9.0.62 and 8.5.78 contain a mitigation that hardens the container against the known attack; apply them as well, but they are not a substitute for updating the framework.
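The following script is an added example, not part of this alert or of Spring's own tooling. It applies the preconditions listed above to a deployed WAR: it reads the Spring Framework jars under WEB-INF/lib, compares their versions against the fixed releases (5.3.18 and 5.2.20, with everything below 5.2 treated as affected), normalises the JDK version string, and combines the results into one verdict. The WAR it scans is constructed in memory for the demonstration; the function and file names are this example's own.

```python
"""Check a Spring application's deployment artefacts against the CVE-2022-22965 preconditions."""
import io
import re
import zipfile

# Fixed releases named in the advisory; any version in the same branch below these is affected.
FIXED_VERSIONS = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Spring Framework jars whose file name carries the framework version.
SPRING_JAR_RE = re.compile(
    r"spring-(?P<module>webmvc|webflux|core|beans)-(?P<version>\d+\.\d+\.\d+)(?:[.-][\w.]+)?\.jar$"
)


def parse_version(text):
    """'5.3.17' -> (5, 3, 17), so versions compare as tuples rather than strings."""
    return tuple(int(part) for part in text.split("."))


def spring_version_is_vulnerable(version):
    """True when the Spring Framework version lies in an affected range.

    5.3.0-5.3.17 and 5.2.0-5.2.19 are fixed in 5.3.18 and 5.2.20; everything
    older than 5.2 is out of support and listed as affected.
    """
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_VERSIONS:
        return parsed < FIXED_VERSIONS[branch]
    return parsed < (5, 2, 0)


def java_major_version(version_string):
    """Normalise 'java -version' style strings: '1.8.0_292' -> 8, '11.0.15' -> 11, '17' -> 17."""
    parts = version_string.split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])  # legacy 1.x naming used up to JDK 8
    return int(parts[0].split("_")[0])


def jdk_is_in_scope(version_string):
    """The known exploit path requires JDK 9 or newer."""
    return java_major_version(version_string) >= 9


def scan_jar_names(jar_names):
    """Return [(jar, version, vulnerable)] for every Spring Framework jar in the list."""
    findings = []
    for name in jar_names:
        match = SPRING_JAR_RE.search(name)
        if match:
            version = match.group("version")
            findings.append((name, version, spring_version_is_vulnerable(version)))
    return findings


def scan_war(war_file):
    """List the WEB-INF/lib jars inside a WAR (path or file-like object) and assess them."""
    with zipfile.ZipFile(war_file) as war:
        jars = [n for n in war.namelist() if n.startswith("WEB-INF/lib/") and n.endswith(".jar")]
    return scan_jar_names(jars)


def assess(war_file, java_version, servlet_container):
    """Combine the advisory's preconditions into a single verdict."""
    findings = scan_war(war_file)
    vulnerable_jars = [f for f in findings if f[2]]
    uses_spring_web = any(
        f[0].rsplit("/", 1)[-1].startswith(("spring-webmvc", "spring-webflux")) for f in findings
    )
    exposed = (
        bool(vulnerable_jars)
        and uses_spring_web
        and jdk_is_in_scope(java_version)
        and servlet_container.lower() == "tomcat"
    )
    return {"findings": findings, "exposed": exposed}


def build_sample_war():
    """Constructed in-memory WAR containing a vulnerable spring-webmvc build (not a real deployment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/spring-webmvc-5.3.17.jar", b"")
        war.writestr("WEB-INF/lib/spring-core-5.3.17.jar", b"")
        war.writestr("WEB-INF/lib/jackson-databind-2.13.2.jar", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    result = assess(build_sample_war(), "11.0.15", "Tomcat")
    for jar, version, vulnerable in result["findings"]:
        print(f"{jar}: {version} {'VULNERABLE' if vulnerable else 'fixed'}")
    print("Exposed:", result["exposed"])
```

A verdict of "not exposed" here means only that the publicly known exploit path does not apply; per the caveat above, the framework should still be updated. Fat jars built with Spring Boot nest their libraries under BOOT-INF/lib rather than WEB-INF/lib, so the path prefix in scan_war needs adjusting for those.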

For full details on the CVE, see the sources below. If exploitation is suspected, administrators should report it to VEC Threat Detection & Response for further investigation.
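As an added example of what "suspected exploitation" can look like in logs (this code is not from the alert or from any of the referenced vendors), the scanner below reads Tomcat access log lines in the combined format and flags requests whose parameter names walk into the class loader through Spring's data binding. The public exploit described in the Unit42 and Rapid7 write-ups uses parameter names beginning with class.module.classLoader (the JDK 9+ path) to reconfigure Tomcat's access-log valve; class.classLoader is the older CVE-2010-1622 path and is included for completeness. The log lines are constructed for the demonstration, and the parameter values are placeholders rather than a working payload.

```python
"""Flag CVE-2022-22965 exploitation attempts in Tomcat access logs."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"
ACCESS_LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Property paths the public exploit walks through Spring data binding into Tomcat.
# Compared case-insensitively because capitalised variants ("Class.module...") were
# used to slip past early regex-based filters.
SUSPICIOUS_PREFIXES = ("class.module.classloader", "class.classloader")


def suspicious_parameters(request_line):
    """Return the parameter names in a request line that reach into the class loader."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; decode again so double-encoded dots ('%252E') are caught too
        normalised = unquote(name).lower()
        if normalised.startswith(SUSPICIOUS_PREFIXES):
            hits.append(name)
    return hits


def scan_access_log(lines):
    """Return [(host, time, request, flagged parameter names)] for matching log entries."""
    alerts = []
    for line in lines:
        match = ACCESS_LINE_RE.match(line)
        if not match:
            continue
        hits = suspicious_parameters(match.group("request"))
        if hits:
            alerts.append((match.group("host"), match.group("time"), match.group("request"), hits))
    return alerts


# Constructed sample lines; the addresses are documentation ranges and the values are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2022:10:15:01 +0000] "GET /app/hello?name=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [31/Mar/2022:10:15:09 +0000] "GET /app/hello?class.module.classLoader.resources.context.parent.pipeline.first.pattern=test&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 512 "-" "curl/7.81.0"',
    '203.0.113.7 - - [31/Mar/2022:10:15:12 +0000] "GET /app/hello?Class%2Emodule%2EclassLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT HTTP/1.1" 200 512 "-" "curl/7.81.0"',
    '198.51.100.4 - - [31/Mar/2022:10:16:44 +0000] "POST /app/hello HTTP/1.1" 200 512 "-" "curl/7.81.0"',
]

if __name__ == "__main__":
    for host, when, request, hits in scan_access_log(SAMPLE_LOG):
        print(f"{when} {host} {request.split(' ')[1][:60]}... -> {len(hits)} suspicious parameter(s)")
```

The last sample line illustrates the limit of this check: the access log records only the request line, so parameters sent in a POST body never appear in it. Coverage of POST-based attempts needs request-body logging at a reverse proxy or WAF, or the application's own logging of bound parameters.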
  
VEC Security Operations and Services will continue to monitor developments for this vulnerability and communicate if further action is required.

Resources:

•    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
•    https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/
•    https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulne…
•    https://spring.io/blog/2022/03/31/spring-framework-rce-early-announceme…