Spring4Shell remediation guide

Published
Updated

Two new (and unrelated) vulnerabilities (CVE-2022-22965) and (CVE-2022-22963) have been published at the same time, creating confusion and headaches for all involved trying to remediate them.

It is important to understand that these two vulnerabilities are not related. They affect different libraries and require different vectors of attack.

What exactly are these vulnerabilities?

  • CVE-2022-22965 - identifies the ability to perform remote code execution when Spring Framework / Spring Boot libraries prior to 5.3.18 and 5.2.20 are present. This has come to be known as Spring4Shell and is currently has the larger impact of the two vulnerabilities that were announced.
  • CVE-2022-22963 - is a vulnerability in which specially crafted Spring Expression Language (SpEL) routing-expressions can be used to remotely execute code via Spring Cloud Functions.

How do I know if I am vulnerable?

If your application is running a version of:

  • Spring Framework prior to 5.3.18 or 5.2.20
  • Spring Boot prior to 2.5.16 or 2.6.6
  • Spring Cloud prior to 3.2.3 or 3.1.7

Then you will need to update these dependencies as soon as possible.

Additionally, if these packages are used within a third party application that you are running, they are currently known to be exploitable given the following environmental conditions:

  • Running on Java JDK9 or greater
  • Using Apache Tomcat as an application server or deployed as a traditional WAR file.

How to remediate CVE-2022-22965 for Spring Framework and Boot

Update your Spring Framework and Spring Boot dependencies, including your parent / starters if currently utilized.

If you are on Spring Boot 2.6.x

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter</artifactId>
    <version>2.6.6</version>
</dependency>

If you are on Spring Boot 2.5.x

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter</artifactId>
    <version>2.5.12</version>
</dependency>

You also need to update any versions of Spring Framework that may be included in your project to 5.3.18 or 5.2.20

If you are on Spring Framework 5.3.x

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>5.3.18</version>
</dependency>

If you are on Spring Framework 5.2.x

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>5.2.20</version>
</dependency>

Additionally you will need to update any other one-off Spring dependencies depending on how you are including them.

For example, if you are using Spring Web, a 5.2.20 and 5.3.18 releases are available respectively:

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>5.3.18</version>
</dependency>

How to remediate CVE-2022-22963 for Spring Cloud

Simply update your dependencies and update your Spring-Cloud function dependency to 3.1.7 or 3.2.3. The following are some examples in Maven on how to update your pom.xml:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-function-core</artifactId>
    <version>3.2.3</version>
</dependency>

Also remember to update your adapter versions!

For example, if you are using Spring Cloud to deploy to AWS:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-function-adapter-aws</artifactId>
    <version>3.2.3</version>
</dependency>

For Azure:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-function-adapter-azure</artifactId>
    <version>3.2.3</version>
</dependency>

For Google Cloud Platform (GCP):

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-function-adapter-gcp</artifactId>
    <version>3.2.3</version>
</dependency>

Likewise, if you implement any of the other dependencies for Spring-Cloud make sure you update them as well:

spring-cloud-function-adapter-openwhisk                         
spring-cloud-function-adapter-parent                                                         
spring-cloud-function-context                                   
spring-cloud-function-core                                      
spring-cloud-function-dependencies                              
spring-cloud-function-deployer                                  
spring-cloud-function-grpc                                      
spring-cloud-function-grpc-cloudevent-ext                       
spring-cloud-function-kotlin                                    
spring-cloud-function-parent                                    
spring-cloud-function-rsocket                                   
spring-cloud-function-stream                                    
spring-cloud-function-task                                      
spring-cloud-function-web