×

MetricStream Security Advisory for Spring Framework/Spring Cloud Update 1.0

Updated on 4th April 2022


Description

On March 28, 2022, an initial vulnerability CVE-2022-22950 was reported. The following day CVE-2022-22963 and CVE-2022-22965 were reported in Spring Project and Spring Framework, respectively. The following table provides the affected components and dependencies.

 

CVE

Severity

Impacted Spring Component

CVE-2022-22965

Critical

Spring Framework (Multiple dependencies)

CVE-2022-22963

Critical

Spring Cloud Function v3.1.6 and v3.2.2

CVE-2022-22950

Medium

Spring Framework 5.3.0 to 5.3.16


CVE-2022-22965

This vulnerability can be exploited only if ALL of the following conditions are met:

1. Spring Web MVC or Spring Webflux projects AND

2. Spring Framework version 5.3.x prior to 5.3.18, and all versions prior to 5.2.20 AND

3. Java 1.9 or above AND

4. Deployed on Tomcat App Server as a WAR AND

5. Spring Web MVC with parameter binding (enabled by default) AND

6. Don’t have an allow-list of HTTP fields registered to be allowed or explicitly disallow fields that could cause malicious intent.


Affected Products and Patch Information

CVE-2022-22965

No Impact for Cloud.

For On Premise customers using WAR packaged deployment of Colorado or Danube release there may be impacts. Contact your account team for more information and applicable patches.


No Impacts to Cloud or On Premise Customers

CVE-2022-22963

The MetricStream Application does not use Spring Cloud Function and this library is not included in MetricStream Application

CVE-2022-22950

While discovery and research evolve, MetricStream is committed to reevaluating the impact as new information becomes available.


References

https://tanzu.vmware.com/security/cve-2022-22965

https://tanzu.vmware.com/security/cve-2022-22963

https://tanzu.vmware.com/security/cve-2022-22950

https://spring.io/blog/2022/03/28/cve-report-published-for-spring-framework

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

https://blog.sonatype.com/new-0-day-spring-framework-vulnerability-confirmed

https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework

https://www.contrastsecurity.com/security-influencers/new-spring4shell-vulnerability-confirmed-what-it-is-and-how-to-be-prepared

Ready to get started?

Speak to our experts