
MetricStream Security Advisory for Spring Framework/Spring Cloud Update 1.0

Updated on 4th April 2022


Description

On March 28, 2022, CVE-2022-22950, a denial-of-service issue in Spring Expression Language (SpEL), was published. CVE-2022-22963 (Spring Cloud Function) followed on March 29, and CVE-2022-22965 (Spring Framework, widely called "Spring4Shell") on March 31. The following table lists the affected components and dependencies.

CVE             Severity   Impacted Spring Component
--------------  ---------  ------------------------------------------------------------
CVE-2022-22965  Critical   Spring Framework (multiple dependent projects; see conditions below)
CVE-2022-22963  Critical   Spring Cloud Function 3.1.6, 3.2.2 and older unsupported versions
CVE-2022-22950  Medium     Spring Framework 5.3.0 to 5.3.16


CVE-2022-22965

Spring's advisory lists the following prerequisites for the exploit that was public at disclosure. Spring also notes that the underlying vulnerability is more general and other exploitation paths may exist, so the conditions below only bound the known exploit; the fix is to upgrade to Spring Framework 5.3.18 or 5.2.20 (Spring Boot 2.6.6 or 2.5.12). The known exploit requires ALL of the following:

1. The application uses Spring Web MVC or Spring WebFlux (spring-webmvc or spring-webflux dependency) AND

2. Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or an older unsupported version AND

3. JDK 9 or later AND

4. Packaged as a traditional WAR and deployed to a standalone Apache Tomcat (Spring Boot executable jars with embedded Tomcat are not affected by the known exploit) AND

5. Spring Web MVC request-parameter binding to a model object (enabled by default) AND

6. No allow-list of bindable fields is registered on the DataBinder, and no disallowed-field patterns block the class.* / Class.* / *.class.* / *.Class.* property paths that the exploit uses to reach the Tomcat AccessLogValve.
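Condition 6 is the one an application owner can close without waiting for a patch. The following is an added example of the DataBinder hardening Spring published as a workaround, written here for illustration; it is not MetricStream code. It assumes a Spring MVC application; the OrderForm model and OrderController names are hypothetical.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;

/**
 * Global DataBinder hardening (added example, not MetricStream's code).
 *
 * Request-parameter binding walks nested property paths such as
 * "class.module.classLoader.resources.context.parent.pipeline.first.pattern".
 * Denying every path that passes through a "class"/"Class" property blocks
 * the route the CVE-2022-22965 exploit uses on JDK 9+ to reach Tomcat internals.
 */
@ControllerAdvice
@Order(Ordered.HIGHEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void hardenBinder(WebDataBinder dataBinder) {
        // Matching is case-sensitive in affected versions, hence both spellings.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}

/** Hypothetical form object bound from request parameters. */
class OrderForm {
    private String sku;
    private int quantity;

    public String getSku() { return sku; }
    public void setSku(String sku) { this.sku = sku; }
    public int getQuantity() { return quantity; }
    public void setQuantity(int quantity) { this.quantity = quantity; }
}

/**
 * Per-controller allow-list (the stronger form of condition 6).
 * An allow-list enumerates the only fields a client may set, so unexpected
 * nested paths are rejected regardless of any global deny-list.
 */
@Controller
class OrderController {

    // Binder name restricts this rule to the "orderForm" model attribute.
    @InitBinder("orderForm")
    public void allowOnlyOrderFields(WebDataBinder dataBinder) {
        dataBinder.setAllowedFields("sku", "quantity");
    }

    @PostMapping("/orders")
    @ResponseBody
    public String submit(@ModelAttribute("orderForm") OrderForm form) {
        return "ordered " + form.getQuantity() + " x " + form.getSku();
    }
}
```

A caveat on the global advice: DataBinder.setDisallowedFields replaces the binder's deny-list rather than appending to it, so a controller whose own @InitBinder method calls setDisallowedFields overrides the global patterns for that controller. For such controllers use an allow-list as in OrderController, or subclass RequestMappingHandlerAdapter as the Spring advisory describes. Either workaround is a stopgap; upgrading to a fixed Spring Framework release remains the required fix.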


Affected Products and Patch Information

CVE-2022-22965

No Impact for Cloud.

On-premise customers running the Colorado or Danube release as a WAR deployment may be affected. Contact your account team for more information and the applicable patches.


No Impacts to Cloud or On Premise Customers

CVE-2022-22963

The MetricStream Application does not use Spring Cloud Function, and this library is not included in the MetricStream Application.

CVE-2022-22950

MetricStream is reevaluating the impact of CVE-2022-22950 as research on the issue evolves and new information becomes available.


References

CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

CVE-2022-22950: Spring Expression DoS Vulnerability
https://spring.io/blog/2022/03/28/cve-report-published-for-spring-framework

Sonatype: New Spring4Shell Zero-Day Vulnerability Confirmed: What it is and how to be prepared
https://blog.sonatype.com/new-0-day-spring-framework-vulnerability-confirmed

Rapid7: Spring4Shell zero-day vulnerability in Spring Framework
https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework
