CVE-2022-22965: UAA affected by Spring Framework RCE via Data Binding on JDK 9+ | Cloud Foundry

2022-04-05 00:00:00
Cloud Foundry
www.cloudfoundry.org

9.8 High (CVSS3)

  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

7.5 High (CVSS2)

  • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.975 High (Percentile: 100.0%)

Severity

Critical

Vendor

Cloud Foundry Foundation

Description

In Cloud Foundry UAA, a remote code execution vulnerability is present due to an issue in the Spring Framework identified by CVE-2022-22965. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

Affected Cloud Foundry Products and Versions

Severity is critical unless otherwise noted.

  • UAA Release (OSS)
    • Versions 74.2.0 – 75.17.0
  • CF Deployment
    • Version 12.1.0 and above but below version 20.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • UAA Release (OSS)
    • Upgrade affected versions to 75.18.0 or greater.
  • CF Deployment
    • Upgrade affected versions to 20.0 or greater.
    • Alternatively, a workaround can be deployed on affected versions.

**Workaround for CF Deployment**

  1. Create a temporary ops file with the following content:

```yaml
- type: replace
  path: /releases/name=uaa
  value:
    name: uaa
    url: https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=75.18.0
    version: "75.18.0"
    sha1: 5f9c63ecf952e94ff3ce229eed25069c7ce2a6b0
```

  2. Apply this ops file during subsequent bosh deploys for cf-deployment, until you upgrade cf-deployment to a version where this CVE is fixed. For more information on how to apply ops files, read the section of the README: <https://github.com/cloudfoundry/cf-deployment#ops-files>
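A small version check for the affected ranges stated above, added here as an example and not part of the Cloud Foundry advisory. It compares dotted numeric versions component by component (so 75.18.0 sorts after 75.2.0), reports whether a uaa-release or cf-deployment version needs the upgrade or the workaround, and assumes plain numeric versions and an ops file name of `uaa-75.18.0.yml`.

```shell
#!/bin/sh
# Added example, not from the advisory: is this uaa-release (OSS) or cf-deployment
# version inside the affected ranges? Assumes dotted numeric versions (no -rc suffix).
set -eu
# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B, comparing each dotted component
# numerically so that 75.18.0 sorts after 75.2.0 (string comparison would not).
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; bh="${b%%.*}"          # leading component of each side
    if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
    ah="${ah:-0}"; bh="${bh:-0}"          # missing component counts as 0 (20 == 20.0)
    if [ "$ah" -lt "$bh" ]; then printf '%s\n' "-1"; return; fi
    if [ "$ah" -gt "$bh" ]; then printf '%s\n' "1"; return; fi
  done
  printf '%s\n' "0"
}

# uaa_affected V: succeeds when 74.2.0 <= V <= 75.17.0 (75.18.0 carries the fix)
uaa_affected() {
  [ "$(vercmp "$1" 74.2.0)" -ge 0 ] && [ "$(vercmp "$1" 75.17.0)" -le 0 ]
}

# cfd_affected V: succeeds when 12.1.0 <= V < 20.0 (20.0 pins uaa-release 75.18.0)
cfd_affected() {
  [ "$(vercmp "$1" 12.1.0)" -ge 0 ] && [ "$(vercmp "$1" 20.0)" -lt 0 ]
}

# report KIND VERSION: prints the verdict plus the advisory's remediation; returns 1
# when affected so the check can gate a deployment pipeline.
report() {
  case "$1" in
    uaa)
      if uaa_affected "$2"; then
        echo "uaa-release $2: AFFECTED by CVE-2022-22965, upgrade to 75.18.0 or later"; return 1
      fi ;;
    cf-deployment)
      if cfd_affected "$2"; then
        echo "cf-deployment $2: AFFECTED, upgrade to 20.0 or later, or until then deploy with"
        echo "  bosh -d cf deploy cf-deployment.yml -o uaa-75.18.0.yml   # workaround ops file (assumed name)"
        return 1
      fi ;;
    *) echo "unknown kind: $1 (use uaa or cf-deployment)" >&2; return 2 ;;
  esac
  echo "$1 $2: not in the affected range"
}
# Usage: sh check-uaa-cve.sh uaa 75.2.0   or   sh check-uaa-cve.sh cf-deployment 16.7.0
if [ "$#" -eq 2 ]; then report "$1" "$2"; fi
```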

References:

<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>

History

2022-04-05: Initial vulnerability report published.
2022-04-21: Added fixed version of CF Deployment.
