Lucene search

K
f5F5F5:K11510688
HistoryMar 31, 2022 - 12:00 a.m.

K11510688 : Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963

2022-03-3100:00:00
my.f5.com
548
spring framework
remote code execution
denial of service
spring cloud
routing expression

AI Score

8.9

Confidence

High

EPSS

0.975

Percentile

100.0%

Security Advisory Description

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

Impact

There is no impact; F5 products and services and NGINX products are not affected by this vulnerability.