CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.9 High
  Confidence: High

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.975 High
  Percentile: 100.0%
The VMware Spring Framework is prone to a remote code execution
(RCE) vulnerability dubbed 'Spring4Shell' or 'SpringShell'.
# SPDX-FileCopyrightText: 2022 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:vmware:spring_framework";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.113865");
  script_version("2023-12-01T16:11:30+0000");
  script_tag(name:"last_modification", value:"2023-12-01 16:11:30 +0000 (Fri, 01 Dec 2023)");
  script_tag(name:"creation_date", value:"2022-03-31 07:40:33 +0000 (Thu, 31 Mar 2022)");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2022-04-08 17:43:00 +0000 (Fri, 08 Apr 2022)");

  script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");
  script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");

  script_cve_id("CVE-2022-22965");

  script_name("VMware Spring Framework RCE Vulnerability (Spring4Shell, SpringShell) - Version Check");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2022 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("gb_vmware_spring_framework_consolidation.nasl");
  script_mandatory_keys("vmware/spring/framework/detected");

  script_xref(name:"URL", value:"https://tanzu.vmware.com/security/cve-2022-22965");
  script_xref(name:"URL", value:"https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement");
  script_xref(name:"URL", value:"https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds");
  script_xref(name:"URL", value:"https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative");
  script_xref(name:"URL", value:"https://lists.apache.org/thread/5grm3b0g6co2rcw3tov34vx8r3ws9x6y");
  script_xref(name:"URL", value:"https://lists.apache.org/thread/k1oknlyc28x25k3tnr9chr8wc37yrxlw");
  script_xref(name:"URL", value:"https://lists.apache.org/thread/4318xzl2f9o8j3x56gx46vlst5myroc0");
  script_xref(name:"URL", value:"https://www.praetorian.com/blog/spring-core-jdk9-rce/");
  script_xref(name:"URL", value:"https://blog.sonatype.com/new-0-day-spring-framework-vulnerability-confirmed");
  script_xref(name:"URL", value:"https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/");
  script_xref(name:"URL", value:"https://bugalert.org/content/notices/2022-03-30-spring.html");
  script_xref(name:"URL", value:"https://www.intruder.io/blog/spring4shell-cve-2022-22965");
  script_xref(name:"URL", value:"https://twitter.com/RandoriAttack/status/1509298490106593283");
  script_xref(name:"URL", value:"https://github.com/alt3kx/CVE-2022-22965");

  script_tag(name:"summary", value:"The VMware Spring Framework is prone to a remote code execution
  (RCE) vulnerability dubbed 'Spring4Shell' or 'SpringShell'.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"A Spring MVC or Spring WebFlux application running on JDK 9+ may
  be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the
  application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot
  executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the
  vulnerability is more general, and there may be other ways to exploit it.");

  script_tag(name:"affected", value:"VMware Spring Framework versions prior to 5.2.20 and 5.3.x
  prior to 5.3.18.
  The following are the requirements for an environment to be affected to this specific
  vulnerability:
  - Running on JDK 9 or higher
  - Apache Tomcat as the Servlet container
  - Packaged as a traditional WAR and deployed in a standalone Tomcat instance. Typical Spring Boot
  deployments using an embedded Servlet container or reactive web server are not impacted.
  - spring-webmvc or spring-webflux dependency
  - an affected version of the Spring Framework");

  script_tag(name:"solution", value:"Update to version 5.2.20, 5.3.18 or later.
  Possible mitigations without doing an update:
  - Upgrading Tomcat (10.0.20, 9.0.62 or 8.5.78 hardened the class loader to provide a mitigation)
  - Downgrading to Java 8
  - Disallowed Fields
  Please see the references for more information on these mitigation possibilities.");

  # nb: Apps / systems are only affected when running on Tomcat with additional constraints like
  # being a Web MVC or WebFlux application...
  script_tag(name:"qod_type", value:"executable_version_unreliable");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

# Stop early if no port or no version was recorded for the detected Spring Framework
if( isnull( port = get_app_port( cpe:CPE ) ) )
  exit( 0 );

if( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:TRUE ) )
  exit( 0 );

version = infos["version"];
location = infos["location"];

# All releases before 5.2.20 are reported
if( version_is_less( version:version, test_version:"5.2.20" ) ) {
  report = report_fixed_ver( installed_version:version, fixed_version:"5.2.20/5.3.18", install_path:location );
  security_message( port:port, data:report );
  exit( 0 );
}

# 5.3.x releases before 5.3.18 are reported
if( version_in_range_exclusive( version:version, test_version_lo:"5.3.0", test_version_up:"5.3.18" ) ) {
  report = report_fixed_ver( installed_version:version, fixed_version:"5.3.18", install_path:location );
  security_message( port:port, data:report );
  exit( 0 );
}

# Detected version is outside both affected ranges
exit( 99 );
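The plugin above reports on version alone, which is why it is tagged "executable_version_unreliable". The following added example (not Greenbone's code) combines the same version ranges with the environment requirements and the Tomcat mitigation releases listed in the plugin text to triage a finding. The inventory record layout and field names are assumptions made for illustration.

```python
import re

# Version thresholds come from the plugin text; record field names are assumptions.
TOMCAT_HARDENED = {(8, 5): 78, (9, 0): 62, (10, 0): 20}
WEB_MODULES = {"spring-webmvc", "spring-webflux"}

def parse_version(text):
    """Turn '5.3.17' or '5.3.17.RELEASE' into (5, 3, 17)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_affected(text):
    """Ranges from the 'affected' text: before 5.2.20, or 5.3.x before 5.3.18."""
    v = parse_version(text)
    return v < (5, 2, 20) or (5, 3, 0) <= v < (5, 3, 18)

def tomcat_hardened(text):
    """True only for a release line and patch level the page names as hardened."""
    major, minor, patch = parse_version(text)
    return patch >= TOMCAT_HARDENED.get((major, minor), float("inf"))

def triage(rec):
    """Return (status, reasons) for one record; a missing field means 'unknown'."""
    if not version_affected(rec["spring_version"]):
        return "not-affected", []
    # A precondition is ruled out only by positive evidence; unknowns stay open.
    unmet = []
    if rec.get("jdk_major") is not None and rec["jdk_major"] < 9:
        unmet.append("JDK below 9")
    if rec.get("container") not in (None, "tomcat"):
        unmet.append("container is not Tomcat")
    if rec.get("packaging") not in (None, "war"):
        unmet.append("not packaged as a WAR")
    mods = rec.get("modules")
    if mods is not None and not WEB_MODULES & set(mods):
        unmet.append("no spring-webmvc or spring-webflux")
    if unmet:
        return "affected-preconditions-unmet", unmet
    if rec.get("tomcat_version") and tomcat_hardened(rec["tomcat_version"]):
        return "affected-mitigated", ["Tomcat class loader hardened"]
    return "affected-exposed", ["listed preconditions met or unknown"]

# Constructed sample record, not a real host.
SAMPLE = {"spring_version": "5.3.17", "jdk_major": 11, "container": "tomcat",
          "packaging": "war", "tomcat_version": "9.0.60", "modules": ["spring-webmvc"]}
if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage({**SAMPLE, "tomcat_version": "9.0.62"}))
```

Every "affected-*" status still calls for the update to 5.2.20 or 5.3.18, since the plugin text notes the vulnerability is more general than the known exploit; the status only orders the work.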
blog.sonatype.com/new-0-day-spring-framework-vulnerability-confirmed
bugalert.org/content/notices/2022-03-30-spring.html
github.com/alt3kx/CVE-2022-22965
lists.apache.org/thread/4318xzl2f9o8j3x56gx46vlst5myroc0
lists.apache.org/thread/5grm3b0g6co2rcw3tov34vx8r3ws9x6y
lists.apache.org/thread/k1oknlyc28x25k3tnr9chr8wc37yrxlw
spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds
spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative
tanzu.vmware.com/security/cve-2022-22965
twitter.com/RandoriAttack/status/1509298490106593283
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.intruder.io/blog/spring4shell-cve-2022-22965
www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
www.praetorian.com/blog/spring-core-jdk9-rce/
Known Exploited Vulnerability (KEV) catalog