
Spring4Shell Vulnerability Update

Security

Summary of Vulnerability

CVE-2022-22965, commonly referred to as Spring4Shell, is a critical remote code execution vulnerability in the Spring Framework for Java.

This vulnerability lies in Spring Core's data binding. An attacker can send a specially crafted HTTP request whose parameters are bound to a Java object, bypass the protections that were meant to keep request parameters from reaching the application's class loader, and use that access to achieve remote code execution.

For the known exploit to succeed, all of the following must be true of the affected application:

  • Use of JDK 9 or higher
  • Have Apache Tomcat as the servlet container
  • Be packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • Use the spring-webmvc or spring-webflux dependency
  • Use Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older versions

Spring's own advisory notes that these are the requirements of the exploit known at the time of disclosure and that the underlying weakness is more general, so upgrading remains the recommended fix even where these conditions are not all met.
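The following triage script is an added example, not TJM's code or anything from the Spring project. It checks the five preconditions above against an exploded deployment directory and a JDK version string: the directory layout, the JAR file names it looks for, and the two constructed sample deployments at the bottom (empty files standing in for JARs) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not TJM's or Spring's code): triage of the CVE-2022-22965
# preconditions. Layout, JAR names and sample deployments are assumptions.

# 0 (true) when a spring-core version is in a vulnerable range:
# 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or anything older than 5.2.
spring_core_vulnerable() {
  local IFS major minor patch
  IFS=.
  set -- $1                                   # "5.2.19.RELEASE" -> 5 2 19 RELEASE
  major=$1; minor=${2:-0}; patch=${3:-0}
  patch=${patch%%[!0-9]*}; patch=${patch:-0}  # "18-SNAPSHOT" -> 18
  [ "$major" -lt 5 ] && return 0
  [ "$major" -gt 5 ] && return 1
  [ "$minor" -lt 2 ] && return 0
  [ "$minor" -eq 2 ] && [ "$patch" -le 19 ] && return 0
  [ "$minor" -eq 3 ] && [ "$patch" -le 17 ] && return 0
  return 1
}

# Major JDK version from a "java -version" style string:
# "1.8.0_292" -> 8, "11.0.15" -> 11, "17" -> 17.
jdk_major() {
  local v
  v=$1
  case "$v" in 1.*) v=${v#1.} ;; esac       # pre-9 "1.x" naming scheme
  printf '%s\n' "${v%%[!0-9]*}"
}

# First regular file under $1 matching any of the remaining find predicates, or "".
find_first() {
  local dir
  dir=$1; shift
  find "$dir" \( "$@" \) -type f | head -n 1
}

# Prints one line per precondition for deployment dir $1 run on JDK $2.
# Returns 0 only when all five hold, i.e. the known exploit applies.
triage_deployment() {
  local dir jdk met core ver
  dir=$1; jdk=$2; met=0
  if [ "$(jdk_major "$jdk")" -ge 9 ]; then
    met=$((met + 1)); echo "[x] JDK 9 or higher ($jdk)"
  else echo "[ ] JDK 9 or higher ($jdk)"; fi
  if [ -n "$(find_first "$dir" -name 'tomcat-embed-core-*.jar' -o -name 'catalina.jar')" ]; then
    met=$((met + 1)); echo "[x] Tomcat servlet container"
  else echo "[ ] Tomcat servlet container"; fi
  if [ -d "$dir/WEB-INF" ]; then
    met=$((met + 1)); echo "[x] WAR packaging (WEB-INF/ present)"
  else echo "[ ] WAR packaging (WEB-INF/ present)"; fi
  if [ -n "$(find_first "$dir" -name 'spring-webmvc-*.jar' -o -name 'spring-webflux-*.jar')" ]; then
    met=$((met + 1)); echo "[x] spring-webmvc or spring-webflux"
  else echo "[ ] spring-webmvc or spring-webflux"; fi
  core=$(find_first "$dir" -name 'spring-core-*.jar')
  if [ -n "$core" ]; then
    ver=$(basename "$core" .jar); ver=${ver#spring-core-}
    if spring_core_vulnerable "$ver"; then
      met=$((met + 1)); echo "[x] spring-core $ver is in a vulnerable range"
    else echo "[ ] spring-core $ver is a fixed version"; fi
  else echo "[ ] spring-core not found"; fi
  [ "$met" -eq 5 ]
}

# Constructed sample deployments; empty files stand in for the JARs.
make_sample_war() {          # classic WAR on embedded Tomcat with spring-webmvc
  mkdir -p "$1/WEB-INF/lib"
  : > "$1/WEB-INF/lib/spring-core-5.3.17.jar"
  : > "$1/WEB-INF/lib/spring-webmvc-5.3.17.jar"
  : > "$1/WEB-INF/lib/tomcat-embed-core-9.0.60.jar"
}
make_sample_wildfly_jar() {  # JAR deployment on WildFly/Undertow, spring-core only
  mkdir -p "$1/lib"
  : > "$1/lib/spring-core-5.3.17.jar"
  : > "$1/lib/undertow-core-2.2.16.Final.jar"
}

tmp=$(mktemp -d)
make_sample_war "$tmp/war"; make_sample_wildfly_jar "$tmp/jar"
echo "== WAR on Tomcat =="
triage_deployment "$tmp/war" 11.0.15 && echo "=> all five preconditions met"
echo "== JAR on WildFly/Undertow =="
triage_deployment "$tmp/jar" 11.0.15 || echo "=> known exploit does not apply"
rm -rf "$tmp"
```

The second sample mirrors the configuration described for TJM below: the JDK and spring-core checks are the only ones that fire, so the script reports that the known exploit does not apply while still showing that the library version itself is in the affected range and should be upgraded.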

Is TJM vulnerable to this exploit?

Once our team was notified of this vulnerability, we investigated whether TJM was affected. We have concluded that TJM is not vulnerable to this exploit.

TJM does use JDK 11, and it includes the Spring Framework Core library. However, TJM is deployed on the WildFly application server, whose servlet container is Undertow rather than the Tomcat the exploit requires. TJM also does not include either the spring-webmvc or the spring-webflux dependency. Finally, TJM's core code is deployed as JAR files rather than the WAR packaging the exploit requires.

Fixes and Mitigation

The Spring Framework project has released fixed versions for this CVE: 5.3.18 and 5.2.20. TJM will be updated to Spring Core 5.3.18 in the 22.04 release of JM.
