
Spring4Shell: spring-beans RCE Vulnerability (CVE-2022-22965)


    Description

      Official announcement from spring.io: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

      There are three recent issues in Spring Framework:

      This Jira is about the last one only. (The others may also be fixed by updating to a fixed version.)

      Fix

      42 FOLIO platform-complete modules use a vulnerable spring version.

      https://github.com/folio-org/platform-complete/actions/workflows/spring-cve-2022-22965.yml automatically maintains a list of all FOLIO back-end modules showing their Spring4Shell status for Kiwi (R3 2021), Lotus (R1 2022), Morning Glory (R2 2022) and Nolana (R3 2022). The list is in "Run cat result.txt".

      Patches are available:

      • Spring Framework 5.3.18 and 5.2.20
      • Spring Boot 2.6.6 and 2.5.12
      • Grails Core 5.1.6

      It is NOT recommended to only apply workarounds (like not using Tomcat/Payara/Glassfish).
      Quote from https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement :

      The preferred response is to update to Spring Framework 5.3.18 and 5.2.20 or greater.

      Quote from https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751 :

      we also recommend upgrading all vulnerable versions to the fixed spring-beans version regardless of the application configuration.

      After applying the patch run

      mvn dependency:tree -Dincludes=org.springframework:spring-beans

      or

      grails dependency-report runtime | grep spring-beans

      and check that the spring-beans version is >= 5.3.18 or >= 5.2.20.

      Apply the patch on the default branch (main/master), on the R2 2022 Morning Glory branch (if it exists), and on the Lotus (R1 2022) branch, and release a patch version for Lotus.

      We don't need any Kiwi back-port because there are no plans for a Kiwi hot fix #3.
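      The version check above, as an added example that is not part of this ticket or of any FOLIO module: a small Python script that parses the output of mvn dependency:tree and applies the fixed-version rule (5.2.x needs >= 5.2.20, 5.3.x needs >= 5.3.18, later lines were released with the fix, older lines are unsupported and affected). The sample tree output is constructed.

```python
import re
from typing import List, Tuple

# Fixed versions named in the ticket: 5.3.18 for the 5.3 line and 5.2.20 for the 5.2 line.
FIXED_PATCH = {(5, 2): 20, (5, 3): 18}

# Matches the artifact line that
# `mvn dependency:tree -Dincludes=org.springframework:spring-beans` prints, e.g.
# "[INFO] +- org.springframework:spring-beans:jar:5.3.16:compile".
ARTIFACT_RE = re.compile(r"org\.springframework:spring-beans:jar:([0-9A-Za-z.\-]+)")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Reduce '5.2.9.RELEASE' or '5.3.18' to (major, minor, patch)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised spring-beans version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_fixed(version: str) -> bool:
    """True when the version carries the CVE-2022-22965 fix."""
    major, minor, patch = parse_version(version)
    if (major, minor) in FIXED_PATCH:
        return patch >= FIXED_PATCH[(major, minor)]
    # Lines after 5.3 shipped with the fix; 5.1 and older are unsupported and affected.
    return (major, minor) > (5, 3)


def check_tree(tree_output: str) -> List[Tuple[str, bool]]:
    """Return (version, fixed?) for every spring-beans artifact in the tree output.
    Multi-module builds may list more than one."""
    return [(v, is_fixed(v)) for v in ARTIFACT_RE.findall(tree_output)]


# Constructed sample in the format Maven prints; not taken from a FOLIO module.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ mod-example ---
[INFO] org.folio:mod-example:jar:1.0.0-SNAPSHOT
[INFO] \\- org.springframework.boot:spring-boot-starter-web:jar:2.6.5:compile
[INFO]    \\- org.springframework:spring-beans:jar:5.3.16:compile
"""

if __name__ == "__main__":
    for version, fixed in check_tree(SAMPLE_TREE):
        state = "fixed" if fixed else "VULNERABLE (CVE-2022-22965)"
        print(f"spring-beans {version}: {state}")
```

      Feed it the real output with `mvn dependency:tree -Dincludes=org.springframework:spring-beans | python3 check.py` after replacing SAMPLE_TREE with sys.stdin.read().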

      Vulnerability

      Explanation from snyk:

      The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.
      Affected versions of this package are vulnerable to Remote Code Execution via manipulation of ClassLoader that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application.

      The vulnerability is in the spring-beans library of Spring Core in CachedIntrospectionResults.java. See the fix:
      https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15
      https://github.com/spring-projects/spring-framework/commit/996f701a1916d10202c1d0d281f06ab1f2e1117e

      For details see
      https://www.cyberkendra.com/2022/03/spring4shell-details-and-exploit-code.html
      https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html

      Exploit

      Quote from https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751 :

      Note:

      • Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara, or Glassfish.
      • However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well.
      • As such, while we recommend users prioritize first remediating against the configuration described above, for full protection, we also recommend upgrading all vulnerable versions to the fixed spring-beans version regardless of the application configuration.

      Quote from https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement :

      However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

      Requirements to exploit the vulnerability:

      • JDK9 and above (FOLIO uses JDK11)
      • Using the Spring-beans package
      • Spring parameter binding is used
      • Spring parameter binding uses non-basic parameter types, such as general POJOs

      There can be multiple ways to exploit the vulnerability.

      The easiest way to exploit the vulnerability is attacking an installation that runs on an external Tomcat (Apache Tomcat as the Servlet container). This is how the first known and published exploit works. There are reports about ongoing attacks.

      FOLIO modules don't use an external Tomcat. Some use spring-boot-starter-tomcat (the embedded Tomcat), which cannot be attacked by the published exploit.

      FOLIO modules don't use Payara or Glassfish for which public exploits have been published.

      Other exploits are possible but not publicly known and not published.

      Threat

      As Spring Framework is one of the most popular frameworks for Java and for the Java virtual machine (JVM), it is likely that other exploits will be developed that affect FOLIO modules; the risk grows over time.

      Therefore the patches should be applied to mitigate this risk.

      Priority for edge modules is P2 because they are not behind Okapi but directly exposed to the internet. Priority for other modules is P3 for Lotus and P2 for Morning Glory and Nolana. Priority to be re-assessed if new findings are made.


      People

        Assignee: Unassigned
        Reporter: Jakub Skoczen
