The Spring Framework (Spring) is an open-source application framework that provides infrastructure support for Java applications. One of the more popular Java Enterprise Edition (Java EE) frameworks, Spring helps developers build performant applications using Java objects. On the morning of Tuesday, March 29th, 2022, a researcher at KnownSec posted an example of Remote Code Execution (RCE) against the Spring framework, but the original post was removed shortly thereafter. Since then, industry researchers have closely examined these unconfirmed claims.
Researchers at LunaSec have postulated that the vulnerable code lies within Spring’s “CacheResultInterceptor” class, which requires that a vulnerable method be marked with the “@CacheResult” annotation. They went on to say that “‘The vulnerable code’ in Spring is creating a ‘deep clone’ of an object by serializing and then deserializing it. In Java, any attempts to deserialize an object can result in RCE if an attacker is able to control the data being passed.” The vulnerability exists in Spring Core when running on JDK 9 or later. LunaSec has provided an example vulnerable application built with Spring Boot, calling on the information security community to share Proof of Concept (POC) exploits against it to better understand the potential impact.
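To make the pattern LunaSec describes concrete from a defender's perspective, the following is an added example (not code from Spring, from LunaSec's demo application, or from this article) showing a deep clone implemented by round-tripping an object through Java serialization, beside a hardened version that attaches a JDK 9+ deserialization allow-list filter (`java.io.ObjectInputFilter`, JEP 290) so that only the expected classes can be instantiated. The `Order` and `Untrusted` classes are hypothetical stand-ins; the example does not reproduce Spring's interceptor and makes no claim about how Spring's own code is structured.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeepCloneDemo {

    // Hypothetical value type standing in for whatever a cache might hold.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    // Hypothetical class that is Serializable but NOT on our allow-list.
    static final class Untrusted implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Helper: write any Serializable object to a byte array.
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        return buf.toByteArray();
    }

    // The risky pattern described in the text: deep-copy by serializing and
    // then deserializing. readObject() will instantiate whatever Serializable
    // classes the byte stream names, so it must never see untrusted bytes.
    static Object deepCloneUnfiltered(Object value) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(serialize(value)))) {
            return in.readObject();
        }
    }

    // Hardened form: an allow-list filter. "java.base/*" permits the JDK's own
    // core classes (String, Integer, ...), the named Order class is permitted,
    // "!*" rejects everything else, and the limits bound graph depth/size.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "java.base/*;" + Order.class.getName() + ";!*;maxdepth=5;maxrefs=100");

    static Object deepCloneFiltered(Object value) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(serialize(value)))) {
            in.setObjectInputFilter(ALLOW_LIST);  // rejected classes raise InvalidClassException
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Order original = new Order("A-1", 3);

        // Allowed class: the filtered clone succeeds and is a distinct object.
        Order copy = (Order) deepCloneFiltered(original);
        System.out.println("distinct object: " + (copy != original)
                + ", id=" + copy.id + ", quantity=" + copy.quantity);

        // Class outside the allow-list: the unfiltered path happily rebuilds it,
        // while the filtered path refuses before any constructor-like logic runs.
        Object unfiltered = deepCloneUnfiltered(new Untrusted());
        System.out.println("unfiltered clone produced: " + unfiltered.getClass().getSimpleName());
        try {
            deepCloneFiltered(new Untrusted());
            System.out.println("unexpected: filter did not reject Untrusted");
        } catch (InvalidClassException e) {
            System.out.println("filtered clone rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeepCloneDemo.java && java DeepCloneDemo` on JDK 9 or later. The point of the filter is that a deserialization sink stays safe even when the bytes reaching it turn out to be attacker-influenced: the filter is consulted for every class in the stream before it is resolved, so an unexpected class is rejected with `InvalidClassException` rather than instantiated. A process-wide default can also be set with the `jdk.serialFilter` system property, which is a useful interim mitigation for third-party code that you cannot change.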
Because the vulnerability was discovered so recently, no CVE has been assigned. Investigators have been quick to liken it to the recent Log4Shell vulnerability in Apache Log4j2, which had wide impact.
However, a separate vulnerability in Spring Cloud Function involving the Spring Expression Language (SpEL) has been confirmed, and the Spring team has published a CVE for this portion of their product: CVE-2022-22963, Spring Expression Resource Access Vulnerability. The Spring team has released Spring Cloud Function 3.1.7 and 3.2.3 to patch it. If you use Spring Cloud Function, apply this patch as soon as possible.