Spring Framework Security Advisory #202203
The purpose of this advisory is to inform our customers that, based on current information, ForgeRock products (Identity Cloud, AM, DS, IDM, IG, Agents and Autonomous Identity) are NOT vulnerable to the Spring Framework vulnerabilities: Data Binding Rules CVE-2022-22968, RCE (Remote Code Execution) CVE-2022-22965 (Spring4shell), RCE CVE-2022-22963 and DoS (Denial of Service) CVE-2022-22950.
April 1, 2022
A number of vulnerabilities have recently been discovered that impact multiple versions of the Spring Framework:
Vulnerability | Severity Rating | Affected Versions | Fixed Version |
---|---|---|---|
CVE-2022-22968 | Low | Spring Framework 5.3.0 to 5.3.18, 5.2.0 to 5.2.20 and older, unsupported versions | 5.3.19, 5.2.21 |
CVE-2022-22965 | High | Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and older, unsupported versions | 5.3.18, 5.2.20 |
CVE-2022-22963 | Critical | Spring Cloud Function 3.1.6, 3.2.2 and older unsupported versions | 3.1.7, 3.2.3 |
CVE-2022-22950 | Medium | Spring Framework 5.3.0 to 5.3.16, and older unsupported versions | 5.3.17 |
Customers should check the CVEs for the latest vulnerable versions.
Note
Based on current information, ForgeRock Software is not vulnerable. We will monitor the situation and update the advisory as more information becomes available.
CVE-2022-22968
In certain Spring Framework versions, the patterns for disallowedFields on a DataBinder are case sensitive, which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
No ForgeRock products are affected by this vulnerability.
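As an added illustration of the case-sensitivity point above (example code, not ForgeRock's or the Spring project's own), the following `@ControllerAdvice` registers a disallowed property path with both upper- and lower-case first characters for every segment, as the advisory text describes is needed on affected versions. The class name `DisallowedFieldsAdvice`, the helper `caseVariants` and the field path `account.roles` are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Hypothetical advice class (illustration only); applies to every controller's binder.
@ControllerAdvice
public class DisallowedFieldsAdvice {

    // Hypothetical property path that must never be bound from request parameters.
    private static final String PROTECTED_PATH = "account.roles";

    @InitBinder
    public void hardenBinder(WebDataBinder binder) {
        // Weak on affected versions: a single pattern is matched case sensitively on the
        // first character of each segment, so "Account.roles" or "account.Roles" still binds.
        // binder.setDisallowedFields(PROTECTED_PATH);

        // Mitigation described in the advisory text: list the path with both upper- and
        // lower-case first characters for the field and for every nested segment.
        binder.setDisallowedFields(caseVariants(PROTECTED_PATH));
    }

    // Expands "account.roles" into
    // account.roles, account.Roles, Account.roles, Account.Roles.
    static String[] caseVariants(String propertyPath) {
        List<String> variants = new ArrayList<>();
        variants.add("");
        for (String segment : propertyPath.split("\\.")) {
            String lower = Character.toLowerCase(segment.charAt(0)) + segment.substring(1);
            String upper = Character.toUpperCase(segment.charAt(0)) + segment.substring(1);
            List<String> next = new ArrayList<>();
            for (String prefix : variants) {
                String sep = prefix.isEmpty() ? "" : ".";
                next.add(prefix + sep + lower);
                next.add(prefix + sep + upper);
            }
            variants = next;
        }
        return variants.toArray(new String[0]);
    }
}
```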
CVE-2022-22965 (Spring4shell)
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
No ForgeRock products are affected by this vulnerability.
CVE-2022-22963
In certain versions of Spring Cloud Function, when using routing functionality, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
No ForgeRock products are affected by this vulnerability.
CVE-2022-22950
In certain Spring Framework versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
No ForgeRock products are affected by this vulnerability.
See Also
Spring Framework RCE, Early Announcement
CVE-2022-22968: Spring Framework Data Binding Rules Vulnerability
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
CVE-2022-22950: Spring Expression DoS Vulnerability
Change Log
The following table tracks changes to the advisory:
Date | Description |
---|---|
Aug 18, 2022 | No changes to content - just a cosmetic change |
April 20, 2022 | Updated CVE-2022-22968 link to NVD |
April 14, 2022 | Added CVE-2022-22968 |
April 6, 2022 | Removed the “Does not apply to Identity Cloud” label to avoid confusion |
April 4, 2022 | Updated CVE links to NVD |
April 1, 2022 | Initial release |