Security Advisory
ForgeRock Identity Platform
ForgeRock Identity Cloud

Spring Framework Security Advisory #202203

Last updated Apr 20, 2022

The purpose of this advisory is to inform our customers that, based on current information, ForgeRock products (Identity Cloud, AM, DS, IDM, IG, Agents and Autonomous Identity) are NOT vulnerable to the following Spring Framework and Spring Cloud Function vulnerabilities: Data Binding Rules CVE-2022-22968, RCE (Remote Code Execution) CVE-2022-22965 (Spring4shell), RCE CVE-2022-22963 and DoS (Denial of Service) CVE-2022-22950.


April 1, 2022

A number of vulnerabilities have recently been disclosed that affect multiple versions of the Spring Framework and of Spring Cloud Function:

Vulnerability    Severity Rating  Affected Versions                                                                   Fixed Version
CVE-2022-22968   Low              Spring Framework 5.3.0 to 5.3.18, 5.2.0 to 5.2.20, and older unsupported versions   5.3.19, 5.2.21
CVE-2022-22965   High             Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older unsupported versions   5.3.18, 5.2.20
CVE-2022-22963   Critical         Spring Cloud Function 3.1.6, 3.2.2, and older unsupported versions                  3.1.7, 3.2.3
CVE-2022-22950   Medium           Spring Framework 5.3.0 to 5.3.16, and older unsupported versions                    5.3.17

Customers should consult the CVE entries linked under See Also for the current list of affected versions, as the ranges above may be revised after publication.

Note

Based on current information, ForgeRock software is not vulnerable. We will monitor the situation and update this advisory as more information becomes available.

CVE-2022-22968

In certain Spring Framework versions, the patterns for disallowedFields on a DataBinder are case sensitive, which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

No ForgeRock products are affected by this vulnerability.
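The following Python model, added here as an illustration and not ForgeRock or Spring code, shows what the case sensitivity described above means in practice. simple_match() follows the semantics of Spring's PatternMatchUtils.simpleMatch and is_allowed() those of DataBinder.isAllowed() with no allowedFields configured; the "account.role" bean property and the submitted property paths are constructed sample data. It runs the same submitted paths against a single-case pattern (the behaviour on unfixed versions), against the both-cases pattern list the CVE text says is needed there, and against the fixed behaviour of 5.3.19 / 5.2.21, which lower-cases both patterns and field names before matching.

```python
"""Model of how Spring's DataBinder applies disallowedFields patterns,
before and after the CVE-2022-22968 fix.

Added illustration for this advisory; not ForgeRock or Spring code.
simple_match() follows the semantics of Spring's PatternMatchUtils.simpleMatch
('*' is the only wildcard and may appear at the start, end or middle of a
pattern).  is_allowed() follows DataBinder.isAllowed() with no allowedFields
set.  The 'account.role' property and the submitted paths are constructed.
"""
from typing import List


def simple_match(pattern: str, value: str) -> bool:
    """Spring-style simple match: exact string, or '*' wildcard segments."""
    first = pattern.find("*")
    if first == -1:
        return pattern == value
    if first == 0:
        if len(pattern) == 1:
            return True
        nxt = pattern.find("*", 1)
        if nxt == -1:
            return value.endswith(pattern[1:])
        part = pattern[1:nxt]
        if not part:
            return simple_match(pattern[nxt:], value)
        idx = value.find(part)
        while idx != -1:
            if simple_match(pattern[nxt:], value[idx + len(part):]):
                return True
            idx = value.find(part, idx + 1)
        return False
    # The literal prefix before the first '*' must match exactly, then recurse.
    return (len(value) >= first
            and pattern.startswith(value[:first])
            and simple_match(pattern[first:], value[first:]))


def is_allowed(field: str, disallowed: List[str], fixed: bool) -> bool:
    """Return True if the binder would set this property path.

    fixed=False models Spring Framework 5.3.18 / 5.2.20 and earlier, where the
    comparison is case sensitive.  fixed=True models 5.3.19 / 5.2.21, where
    patterns are stored lower-cased and the field is lower-cased before matching.
    """
    if fixed:
        field = field.lower()
        disallowed = [p.lower() for p in disallowed]
    return not any(simple_match(p, field) for p in disallowed)


def blocked_fields(submitted: List[str], disallowed: List[str], fixed: bool) -> List[str]:
    """Submitted property paths the binder rejects under the given rules."""
    return [f for f in submitted if not is_allowed(f, disallowed, fixed)]


# Constructed request: a client tries the protected nested property with the
# first character of each path segment in both cases.  Spring's binder resolves
# each variant to the same bean property, which is why the CVE text requires
# both cases to be listed on unfixed versions.
SUBMITTED = ["name", "account.role", "Account.role", "account.Role", "Account.Role"]
SINGLE_CASE = ["account.role"]
BOTH_CASES = ["account.role", "Account.role", "account.Role", "Account.Role"]
ALL_VARIANTS = SUBMITTED[1:]

if __name__ == "__main__":
    print("unfixed, single-case pattern :", blocked_fields(SUBMITTED, SINGLE_CASE, fixed=False))
    print("unfixed, both-case patterns  :", blocked_fields(SUBMITTED, BOTH_CASES, fixed=False))
    print("fixed, single-case pattern   :", blocked_fields(SUBMITTED, SINGLE_CASE, fixed=True))
```

On an unfixed version only the exact-case path is rejected and the three other spellings reach the bean; listing every first-character case of every segment closes the gap, and the fixed release makes the single pattern sufficient. Note that a wildcard such as "account.*" has the same case problem on unfixed versions, since the literal prefix before the wildcard is compared case-sensitively.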

CVE-2022-22965 (Spring4shell)

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, which is the default, it is not vulnerable to that exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

No ForgeRock products are affected by this vulnerability.
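To act on the version table earlier in this advisory and on the Spring4shell preconditions just described, the following Python check, added here as an example and not ForgeRock tooling, maps the version numbers in Spring jar file names onto the affected ranges listed above. The jar names, the JDK major version and the deployment type it is fed are constructed sample input, and the artifact sets used to tell Spring Framework jars from Spring Cloud Function jars are an assumption of the example. Because Spring states that older, unsupported lines are also affected, any version below the lowest listed line is treated as affected; this is why a 5.2.x Framework is reported for CVE-2022-22950, whose fix is listed only for 5.3.17.

```python
"""Map Spring jar versions onto the affected ranges in this advisory.

Added example for this advisory; not ForgeRock tooling.  Ranges are copied
from the advisory table.  The artifact sets, the sample jar names, the JDK
version and the deployment type are assumptions of the example.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]
Range = Tuple[Version, Version]  # inclusive lower and upper bound

# All Spring Framework modules share one version, so any of these jars gives
# the Framework version.  Spring Cloud Function is versioned separately.
FRAMEWORK_ARTIFACTS = {
    "spring-core", "spring-beans", "spring-context", "spring-expression",
    "spring-web", "spring-webmvc", "spring-webflux",
}
CLOUD_FUNCTION_ARTIFACTS = {
    "spring-cloud-function-core", "spring-cloud-function-context",
    "spring-cloud-function-web",
}

# Affected ranges from the advisory table.  Spring also says older, unsupported
# lines are affected, so anything below the lowest listed line counts as affected.
ADVISORY: Dict[str, Tuple[set, List[Range]]] = {
    "CVE-2022-22968": (FRAMEWORK_ARTIFACTS, [((5, 2, 0), (5, 2, 20)), ((5, 3, 0), (5, 3, 18))]),
    "CVE-2022-22965": (FRAMEWORK_ARTIFACTS, [((5, 2, 0), (5, 2, 19)), ((5, 3, 0), (5, 3, 17))]),
    "CVE-2022-22963": (CLOUD_FUNCTION_ARTIFACTS, [((3, 1, 0), (3, 1, 6)), ((3, 2, 0), (3, 2, 2))]),
    "CVE-2022-22950": (FRAMEWORK_ARTIFACTS, [((5, 3, 0), (5, 3, 16))]),
}

# 'spring-webmvc-5.3.18.RELEASE.jar' -> artifact 'spring-webmvc', version '5.3.18'
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+){1,2})(?:[.-][A-Za-z0-9]+)*\.jar$")


def parse_jar(jar_name: str) -> Optional[Tuple[str, Version]]:
    """Split a jar file name into (artifact, version); None if it does not parse."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    parts = [int(p) for p in m.group("version").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return m.group("artifact"), (parts[0], parts[1], parts[2])


def is_affected(version: Version, ranges: List[Range]) -> bool:
    """True if version lies in a listed range or below the oldest listed line."""
    if version < min(lo for lo, _ in ranges):
        return True
    return any(lo <= version <= hi for lo, hi in ranges)


def affected_cves(jar_name: str) -> List[str]:
    """CVEs from this advisory whose affected range covers the jar's version."""
    parsed = parse_jar(jar_name)
    if parsed is None:
        return []
    artifact, version = parsed
    return [cve for cve, (artifacts, ranges) in ADVISORY.items()
            if artifact in artifacts and is_affected(version, ranges)]


def scan(jar_names: Iterable[str]) -> Dict[str, List[str]]:
    """Group the jars that fall in an affected range by CVE."""
    findings: Dict[str, List[str]] = {}
    for jar in jar_names:
        for cve in affected_cves(jar):
            findings.setdefault(cve, []).append(jar)
    return findings


def spring4shell_known_exploit_applies(findings: Dict[str, List[str]],
                                       jdk_major: int, tomcat_war: bool) -> bool:
    """Whether the published CVE-2022-22965 exploit preconditions all hold.

    The known exploit needs an affected Framework version, JDK 9+ and a WAR
    deployment on Tomcat.  A False result does not clear the deployment: the
    advisory notes the weakness is more general, so patch on version alone.
    """
    return "CVE-2022-22965" in findings and jdk_major >= 9 and tomcat_war


# Constructed sample: a WAR's WEB-INF/lib listing (not a real deployment).
SAMPLE_JARS = [
    "spring-core-5.3.17.jar", "spring-webmvc-5.3.17.jar",
    "spring-cloud-function-context-3.2.2.jar", "spring-security-core-5.6.2.jar",
    "tomcat-embed-core-9.0.60.jar", "commons-lang3-3.12.0.jar",
]

if __name__ == "__main__":
    found = scan(SAMPLE_JARS)
    for cve, jars in found.items():
        print(cve, "->", ", ".join(jars))
    print("Spring4shell known exploit applies (JDK 11, Tomcat WAR):",
          spring4shell_known_exploit_applies(found, jdk_major=11, tomcat_war=True))
```

A file-name check only finds the version a jar declares; shaded or repackaged jars need their META-INF/MANIFEST.MF or pom.properties inspected instead, and a Spring Boot executable jar nests its dependencies under BOOT-INF/lib.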

CVE-2022-22963

In certain versions of Spring Cloud Function, when the routing functionality is used, a user can supply a specially crafted SpEL expression as a routing-expression, which may result in remote code execution and access to local resources.

No ForgeRock products are affected by this vulnerability.

CVE-2022-22950

In certain Spring Framework versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

No ForgeRock products are affected by this vulnerability.

See Also

Spring Framework RCE, Early Announcement

CVE-2022-22968: Spring Framework Data Binding Rules Vulnerability

CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

CVE-2022-22950: Spring Expression DoS Vulnerability

Change Log

The following table tracks changes to the advisory:

Date  Description
April 20, 2022 Updated CVE-2022-22968 link to NVD
April 14, 2022 Added CVE-2022-22968
April 6, 2022 Removed the “Does not apply to Identity Cloud” label to avoid confusion
April 4, 2022 Updated CVE links to NVD
April 1, 2022 Initial release

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.