4Securitas architects and engineering teams investigated the vulnerabilities CVE-2022-22965 (also referenced by other vendors as Spring4Shell / SpringShell) and CVE-2022-22963 and potential exploits.
After monitoring our infrastructure and products, we can say that ACSIA and all 4Securitas products are not affected by such vulnerabilities.
We will keep monitoring our clients for exposure and attack attempts as more information becomes available.
What is Spring4Shell?
Spring4Shell is a critical vulnerability in the Spring Framework (commonly referred to as Spring Core), a widely used Java application framework that lets developers build and test applications with enterprise-level features quickly. Because Spring underpins a large share of Java web applications, many applications are potentially affected.
The bug allows an unauthenticated remote attacker to execute arbitrary code on a vulnerable system. That code runs with the privileges of the application process, so the attacker can read the application's internal data and reach any database it is connected to, and can use that foothold to reach further internal resources and escalate privileges.
CVE-2022-22965: Impact, Dangers and Mitigation
CVE-2022-22965 is a confirmed RCE vulnerability in Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older unsupported versions; it is fixed in 5.3.18 and 5.2.20. The vulnerability, currently discussed publicly as Spring4Shell or SpringShell, is a bypass of the protections added after CVE-2010-1622: on JDK 9 and later the module system exposes a new property path from a bound object to its ClassLoader that the original protection did not cover.
The exploit published so far requires a Spring MVC or Spring WebFlux application running on JDK 9 or later and deployed to Apache Tomcat as a WAR (Web Application Archive). Spring Boot applications packaged as an executable .jar are not affected by that exploit, but the underlying vulnerability is more general, so any application on an affected version should still upgrade. Where an immediate upgrade is not possible, the documented workaround is to register a global @ControllerAdvice with an @InitBinder method that calls setDisallowedFields with the patterns class.*, Class.*, *.class.* and *.Class.* on the WebDataBinder.
CVE-2022-22963: Impact, Dangers and Mitigation
CVE-2022-22963 is a second confirmed RCE vulnerability in Spring. However, rather than Spring Framework, it affects Spring Cloud Function, which is not part of the default Spring Framework. In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when the routing functionality is used, a user can supply a specially crafted SpEL expression as the routing expression (for example in the spring.cloud.function.routing-expression request header), which may result in remote code execution and access to local resources.
This vulnerability is comparatively easier to exploit: where the routing function is exposed over HTTP, a single crafted request sent with standard tools such as curl or Burp suffices. Users of affected versions should upgrade to 3.1.7 or 3.2.3; no other steps are necessary.
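The version ranges given above for CVE-2022-22965 and CVE-2022-22963, together with the exploit preconditions (JDK 9+, WAR on Tomcat) for Spring4Shell, are the checks an operator actually needs to run against a build. The script below is an added example, not 4Securitas code and not part of the original advisory. It assumes a dependency list in the format printed by mvn dependency:list (group:artifact:type[:classifier]:version:scope); the sample output it scans is constructed for illustration.

```python
"""Check Maven dependencies against the affected ranges for
CVE-2022-22965 (Spring Framework) and CVE-2022-22963 (Spring Cloud Function).

Added example for this advisory; not 4Securitas code. The affected ranges are
the ones stated in the advisory; the fixed versions are 5.3.18 / 5.2.20 and
3.1.7 / 3.2.3 respectively.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample in the format `mvn dependency:list` prints; not real output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:5.3.17:compile
[INFO]    org.springframework:spring-beans:jar:5.3.17:compile
[INFO]    org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.2.2:compile
[INFO]    org.springframework.cloud:spring-cloud-function-web:jar:3.1.7:compile
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.58:compile
"""


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn '5.3.17', '5.3.17.RELEASE' or '5.3' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def spring_framework_affected(version: str) -> bool:
    """CVE-2022-22965: 5.3.0-5.3.17, 5.2.0-5.2.19 and anything older (fixed in 5.3.18 / 5.2.20)."""
    v = parse_version(version)
    if v is None:
        return False  # unparseable version: not flagged here, review it by hand
    return v < (5, 2, 20) or (5, 3, 0) <= v < (5, 3, 18)


def spring_cloud_function_affected(version: str) -> bool:
    """CVE-2022-22963: 3.1.6, 3.2.2 and older unsupported versions (fixed in 3.1.7 / 3.2.3)."""
    v = parse_version(version)
    if v is None:
        return False
    return v < (3, 1, 7) or (3, 2, 0) <= v < (3, 2, 3)


def scan_dependency_list(text: str) -> List[Tuple[str, str, str]]:
    """Return (group:artifact, version, CVE) for every affected Spring artifact in the list."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        parts = line[len("[INFO]"):].strip().split(":")
        if len(parts) < 5:
            continue  # header or other chatter, not a group:artifact:type[:classifier]:version:scope line
        group, artifact, version = parts[0], parts[1], parts[-2]
        coord = f"{group}:{artifact}"
        # All Spring Framework modules share one version number, so any spring-* artifact
        # from org.springframework reveals the framework version in use.
        if group == "org.springframework" and artifact.startswith("spring-"):
            if spring_framework_affected(version):
                findings.append((coord, version, "CVE-2022-22965"))
        elif group == "org.springframework.cloud" and artifact.startswith("spring-cloud-function"):
            if spring_cloud_function_affected(version):
                findings.append((coord, version, "CVE-2022-22963"))
    return findings


def spring4shell_exploit_preconditions(version: str, jdk_major: int, packaging: str) -> bool:
    """True only when every precondition of the published CVE-2022-22965 exploit holds:
    affected Spring Framework version, JDK 9 or newer, and WAR deployment (on Tomcat).
    False means the known exploit does not apply; it does not mean the dependency is patched.
    JDK '1.8' is major version 8 under the pre-JDK 9 naming scheme."""
    return (
        spring_framework_affected(version)
        and jdk_major >= 9
        and packaging.lower() == "war"
    )


if __name__ == "__main__":
    for coord, version, cve in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{cve}: {coord} {version}")
    # The advisory's own reasoning for 4Securitas products: JDK 1.8 and no WAR deployment.
    print("exploit preconditions (JDK 8, jar):", spring4shell_exploit_preconditions("5.3.17", 8, "jar"))
    print("exploit preconditions (JDK 11, war):", spring4shell_exploit_preconditions("5.3.17", 11, "war"))
```

Feed it the real output of mvn dependency:list (or adapt the parser for gradle dependencies) rather than the constructed sample. A dependency on an affected version is a finding even when the exploit preconditions are not met, because the vulnerability itself is more general than the published exploit.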
4Securitas products run on JDK 1.8 and are not deployed as WAR files, so the preconditions of the published exploit do not hold; we can therefore confirm that our products are not vulnerable to the exploit and are not affected by CVE-2022-22965.
Additionally, no 4Securitas product is affected by CVE-2022-22963, since none of our products uses spring-cloud-function.
Although we have assessed our products as safe, we will keep monitoring and gathering information about new vulnerabilities and will provide updates on the matter.