Two vulnerabilities affecting different Spring projects were identified this week. Here’s what you need to know about Spring4Shell and CVE-2022-22963.
The Internet is buzzing with talk about two separate vulnerabilities related to different Spring projects. The two are not related, but have been confused because both vulnerabilities were disclosed at nearly the same time.
The first is CVE-2022-22963, tracked in the Black Duck KnowledgeBase™ as BDSA-2022-0850. This is a remote code execution vulnerability in Spring Cloud Function. It was initially issued with a medium severity and later upgraded to critical by the vendor, VMware (https://tanzu.vmware.com/security/cve-2022-22963); researchers have since found that achieving remote code execution is possible. A patched release already exists, so affected users are urged to upgrade as soon as possible.
The second vulnerability is CVE-2022-22965 (https://tanzu.vmware.com/security/cve-2022-22965), tracked as BDSA-2022-0858 in the Black Duck KnowledgeBase™. This is the vulnerability many security researchers have been calling Spring4Shell. Under certain circumstances it allows an attacker to run arbitrary code, but the ease of exploitation varies with how the application code running on Spring Framework is written and how Spring Framework is run. Fixed versions of Spring Framework (and the related Spring Boot) are available, and affected users should upgrade promptly. Read Spring’s announcement for more information.
Regardless of how Spring4Shell evolves, these vulnerabilities highlight the importance of knowing what open source components you are using and keeping on top of vulnerabilities as they are disclosed.
A software composition analysis (SCA) solution like Black Duck does exactly this. It can build a software Bill of Materials (SBOM) for an application and proactively notify you when new vulnerabilities are disclosed in components you have used.
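The core of what an SCA tool does with an SBOM is mechanical: match each component's coordinates and version against an advisory feed and flag anything inside an affected range. The script below is an added illustration written for this post, not Black Duck's or Synopsys' code. It reads a constructed CycloneDX-style JSON component list and compares it against a small advisory table. The Maven coordinates, the lower bounds and the `fixed_in` thresholds in that table are placeholders chosen here for illustration; take the real fixed versions from the vendor advisories linked above.

```python
"""Illustrative SBOM-vs-advisory check (not a vendor's implementation).

Flags SBOM components whose version falls inside an advisory's affected
range [affected_from, fixed_in). Version thresholds below are PLACEHOLDERS.
"""
import json
import re

# Constructed sample SBOM in CycloneDX JSON shape (not a real project's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.springframework", "name": "spring-beans", "version": "5.3.17.RELEASE"},
        {"group": "org.springframework.cloud", "name": "spring-cloud-function-context", "version": "3.2.2"},
        {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.2"},
    ],
})

# Constructed advisory table. Component coordinates are assumptions for this
# example; affected_from / fixed_in are PLACEHOLDER thresholds, not the real
# fixed versions published by the vendor.
ADVISORIES = [
    {
        "id": "CVE-2022-22965",
        "component": ("org.springframework", "spring-beans"),
        "affected_from": "5.3.0",   # PLACEHOLDER
        "fixed_in": "5.3.999",      # PLACEHOLDER: substitute the vendor's fixed version
    },
    {
        "id": "CVE-2022-22963",
        "component": ("org.springframework.cloud", "spring-cloud-function-context"),
        "affected_from": "3.2.0",   # PLACEHOLDER
        "fixed_in": "3.2.999",      # PLACEHOLDER: substitute the vendor's fixed version
    },
]


def parse_version(v: str) -> tuple:
    """Reduce '5.3.17.RELEASE' or '3.2.2-SNAPSHOT' to a comparable
    (major, minor, patch) tuple. Extra qualifiers are ignored, which is
    adequate for release artefacts but not for pre-release ordering."""
    nums = [int(n) for n in re.findall(r"\d+", v)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def find_affected(sbom_json: str, advisories=ADVISORIES) -> list:
    """Return one finding per (component, advisory) pair whose version lies in
    [affected_from, fixed_in). Presence here means 'patch this', not proof
    that the deployment is exploitable; exploitability depends on how the
    application is written and run."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        key = (comp.get("group", ""), comp.get("name", ""))
        ver = parse_version(comp.get("version", "0"))
        for adv in advisories:
            if adv["component"] != key:
                continue
            lo = parse_version(adv["affected_from"])
            hi = parse_version(adv["fixed_in"])
            if lo <= ver < hi:
                findings.append({
                    "id": adv["id"],
                    "component": f"{key[0]}:{key[1]}",
                    "version": comp["version"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_SBOM):
        print(f"{f['id']}: {f['component']} {f['version']} (fixed in {f['fixed_in']})")
```

Two design points worth keeping when turning this into something real: the advisory feed, not the script, must own the version thresholds, so that an upgraded severity or a new fixed release changes the result without a code change; and a hit is a prompt to patch, not a verdict on exploitability, which for Spring4Shell depends on the application and its runtime.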
Synopsys Code Sight is an IDE plugin that can provide quick, actionable SCA results for developers in the environment where they work.
This post was originally published March 30, 2022, and refreshed April 6, 2022.
Jonathan Knudsen likes to break things. He has tested all kinds of software, from network infrastructure and medical devices to cryptocurrency nodes. Jonathan has worked as a developer, consultant, and author. He has published books about 2D graphics, cryptography, and Lego robots, and has written more than one hundred articles on a wide range of technical subjects.