Spring Core Remote Code Execution via Data Binding on JDK 9+
Overview
A remote code execution (RCE) vulnerability was discovered in the Spring framework, affecting at least Spring versions 4.x and 5.x. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. Vaadin applications are not affected by default, but the nature of the vulnerability is more general, and there may be other ways to exploit it.
Description
A remote code execution (RCE) vulnerability was discovered in the Spring framework, affecting at least Spring versions 4.x and 5.x.
A Vaadin Flow application is by default not using the vulnerable Spring MVC or Spring WebFlux features but we still strongly recommend upgrading to a non-vulnerable version of Spring.
All Hilla applications always use Spring MVC and should be upgraded.
The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
If you are unable to upgrade to a non-vulnerable version of Spring Boot, you should apply the workaround described in https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#vulnerability
Affected products and mitigation
The following products are not vulnerable by default but can be exploited if Spring MVC or Spring WebFlux features are used in the application:
| Product version | Mitigation |
|---|---|
| Vaadin 7 | Apply the workaround described in the Spring blog post. The Vaadin Spring integration is based on Spring 4.x has not received the security fix as it is end-of-life. (Vaadin 7 extended maintenance) |
| Vaadin 8 | If you can, upgrade to Spring Boot 2.6.6 and. If you are unable to upgrade to Spring Boot 2.6.6, apply the workaround described in the Spring blog post. (Vaadin 8 extended maintenance) |
| Vaadin 10 | If you can, upgrade to Spring Boot 2.6.6. If you are unable to upgrade to Spring Boot 2.6.6, apply the workaround described in the Spring blog post |
| Vaadin 14 | Upgrade to Spring Boot 2.5.12 or Spring Boot 2.6.6. |
| Vaadin 22 | Upgrade to Spring Boot 2.6.6 |
| Vaadin 23 | Upgrade to Spring Boot 2.6.6 |
-
Affected Hilla projects and mitigation
Hilla-based applications include the Spring dependency and are affected by the vulnerability.Product version Mitigation Hilla 1.0.0 - 1.0.3 Upgrade to Spring Boot 2.6.6
How to check if you are vulnerable?
You can check if your Vaadin and Vaadin Flow project for the vulnerable dependency e.g. with Maven:
% mvn dependency:tree | grep spring-beans
[INFO] | | | \- org.springframework:spring-beans:jar:5.3.16:compile
If the version is 5.3.18 or newer or 5.2.20 then you are safe. Otherwise you need to update your project.
- Fix by using one of the following versions:
Update to Spring Framework 5.3.18 and 5.2.20, which contain the fixes
Update to Spring Boot 2.6.6 and 2.5.12 that depend on Spring Framework 5.3.18 - Verify that the version with the fix is in place by re-running the dependency check:
-
% mvn dependency:tree | grep spring-beans
Remember to rebuild and redeploy your project.
[INFO] | | | \- org.springframework:spring-beans:jar:5.3.18:compile - References
- Vendor advisory: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- Vendor advisory: https://tanzu.vmware.com/security/cve-2022-22965
History
- 2022-04-01: Initial vulnerability report published