Spring Core Remote Code Execution via Data Binding on JDK 9+

Severity:
Critical (Base score 9.8) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Overview

A remote code execution (RCE) vulnerability was discovered in the Spring framework, affecting at least Spring versions 4.x and 5.x. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. Vaadin applications are not affected by default, but the nature of the vulnerability is more general, and there may be other ways to exploit it.

Description

A remote code execution (RCE) vulnerability was discovered in the Spring framework, affecting at least Spring versions 4.x and 5.x.

A Vaadin Flow application is by default not using the vulnerable Spring MVC or Spring WebFlux features but we still strongly recommend upgrading to a non-vulnerable version of Spring.

All Hilla applications always use Spring MVC and should be upgraded.

The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

If you are unable to upgrade to a non-vulnerable version of Spring Boot, you should apply the workaround described in https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#vulnerability

Affected products and mitigation

The following products are not vulnerable by default but can be exploited if Spring MVC or Spring WebFlux features are used in the application:

Product version   Mitigation
Vaadin 7          Apply the workaround described in the Spring blog post. The Vaadin Spring integration is based on Spring 4.x, which has not received the security fix as it is end-of-life. (Vaadin 7 extended maintenance)
Vaadin 8          If you can, upgrade to Spring Boot 2.6.6. If you are unable to upgrade to Spring Boot 2.6.6, apply the workaround described in the Spring blog post. (Vaadin 8 extended maintenance)
Vaadin 10         If you can, upgrade to Spring Boot 2.6.6. If you are unable to upgrade to Spring Boot 2.6.6, apply the workaround described in the Spring blog post.
Vaadin 14         Upgrade to Spring Boot 2.5.12 or Spring Boot 2.6.6.
Vaadin 22         Upgrade to Spring Boot 2.6.6.
Vaadin 23         Upgrade to Spring Boot 2.6.6.
Affected Hilla projects and mitigation

Hilla-based applications include the Spring dependency and are affected by the vulnerability.

Product version       Mitigation
Hilla 1.0.0 - 1.0.3   Upgrade to Spring Boot 2.6.6.

How to check if you are vulnerable

You can check your Vaadin or Vaadin Flow project for the vulnerable dependency, e.g. with Maven:

% mvn dependency:tree | grep spring-beans
[INFO] | | | \- org.springframework:spring-beans:jar:5.3.16:compile

If the version is 5.3.18 or newer, or 5.2.20, then you are safe. Otherwise you need to update your project.

Fix by upgrading to one of the following versions:
  • Spring Framework 5.3.18 or 5.2.20, which contain the fix
  • Spring Boot 2.6.6 or 2.5.12, which depend on Spring Framework 5.3.18

Verify that the version with the fix is in place by re-running the dependency check:

% mvn dependency:tree | grep spring-beans
[INFO] | | | \- org.springframework:spring-beans:jar:5.3.18:compile

Remember to rebuild and redeploy your project.
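As an added check script (not part of this advisory or of Vaadin's tooling), the following shell functions extract the spring-beans version from `mvn dependency:tree` output and classify it against the fixed releases named above (5.3.18 on the 5.3 line, 5.2.20 on the 5.2 line, no fixed release for 4.x); the sample tree line is constructed.

```shell
#!/bin/sh
# Added example: classify the spring-beans version reported by
# `mvn dependency:tree` against the fixed versions named in the advisory.
# Function and variable names are hypothetical; the tree line is constructed.

# Prints the first spring-beans version found in dependency:tree output on stdin.
spring_beans_version_from_tree() {
    sed -n 's/.*org\.springframework:spring-beans:jar:\([^:]*\):.*/\1/p' | head -n 1
}

# Prints one of: fixed, vulnerable, no-fix-listed, unknown
classify_spring_beans_version() {
    ver=$1
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}
    if [ "$rest" = "$minor" ]; then
        patch=0                          # two-component version, e.g. "5.3"
    else
        rest=${rest#*.}
        patch=${rest%%[!0-9]*}           # drop qualifiers such as ".RELEASE"
    fi
    case "$major.$minor" in
        5.3) [ "${patch:-0}" -ge 18 ] && echo fixed || echo vulnerable ;;
        5.2) [ "${patch:-0}" -ge 20 ] && echo fixed || echo vulnerable ;;
        4.*|5.*) echo no-fix-listed ;;   # advisory lists no fixed release
        *)   echo unknown ;;
    esac
}

# Constructed sample of one `mvn dependency:tree | grep spring-beans` line.
SAMPLE_TREE='[INFO] | | | \- org.springframework:spring-beans:jar:5.3.16:compile'

# Demonstration: prints "vulnerable" for the sample above.
classify_spring_beans_version "$(printf '%s\n' "$SAMPLE_TREE" | spring_beans_version_from_tree)"
```

Pipe real output in with `mvn dependency:tree | spring_beans_version_from_tree` and pass the result to the classifier; a project that pulls spring-beans in through several paths should check every reported version, not only the first.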

History

  • 2022-04-01: Initial vulnerability report published