Springshell Vulnerability Update

Hi Sonatype Community,

Early Wednesday morning (GMT), allegations began to appear on the Internet about a new remote code execution flaw that affects Spring Framework. This vulnerability, dubbed by some as “Springshell” in the community, is a new, previously unknown security vulnerability.

The vulnerability affects the spring-beans and spring artifacts, an extremely popular framework used widely in Java applications, and seems to require JDK9 or newer to be running. It is a bypass for an older CVE, CVE-2010-1622, which due to a feature in JDK9 or newer seems to have been reinstated.

The vulnerability was confirmed on Wednesday, and it has been added to Sonatype data as SONATYPE-2022-1764 and given the designation CVE-2022-22965. Spring has acknowledged the vulnerability and released 5.3.18 and 5.2.20 to patch the issue. We recommend an immediate upgrade for all users.

Customers who have scanned their applications with Nexus Lifecycle will receive automatic security alerts as a part of their usual continuous monitoring. If you have Continuous Monitoring turned on, you are protected.

UPDATE: Sonatype solutions are not affected by the Spring4shell vulnerability.

Unsure if your organization is impacted? See our Find & Fix Springshell guide for help as you investigate your applications and environments for this vulnerability.

For continuing updates and additional information, please visit this Sonatype blog post.


If you have any additional questions, we are happy to answer them in the thread below.


The vulnerability is not detected by ossindex-maven

Hi @zied.ellouze and welcome to the Community! Thanks for bringing this to our attention. The CVE is currently awaiting analysis at NIST, so it does not have the key information required by OSSIndex (such as the impacted components). Our team will need to hand-jam that data to get it in faster this time. Soon, we’ll be changing research pipelines so that this sort of thing will be resolved much faster in the future.

Hi Maura,

Just using the Eclipse plugin to solve this issue, I updated our spring-framework version to the latest 5.3.19 instead of the 5.2.3 suggested by Sonatype IQ, but the issue still appears in red, and even when I ran the war ad hoc it still tells me that something is wrong, although the suggested libraries are already part of the project because I updated those libraries as well:

  • org.springframework.data : spring-data-rest-webmvc : 3.6.4
  • org.springframework.security : spring-security-taglibs : 5.6.3


Can you please let me know if this is a bug, or what the problem is with using the latest version of the libraries suggested on CVE-2022-22965 | Security | VMware Tanzu?

Thanks
Silvia

Hi @silviatejera and welcome!

I did chat with our team about this. From the screenshot you’ve posted, it’s showing that spring-web is at 5.3.19 but still has a vulnerability. This is actually true. While org.springframework:spring-web:5.3.19 is not vulnerable to CVE-2022-22965, it is vulnerable to CVE-2016-1000027, which is why you are still seeing the red square (i.e. it is still showing a policy violation).

Hope this helps a bit.

That was helpful indeed; I have to get better at drilling down into your reports, thanks.

BTW, your messages say “log in to reply or reply to this email.” Email replies are VASTLY to be preferred - I have more passwords than I could possibly imagine - but the return email address you use is no-reply.

PLEASE have your web wizards fix it so I can reply, and have them put it in the chat so I don’t have to log in.

Glad it was helpful, William! We will take a look at the reply by email functionality and get it working again. Thanks for letting us know about that & stay tuned!

Hi Maura,
Thanks for your answer, but sorry, it doesn’t really help, as that is the latest version published for 5.3.x, and as I said, when you go deeper in the IQ tool to find out what the issue is, the libraries suggested by the tool are already part of the project.
I cannot understand why the latest version has issues but not 5.2.3, which is lower.
Should we use a lower version instead of the newest?

Thanks
Silvia

@silviatejera There are times when a lower version has no known vulnerabilities but all newer versions have a vulnerability. This is an example of that. Let’s say that a component had no known vulnerabilities at all and then a new vulnerability came out affecting the latest version, and let’s say the latest version is 4.2. The 3.x versions are not vulnerable, as the vulnerable code got introduced in version 4.0. In this case, you would probably want to stay on the lower 3.x versions until a fix came out for the vulnerability affecting the 4.x versions.
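The situation Maura describes above (and the earlier spring-web 5.3.19 answer) as an added example that is not part of this thread or of Sonatype's tooling: a small version-range check over constructed advisory data, showing why the highest release with no known vulnerability can sit below the latest release. The advisory ids, version numbers and the `[introduced, fixed)` range format are all assumptions made for the illustration.

```python
"""Added example (not from the original thread): choose the highest
release of a component that is outside every known-vulnerable range.
Reproduces the 3.x-vs-4.x scenario from the thread with constructed data."""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse(v: str) -> Version:
    # Numeric dotted versions only, e.g. "4.2.0" -> (4, 2, 0);
    # tuple comparison then orders releases correctly.
    return tuple(int(p) for p in v.split("."))


def affected(version: str, advisory: dict) -> bool:
    """True when version lies in the advisory's [introduced, fixed) range.
    A fixed value of None means no fixed release has been published yet."""
    v = parse(version)
    lo = parse(advisory["introduced"])
    hi = advisory["fixed"]
    return v >= lo and (hi is None or v < parse(hi))


def findings(version: str, advisories: List[dict]) -> List[str]:
    """Advisory ids that apply to this version (what a scanner would flag)."""
    return [a["id"] for a in advisories if affected(version, a)]


def best_clean_version(candidates: List[str], advisories: List[dict]) -> Optional[str]:
    """Highest candidate with no findings, or None if every candidate is hit."""
    clean = [c for c in candidates if not findings(c, advisories)]
    return max(clean, key=parse) if clean else None


# Constructed data mirroring the thread: the vulnerable code arrived in 4.0,
# no fix exists yet, so every 4.x release including the latest 4.2 is flagged.
RELEASES = ["3.2.10", "3.2.11", "4.0.0", "4.1.0", "4.2.0"]
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "introduced": "4.0.0", "fixed": None},
]

if __name__ == "__main__":
    latest = max(RELEASES, key=parse)
    print("latest:", latest, "findings:", findings(latest, ADVISORIES))
    print("highest clean release:", best_clean_version(RELEASES, ADVISORIES))
```

Once the advisory gains a `fixed` release (say 4.3.0) and that release is published, the same function returns it, which is the "stay on 3.x until a fix comes out" policy in code.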

Thanks Maura Harwood,

I’ll do that. Probably I still have to learn how to read the recommendations, as the recommended version after changing to 5.3.19 for this was not springframework 5.2.3; instead it was telling me about

  • org.springframework.data : spring-data-rest-webmvc : 3.6.4
  • org.springframework.security : spring-security-taglibs : 5.6.3

Thanks again
Silvia


Hi,
Normally version 5.3.19 is not vulnerable
https://mvnrepository.com/artifact/org.springframework/spring-web/5.3.19