Is Mend Vulnerable to the "Spring4Shell" Vulnerability, CVE-2022-22965?
On March 31st, 2022, a new, critical Spring framework vulnerability was disclosed. This vulnerability was published as CVE-2022-22965, categorized as Critical, and with a CVSS score of 9.8.
In accordance with our application security program, Mend security experts and the engineering team identified and remediated all occurrences of this vulnerability. See the table below for more details. As another step of precaution, Mend uses a Web Application Firewall in our cloud environment.
The Mend application is up to date with the CVE details, and we encourage our customers to scan their code with Mend to identify whether their code is impacted by this vulnerability.
What is CVE-2022-22965?
According to Spring’s official announcement here, the current description of CVE-2022-22965 is as follows:
The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
These are the requirements for the specific scenario from the report:
- Running on JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as a traditional WAR and deployed in a standalone Tomcat instance. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted
- spring-webmvc or spring-webflux dependency
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
What components are vulnerable to CVE-2022-22965?
The spring-beans package; versions prior to v5.3.18 and v5.2.20
What is Mend’s recommended action to fix CVE-2022-22965 for my own products?
Please see the steps below on our recommendations to approach this vulnerability:
- Run an organization-wide inventory report. If you require a multiple-organization report or have over 1000 products, we recommend using the Mend Bulk Report Generator tool to streamline report generation. We have also created our free Spring4Shell Detect tool, which quickly scans your projects to find the vulnerable Spring4Shell versions.
- Search the inventory report for libraries with instances of the referenced vulnerability to identify impacted applications.
- Contact the relevant teams and alert them to the urgency of upgrading to the fixed version.
Here are the different relevant fixes. Users of affected versions should apply the necessary mitigations and/or remediation:
- Mitigation Recommendations: Spring4Shell Zero-Day Vulnerability: Information and Remediation for CVE-2022-22965
- Remediation Recommendations: Mend Vulnerability Database
An alternative method is to use either the standalone Renovate application or the Renovate feature that is included within the Mend SCA. In both cases, the tool will identify the vulnerable packages associated with CVE-2022-22965 and will recommend a pull request with the latest version of the top-level affected package. Adding the linked renovate configuration will include transitive dependencies.
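As an added illustration of the inventory search step (this is example code, not a Mend tool or Mend code), the following Python script flags spring-beans versions in the affected range stated on this page (before 5.3.18 on the 5.3 line, before 5.2.20 on the 5.2 line, and every older line) in `mvn dependency:tree` output; the sample tree is constructed.

```python
import re

# Fixed releases named on this page: 5.3.18 for the 5.3 line, 5.2.20 for the 5.2 line.
FIXED_BY_LINE = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
# Coordinate format printed by `mvn dependency:tree`: group:artifact:packaging:version:scope
SPRING_BEANS = re.compile(r"org\.springframework:spring-beans:[^:\s]+:(?P<version>[^:\s]+)")

# Constructed sample output (not real project data): one affected and one fixed spring-beans.
SAMPLE_TREE = """\
[INFO] com.example:legacy-webapp:war:1.0.0
[INFO] +- org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO] |  \\- org.springframework:spring-beans:jar:5.3.17:compile
[INFO] com.example:patched-service:jar:1.0.0
[INFO] \\- org.springframework:spring-beans:jar:5.2.20.RELEASE:compile
"""

def parse_version(text: str) -> tuple:
    """Turn '5.3.17' or '5.2.19.RELEASE' into a numeric tuple; non-numeric suffixes are dropped."""
    nums = []
    for part in text.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)

def is_vulnerable_spring_beans(version: str) -> bool:
    """True when this spring-beans version predates the fixed release for its line."""
    v = parse_version(version)
    if len(v) < 2:
        raise ValueError(f"unparseable version: {version!r}")
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        # Lines older than 5.2 never received a fix ("and older versions" on this page);
        # anything newer than the 5.3 line is outside the affected range.
        return v[:2] < (5, 2)
    return v < fixed

def find_vulnerable(tree_output: str) -> list:
    """Return every affected spring-beans version found in dependency:tree output."""
    hits = []
    for line in tree_output.splitlines():
        m = SPRING_BEANS.search(line)
        if m and is_vulnerable_spring_beans(m.group("version")):
            hits.append(m.group("version"))
    return hits

if __name__ == "__main__":
    for v in find_vulnerable(SAMPLE_TREE):
        print(f"spring-beans {v}: affected by CVE-2022-22965, upgrade required")
```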
Further updates on the vulnerability will be on our blog, Spring4Shell Zero-Day Vulnerability: Information and Remediation for CVE-2022-22965. Please contact our Customer Support Team with questions and further support.
Please Note: If you’re able to upgrade to Spring Framework 5.3.18 or 5.2.20, no workarounds are necessary. Downgrading to Java 8 provides a viable workaround, which may be a quick and simple thing to do as a tactical solution until you can upgrade to a supported Spring Framework version.
For older, unsupported Spring Framework versions, upgrading to Apache Tomcat 10.0.20, 9.0.62, or 8.5.78 provides protection against the reported attack vector. However, applying the workarounds described above is still a good step to prevent any other possible attack vectors.
Are Mend offerings vulnerable to CVE-2022-22965?
| Mend Product | Vulnerable to CVE-2022-22965? |
|---|---|
| Unified Agent | No |
| K8S Agent | No |
| Essentials | No |
| Mend Core (UI and Dedicated Instances) | No |
| Artifactory Plugin | |
| Bolt 4 Azure Server | No |
| AMP Server | No |
| Jenkins Plugin | No |
| Renovate | No |
| Jira Cloud Plugin | No |
| Jira Server Plugin | Hotfix 22.3.1.1 has been released. Please update to this latest version via your Manage Apps page or install via the Atlassian Marketplace |
| WS CLI | No |
| Mend Diffend | No |
| IDE Plugins (Advise) | No |
| Developer Integrations (SCM integrations) (Hosted & Self-Hosted) | No |
| On-Premise (Dockerized and non-Dockerized) | No |
| ThunderScan (SAST) | No |
| WebStrike (DAST) | No |
| Cure | No |
Frequently Asked Questions
Q: Do I need to rescan my projects to detect this vulnerability?
A: No, Mend keeps a current list of vulnerabilities in our index and alerts are automatically applied to a vulnerability once the index is updated.
Q: How can Mend alert me when a vulnerability of this severity is introduced in my project?
A: If you have policies set up on your organization, Mend will automatically notify you in the case that you are affected by this vulnerability. To set up a policy within your organization, please review our Policies documentation. If you do not wish to set this up, you can utilize the Security Alerts reports for the CVE.
Q: How can I tell if this vulnerability is in one of my transitive dependencies?
A: Our Inventory report, Security Alerts reports, and the Library Details page all provide documentation for analyzing the necessary information to help you determine your next steps in mitigating this vulnerability. To retrieve the reports mentioned, navigate to the corresponding page in your Mend UI, or use our Reports API.
Related Documentation
Mend Blog: Spring4Shell Zero-Day Vulnerability: Information and Remediation for CVE-2022-22965
Mend Vulnerability Database: CVE-2022-22965
Mend Free Tool: Spring4Shell Detect Tool
Mend Article: How to Force a Resource Vulnerability Index Sync for On-Premise Environments
NVD: CVE-2022-22965
Spring Announcement: Spring Framework RCE, Early Announcement
VMware Announcement: CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+