Security Notice: Spring Remote Code Execution CVE-2022-22963 and CVE-2022-22965

SonicWall PSIRT is tracking two critical vulnerabilities impacting the Spring Framework. This advisory is intended to address both CVE-2022-22963 and CVE-2022-22965.

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

SonicWall’s Intrusion Prevention System (IPS) provides protection against Spring4Shell:

  • IPS: 2609 JAVA Spring Framework Command Injection (Spring4Shell)
  • IPS: 13431 JAVA Spring Framework Remote Code Execution (Spring4Shell) 2
  • IPS: 13432 JAVA Spring Framework Remote Code Execution (Spring4Shell) G-1
  • IPS: 13443 JAVA Spring Framework Remote Code Execution (Spring4Shell) G-2
  • IPS: 13444 JAVA Spring Framework Remote Code Execution (Spring4Shell) IOC

Please note that if your web service/server is accessible over HTTPS then enabling server DPI-SSL is necessary for the above signatures to detect exploits targeting this vulnerability.

Learn more: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005