Two remote code execution vulnerabilities have been disclosed in the Spring platform, a widely used application framework that developers rely on to build Java applications quickly. Proof-of-concept exploits for both vulnerabilities are publicly available, and attackers are actively exploiting one of them.
CVE-2022-22963 – This vulnerability affects Spring Cloud Function versions 3.1.6 and 3.2.2, as well as older, unsupported versions. It can be exploited remotely with the default configuration of a Spring Boot application that relies on Spring Cloud Function, for example through the spring-cloud-starter-function-web or spring-cloud-function-web packages.
According to VMware, which owns Spring, when the routing functionality is used a client can supply a specially crafted SpEL expression as a routing expression, which allows remote code execution and access to local resources. The vulnerability was initially given a CVSS severity score of 5.4 (medium) but was subsequently reclassified as critical. Proof-of-concept exploits for the vulnerability are publicly available.
VMware has fixed the vulnerability in Spring Cloud Function versions 3.1.7 and 3.2.3. Users should upgrade to a fixed version immediately to prevent exploitation.
A proof-of-concept exploit has also been released publicly for a second zero-day vulnerability, dubbed Spring4Shell, which affects the Spring Core Java framework. The vulnerability allows unauthenticated attackers to execute code remotely on affected applications.
CVE-2022-22965 – This vulnerability stems from Spring's data binding of request parameters to object properties: on JDK 9 and later, a crafted request can use the binding mechanism to reach the application's ClassLoader, and it affects Spring MVC and Spring WebFlux applications. An exploit is publicly available, but it does not work when an application is deployed as the default Spring Boot executable JAR. The public exploit only works when the application runs on Apache Tomcat as a WAR deployment and has a spring-webmvc or spring-webflux dependency; however, other ways to exploit the vulnerability may exist.
The vulnerability is not as severe as the Log4j/Log4Shell vulnerability; however, Spring is popular and widely used for application development, so the exposure is broad.
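The two vulnerabilities leave different fingerprints in HTTP traffic: the Spring Cloud Function flaw carries its SpEL expression in the spring.cloud.function.routing-expression request header, and the public Spring4Shell exploit submits request parameters whose names walk a property path starting at class.module.classLoader. The following Python is an added example, not code from the article, Spring or VMware, that runs those two indicators over a handful of constructed sample requests. The header name and property path are known public indicators; the request dictionary shape, the helper names and the confidence labels are this example's own choices, and the broad class.* match (scored low) mirrors the class.* property paths that Spring's published workaround disallows.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Known request-level indicators (from public write-ups, not from the article):
# CVE-2022-22963 evaluates this header as SpEL. A legitimate value is a bare
# function name, so a method call, T(...) type reference or #variable is out of place.
ROUTING_HEADER = "spring.cloud.function.routing-expression"
SPEL_EXPRESSION = re.compile(r"[()#]")
# CVE-2022-22965: the public exploit binds request parameters along a property
# path that starts at class.module.classLoader. Any "class" segment is also
# flagged (low) because Spring's workaround disallows class.* paths entirely.
CLASSLOADER_PATH = re.compile(r"(^|\.)class\.module\.classloader(\.|$)", re.IGNORECASE)
CLASS_SEGMENT = re.compile(r"(^|\.)class(\.|$)", re.IGNORECASE)

# Constructed sample requests (not captured traffic), in an assumed dict shape.
SAMPLE_REQUESTS = [
    {"method": "POST", "target": "/functionRouter",
     "headers": {"Content-Type": "text/plain", ROUTING_HEADER: "uppercase"},
     "body": "hello"},
    {"method": "POST", "target": "/functionRouter",
     "headers": {"Content-Type": "text/plain",
                 ROUTING_HEADER: "T(java.lang.System).getProperty('os.name')"},
     "body": "hello"},
    {"method": "POST", "target": "/api/users",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&name=a"},
    {"method": "POST", "target": "/api/users?name=alice&age=30",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "email=alice%40example.com"},
]


def parameter_names(target, body, content_type):
    """Collect bound parameter names from the query string and a form body."""
    names = [k for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    if body and content_type.lower().startswith("application/x-www-form-urlencoded"):
        names += [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    return names


def classify(request):
    """Return (cve, confidence, detail) findings for one request."""
    findings = []
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    expression = headers.get(ROUTING_HEADER)
    if expression is not None and SPEL_EXPRESSION.search(expression):
        findings.append(("CVE-2022-22963", "high",
                         f"SpEL in routing header: {expression}"))
    content_type = headers.get("content-type", "")
    for name in parameter_names(request["target"], request.get("body", ""), content_type):
        if CLASSLOADER_PATH.search(name):
            findings.append(("CVE-2022-22965", "high",
                             f"ClassLoader property path bound: {name}"))
        elif CLASS_SEGMENT.search(name):
            findings.append(("CVE-2022-22965", "low",
                             f"class.* property path bound: {name}"))
    return findings


def scan(requests=SAMPLE_REQUESTS):
    """Return (request number, finding) pairs for every suspicious request."""
    return [(number, finding)
            for number, request in enumerate(requests, start=1)
            for finding in classify(request)]


if __name__ == "__main__":
    for number, (cve, confidence, detail) in scan():
        print(f"request {number}: {cve} [{confidence}] {detail}")
```

Only the second and third sample requests are flagged: a bare function name in the routing header and ordinary form fields pass, while a parenthesised SpEL expression and a ClassLoader property path do not. The low-confidence class.* match is deliberately noisy; it is there to catch variants of the property path, and a legitimate application that binds a property literally named class is rare enough that the alert is worth a look.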
The following versions are no longer affected by this vulnerability:
- Spring Framework 5.3.18 and Spring Framework 5.2.20
- Spring Boot 2.6.6
- Spring Boot 2.5.12
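To turn the fixed-version lists above, together with the Spring Cloud Function versions given for CVE-2022-22963, into a triage check, the following Python is an added example, not code from the article or the Spring project. It parses the line format printed by `mvn dependency:list` (the sample lines are constructed), compares each Spring artifact against the fixed versions the advisories name, and reports branches older than those listed as unsupported, since no fix is published for them. Grouping artifacts by Maven groupId and artifactId prefix, and the status labels, are this example's own assumptions.

```python
# Fixed versions named in the advisories, keyed by Maven groupId and an
# artifactId prefix. The branch-to-fixed-version map is this example's own
# layout; the version numbers are the ones the advisories give.
RULES = [
    ("org.springframework", "spring-", "CVE-2022-22965",
     {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}),
    ("org.springframework.boot", "spring-boot", "CVE-2022-22965",
     {(2, 6): (2, 6, 6), (2, 5): (2, 5, 12)}),
    ("org.springframework.cloud", "spring-cloud-function", "CVE-2022-22963",
     {(3, 2): (3, 2, 3), (3, 1): (3, 1, 7)}),
]

# Constructed sample in the format printed by `mvn dependency:list`
# (groupId:artifactId:type[:classifier]:version:scope); not real project output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO]    org.springframework:spring-core:jar:5.3.18:compile
[INFO]    org.springframework.boot:spring-boot:jar:2.6.5:compile
[INFO]    org.springframework.cloud:spring-cloud-function-web:jar:3.2.2:compile
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.0.9.RELEASE:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
[INFO] BUILD SUCCESS
"""


def numeric_version(version):
    """Leading numeric components of a version, e.g. '3.0.9.RELEASE' -> (3, 0, 9)."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def parse_dependency_list(text):
    """Yield (groupId, artifactId, version) from mvn dependency:list output."""
    for line in text.splitlines():
        fields = line.replace("[INFO]", "").strip().split(":")
        if len(fields) < 5:          # not a dependency line
            continue
        yield fields[0], fields[1], fields[-2]   # version sits just before the scope


def assess(group, artifact, version):
    """Return (cve, status) for a Spring artifact, or None if no rule applies."""
    for rule_group, prefix, cve, fixed_by_branch in RULES:
        if group != rule_group or not artifact.startswith(prefix):
            continue
        numeric = numeric_version(version)
        branch = numeric[:2]
        if branch in fixed_by_branch:
            status = "fixed" if numeric >= fixed_by_branch[branch] else "affected"
        elif branch < min(fixed_by_branch):
            status = "unsupported"   # older branch: affected and no fix published
        else:
            status = "unlisted"      # newer branch than the advisories cover
        return cve, status
    return None


def scan_dependency_list(text):
    """Return (coordinate, cve, status) for every Spring artifact a rule covers."""
    results = []
    for group, artifact, version in parse_dependency_list(text):
        verdict = assess(group, artifact, version)
        if verdict:
            results.append((f"{group}:{artifact}:{version}", *verdict))
    return results


def needs_action(text):
    """True when any artifact is affected or on an unsupported branch."""
    return any(status in ("affected", "unsupported")
               for _, _, status in scan_dependency_list(text))


if __name__ == "__main__":
    for coordinate, cve, status in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{status:12} {cve}  {coordinate}")
```

Pipe the real output of `mvn dependency:list` into scan_dependency_list for each service; a build that only ships the Spring Boot executable JAR is still reported as affected when its Spring Framework version is below 5.3.18 or 5.2.20, because the page notes that exploitation paths other than the Tomcat WAR one may exist, and the upgrade is cheap compared with guessing.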
Alerts Issued about Attacks on Uninterruptible Power Supply Devices
The Department of Energy (DoE) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert warning that cyber threat actors are exploiting vulnerabilities in Internet-connected uninterruptible power supply (UPS) devices to gain access to networks.
UPS devices supply clean and emergency power to IT equipment and applications, and they are routinely connected to networks for power monitoring, maintenance, and convenience. Many UPS vendors have added IoT capabilities to their devices so that they can be accessed over the Internet.
CISA and the DoE are aware of threat actors using these products to gain access to networks, most commonly by logging in to the devices with unchanged default usernames and passwords.
All users of these UPS devices are advised to immediately enumerate their UPSs and related systems and ensure they are not reachable from the Internet; where Internet access is necessary, the device or system should be placed behind a virtual private network. Default credentials should be changed, long passwords or passphrases used to protect the devices, and multifactor authentication enabled.