CVE-2022-22965
Publication date 1 April 2022
Last updated 21 August 2024
Ubuntu priority
Cvss 3 Severity Score
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Status
Package | Ubuntu Release | Status
---|---|---
libspring-java | 24.10 oracular | Needs evaluation
libspring-java | 24.04 LTS noble | Needs evaluation
libspring-java | 22.04 LTS jammy | Needs evaluation
libspring-java | 20.04 LTS focal | Needs evaluation
libspring-java | 18.04 LTS bionic | Needs evaluation
libspring-java | 16.04 LTS xenial | Needs evaluation
libspring-java | 14.04 LTS trusty | Needs evaluation
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 · Critical |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Other references
- https://bugalert.org/content/notices/2022-03-30-spring.html
- https://tanzu.vmware.com/security/cve-2022-22965
- https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- https://github.com/spring-projects/spring-framework/issues/28260
- https://www.cve.org/CVERecord?id=CVE-2022-22965
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog