Vulnerability Details : CVE-2022-22965
Public exploit exists!
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Vulnerability category: Execute code
Products affected by CVE-2022-22965
- cpe:2.3:a:cisco:cx_cloud_agent:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:commerce_platform:11.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:21.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_policy_management:12.6.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*
- Oracle » Communications Cloud Native Core Network Function Cloud Native Environment » Version: 1.10.0cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
- Oracle » Communications Cloud Native Core Network Function Cloud Native Environment » Version: 22.1.0cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_console:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sipass_integrated:2.80:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sipass_integrated:2.85:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinec_network_management_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:operation_scheduler:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:siveillance_identity:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:simatic_speech_assistant_for_machines:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
- cpe:2.3:h:veritas:netbackup_appliance:4.0.0.1:maintenance_release1:*:*:*:*:*:*
- cpe:2.3:h:veritas:netbackup_appliance:4.0.0.1:maintenance_release2:*:*:*:*:*:*
- cpe:2.3:h:veritas:netbackup_appliance:4.0.0.1:maintenance_release3:*:*:*:*:*:*
- cpe:2.3:h:veritas:netbackup_appliance:4.1.0.1:maintenance_release1:*:*:*:*:*:*
- cpe:2.3:h:veritas:netbackup_appliance:4.1.0.1:maintenance_release2:*:*:*:*:*:*
- cpe:2.3:h:veritas:netbackup_appliance:4.0:*:*:*:*:*:*:*
- cpe:2.3:h:veritas:netbackup_appliance:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:veritas:access_appliance:7.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:veritas:access_appliance:7.4.3.100:*:*:*:*:*:*:*
- cpe:2.3:a:veritas:access_appliance:7.4.3.200:*:*:*:*:*:*:*
- cpe:2.3:a:veritas:flex_appliance:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:veritas:flex_appliance:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:veritas:flex_appliance:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:veritas:flex_appliance:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:veritas:flex_appliance:2.1:*:*:*:*:*:*:*
- cpe:2.3:h:veritas:netbackup_virtual_appliance:4.0.0.1:maintenance_release1:*:*:*:*:*:*
- cpe:2.3:h:veritas:netbackup_virtual_appliance:4.0.0.1:maintenance_release2:*:*:*:*:*:*
- cpe:2.3:h:veritas:netbackup_virtual_appliance:4.0.0.1:maintenance_release3:*:*:*:*:*:*
- cpe:2.3:h:veritas:netbackup_virtual_appliance:4.1.0.1:maintenance_release1:*:*:*:*:*:*
- cpe:2.3:h:veritas:netbackup_virtual_appliance:4.1.0.1:maintenance_release2:*:*:*:*:*:*
- cpe:2.3:h:veritas:netbackup_virtual_appliance:4.0:*:*:*:*:*:*:*
- cpe:2.3:h:veritas:netbackup_virtual_appliance:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:veritas:netbackup_flex_scale_appliance:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:veritas:netbackup_flex_scale_appliance:3.0:*:*:*:*:*:*:*
CVE-2022-22965 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Spring Framework JDK 9+ Remote Code Execution Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2022-22965
Added on
2022-04-04
Action due date
2022-04-25
Exploit prediction scoring system (EPSS) score for CVE-2022-22965
97.50%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2022-22965
-
Spring Framework Class property RCE (Spring4Shell)
Disclosure Date: 2022-03-31First seen: 2022-12-23exploit/multi/http/spring_framework_rce_spring4shellSpring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data bindi
CVSS scores for CVE-2022-22965
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2022-22965
-
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Assigned by:
- nvd@nist.gov (Primary)
- security@vmware.com (Secondary)
References for CVE-2022-22965
-
http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html
Spring4Shell Spring Framework Class Property Remote Code Execution ≈ Packet StormThird Party Advisory;VDB Entry
-
https://www.oracle.com/security-alerts/cpuapr2022.html
Oracle Critical Patch Update Advisory - April 2022Third Party Advisory
-
https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf
Patch;Third Party Advisory
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
Vulnerability in Spring Framework Affecting Cisco Products: March 2022Third Party Advisory
-
https://tanzu.vmware.com/security/cve-2022-22965
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ | Security | VMware TanzuMitigation;Vendor Advisory
-
http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html
Spring4Shell Code Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
Security AdvisoryThird Party Advisory
-
https://www.oracle.com/security-alerts/cpujul2022.html
Oracle Critical Patch Update Advisory - July 2022Patch;Third Party Advisory
Jump to