Two remote code execution vulnerabilities have been identified in the Spring platform – a popular application framework that software developers use for rapidly building Java applications. Proof-of-concept exploits for both vulnerabilities are in the public domain and at least one of the vulnerabilities is being actively exploited.
The first vulnerability – CVE-2022-22963 – affects Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions and is remotely exploitable in the default configuration while running a Spring Boot application that depends on Spring Cloud Function, such as when depending on packages such as spring-cloud-function-web and spring-cloud-starter-function-web.
According to VMWare, which owns Spring, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression, which will allow remote code execution and access to local resources. The vulnerability was initially assigned a CVSS severity score of 5.4, but was later upgraded to critical. Proof-of-concept exploits for the vulnerability are in the public domain.
The vulnerability has been addressed by VNWare in Spring Cloud Function versions 3.1.7 and 3.2.3. Immediate upgrading to a secure version is recommended to prevent exploitation.
A proof of concept exploit has been publicly released for another zero-day vulnerability that affects the Spring Core Java framework. The vulnerability, dubbed Spring4Shell, allows unauthenticated individuals to remotely execute code on applications.
The vulnerability – tracked as CVE-2022-22965 – is due to unsafe deserialization of passed arguments and affects Spring MVC and Spring WebFlux applications on JDK 9 or higher. An exploit for the vulnerability is in the public domain, but will not work if an application is deployed as a Spring Boot executable jar, which is the default. The exploit will only work if the application is run on Tomcat as a WAR deployment with a spring-webmvc or “spring-webflux” dependency; however, there may be other ways to exploit the vulnerability.
The vulnerability is not as serious as the Log4J/Log4Shell vulnerability, but Spring is popular and widely used for building applications.
The vulnerability has been fixed in the following versions:
- Spring Framework 5.3.18 and Spring Framework 5.2.20
- Spring Boot 2.5.12
- Spring Boot 2.6.6
CISA Warns of Attacks on Uninterruptible Power Supply Devices
The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DoE) have issued a warning that cyber threat actors are exploiting vulnerabilities in Internet-connected uninterruptible power supply (UPS) devices to gain access to networks.
UPS devices are routinely attached to networks for power monitoring, maintenance, and convenience, and are used to provide clean and emergency power to IT equipment and applications. Many UPS vendors have added IoT capabilities to the devices to allow them to be accessed via the Internet.
CISA and the DoE are aware of threat actors using these devices to gain access to networks, most commonly by using unchanged default usernames and passwords to access the devices.
All users of these devices have been advised to immediately enumerate their UPSs and similar systems and ensure they are not accessible via the Internet, or if Internet access is required, to ensure the device or system is behind a virtual private network. Default credentials should be changed, long passwords or passphrases used to secure the devices, and multifactor authentication should be enforced
The post Warnings Issued About Vulnerabilities in the Spring Application Building Platform and UPS Devices appeared first on HIPAA Journal.