Security Advisory Detail

Go to 

Java Spring Framework RCE aka Spring4Shell (CVE-2022-22965)

Advisory ID
WGSA-2022-00010
CVE
CVE-2022-22965
Impact
Critical
Status
Resolved
Product Family
WatchGuard Cloud, Other Software
Published Date
Updated Date
Workaround Available
True
CVSS Score
9.8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary

On 30 March 2022, details were leaked of a Spring Framework RCE that impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The team at Spring released a blog post that documented the vulnerability. The exploit is commonly referenced as Spring4Shell.

Spring listed several conditions necessary to execute the exploit:

  • JDK 9 or higher
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
  • Tomcat must run on the application as a WAR deployment
    • Deployed as a standalone Tomcat instance
  • spring-webmvc or spring-webflux dependency

The conditions listed are only documented known vectors of exploitation and are not limited to that list.

WatchGuard is currently reviewing all its products and services and so far, has determined that several of the services meet one but not all of the Spring Framework vulnerability requirements. We have yet to confirm exploitation against our products because they do not meet the necessary conditions.

Affected

AuthPoint

The exploit requires an application to run on Tomcat Servlet Container as a WAR deployment. No services in AuthPoint are deployed in this way. Attempts by WatchGuard to exploit the vulnerability have not succeeded, but we plan to upgrade all AuthPoint services that use Spring Framework out of an abundance of caution.

TDR

In TDR v6.0.4.11993, we upgraded the Spring .jar version used by TDR and AD Helper out of an abundance of caution. Exploitation is not considered possible, even with the previous TDR and AD Helper versions.

WatchGuard System Manager

WatchGuard System Manager uses Java but does not use the Spring Framework.

Workaround

The Firebox Intrusion Prevention Service (IPS) has signatures that detect and block these attacks:

  • 1230875 WEB Spring Cloud SpEL RCE (CVE-2022-22963)
  • 1230879 WEB Spring Core RCE -1
  • 1230887 WEB Spring Core RCE -2
  • 1230880 WEB VMware Spring Expression DoS Vulnerability (CVE-2022-22950)
  • 1230888 WEB Spring Core RCE -3

Update the IPS signatures on your Firebox to signature set v4.1270 and TDTS v18.205.

References
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Advisory Product List
Product Family
Product Branch
Product List
WatchGuard Cloud
WatchGuard Cloud
WatchGuard Cloud
Other Software
TDR Host Sensor
TDR Host Sensor
Advisory List