Technical blog

Spring Vulnerability and ARender

Context:

Several critical vulnerabilities leading to Remote Code Execution (RCE) have been discovered in the Spring Framework library and its ecosystem: one is in Spring Core and the other in Spring Cloud Function.
Spring Core is a framework widely used in Java applications and Java/J2EE application development projects.
Common Vulnerabilities and Exposures (CVE) have been published:

  • CVE-2022-22946 : Spring Cloud Gateway HTTP2 Insecure TrustManager
  • CVE-2022-22947 : Spring Cloud Gateway Code Injection Vulnerability
  • CVE-2022-22963 : Remote code execution in Spring Cloud Function by malicious Spring Expression
  • CVE-2022-22965 : Spring Framework RCE via Data Binding on JDK 9+

Which Spring versions are affected?

CVE-2022-22946:

Spring Cloud Gateway:

  • 3.1.0

Note: Severity is medium unless otherwise noted.

CVE-2022-22947:

Spring Cloud Gateway:

  • 3.1.0
  • 3.0.0 to 3.0.6
  • Older, unsupported versions are also affected

Note: Severity is critical unless otherwise noted.

CVE-2022-22963:

Spring Cloud Function:

  • 3.1.6
  • 3.2.2
  • Older, unsupported versions are also affected

Note: Severity is critical unless otherwise noted.

CVE-2022-22965:

Spring Framework:

  • 5.3.0 to 5.3.17
  • 5.2.0 to 5.2.19
  • Older, unsupported versions are also affected

These are the prerequisites for the exploit:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

Note: Severity is critical unless otherwise noted.
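As an added example (not ARender's or Spring's own code), the following Python helper turns the affected-version ranges and exploit prerequisites listed above for CVE-2022-22965 into a triage check for a deployment inventory; the Deployment fields and the sample profile are assumptions made for this illustration.

```python
"""Triage helper for CVE-2022-22965 based on the advisory's affected-version
list and prerequisites. Added example; not ARender or Spring project code."""
from dataclasses import dataclass, field

def parse_version(v: str) -> tuple:
    """'5.3.17' -> (5, 3, 17). Non-numeric qualifiers ('.RELEASE') are dropped
    and missing components are padded with 0 so '5.3' compares as 5.3.0."""
    parts = []
    for p in v.split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

# Affected Spring Framework ranges from the advisory (inclusive bounds).
AFFECTED_SPRING = [((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19))]

def spring_framework_affected(version: str) -> bool:
    """True for 5.3.0-5.3.17, 5.2.0-5.2.19 and any older, unsupported line."""
    v = parse_version(version)
    if any(lo <= v <= hi for lo, hi in AFFECTED_SPRING):
        return True
    return v < (5, 2, 0)  # "Older, unsupported versions are also affected"

@dataclass
class Deployment:
    """Assumed inventory record for one application (constructed for the example)."""
    spring_version: str
    jdk_major: int
    container: str            # e.g. "tomcat", "jetty", "undertow"
    packaging: str            # "war" or "jar"
    dependencies: set = field(default_factory=set)

def cve_2022_22965_exposure(d: Deployment) -> list:
    """Return the prerequisites that are NOT met. An empty list means the
    version is in range and every listed exploit condition is present."""
    unmet = []
    if not spring_framework_affected(d.spring_version):
        unmet.append("spring-framework version not in affected range")
    if d.jdk_major < 9:
        unmet.append("JDK 9+ required (running %d)" % d.jdk_major)
    if d.container.lower() != "tomcat":
        unmet.append("not deployed on Apache Tomcat")
    if d.packaging.lower() != "war":
        unmet.append("not packaged as WAR")
    if not d.dependencies & {"spring-webmvc", "spring-webflux"}:
        unmet.append("neither spring-webmvc nor spring-webflux present")
    return unmet

if __name__ == "__main__":
    # Constructed profile: executable JAR on JDK 11 with spring-webmvc.
    print(cve_2022_22965_exposure(Deployment("5.3.17", 11, "tomcat", "jar", {"spring-webmvc"})))
```

A deployment that returns an empty list matches every condition the advisory lists and should be patched first; any other result still warrants upgrading, since the prerequisites describe the known exploit path, not the full extent of the bug.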

Is ARender affected by these security vulnerabilities?

ARender UI (frontend) and ARender Rendition (backend) applications do not use the Spring Cloud Function library, nor the Spring Cloud Gateway library.
They are therefore not vulnerable to the following CVEs:

  • CVE-2022-22946
  • CVE-2022-22947
  • CVE-2022-22963

ARender Rendition is composed of Spring Boot microservices packaged as executable JARs, not as WAR files, and is therefore not vulnerable to CVE-2022-22965.
ARender UI does not use the spring-webflux library but embeds spring-webmvc. ARender also requires JDK 8 as a minimum.
Analyses and tests have been carried out to verify the security of the application; no vulnerability was detected in the ARender UI component.

Conclusion

ARender is not affected by the recent vulnerabilities discovered in the Spring ecosystem. We will nevertheless remain vigilant about future discoveries, whether or not they are related to these flaws.