
CV_2022_04_1: Remote Code Execution Vulnerability in the Spring Framework (Severity: HIGH)

This advisory is archived.

Archived security advisories updated before March 15, 2024 have been migrated from our previous documentation site in their original format. For this reason, they may not conform to the updated look and feel of advisories published after March 15, 2024.

  • Advisory ID: CV_2022_04_1
  • Title: Remote Code Execution Vulnerability in the Spring Framework
  • Severity: HIGH
  • Issued: 2022-04-01
  • Updated: 2022-04-01
  • CVSS Score Range: 7.0-8.9
  • Additional Links:

Impacted Products

This vulnerability does not affect Commvault products.

Resolution

As stated in the Spring.io blog, an application deployed as a Spring Boot executable jar (the default packaging) is not vulnerable to the known exploit. Commvault internally uses the Message Queue application, which ships with the default Spring Boot executable jar and is therefore not vulnerable to the exploit.

As a precaution, we have upgraded the Message Queue application and the Oracle and Microsoft SQL agents to the version recommended by Spring.io.

Download and install the following maintenance releases for your Feature Release on the affected client computers. For more information about installing maintenance releases, see Installing Commvault Software Updates on Demand.

Feature Release    Maintenance Release
11.26              11.26.23
11.25              11.25.32
11.24              11.24.48
11.23              11.23.47
11.20              11.20.90
SP16               SP16.153

CVE Details

  • CVE ID: CVE-2022-22963
  • CWE Name: Remote code execution in Spring Cloud Function by malicious Spring Expression
  • CVSS Score: 9.8
  • External link

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when the routing functionality is used, a user can supply a specially crafted SpEL expression as a routing-expression, which may result in remote code execution and access to local resources.

  • CVE ID: CVE-2022-22965
  • CWE Name: Spring Framework RCE via Data Binding on JDK 9+
  • CVSS Score: 9.8
  • External link

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
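The exposure conditions above (JDK 9+, a WAR deployment on Tomcat, an unpatched Spring Framework) lend themselves to a triage check. The following Python helper is an added example, not part of the advisory or of Commvault's tooling; it assumes a classpath listing of jar file names (constructed here) and uses the fixed Spring Framework versions 5.3.18 and 5.2.20 from the Spring.io announcement, which this advisory does not itself list.

```python
"""Triage helper for the CVE-2022-22965 exposure conditions described above."""
import re
from dataclasses import dataclass

# Fixed Spring Framework versions per the Spring.io announcement (not stated in this advisory).
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Match the core Spring jars whose version tells us which Framework release is deployed.
JAR_RE = re.compile(r"spring-(?:beans|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)\.jar$")


@dataclass
class Deployment:
    jdk_major: int   # major Java version, e.g. 8 or 11
    packaging: str   # "war" or "jar" (Spring Boot executable jar)
    container: str   # "tomcat" for an external Tomcat, "embedded" for Boot's embedded server
    jars: list       # jar file names found on the classpath (constructed sample input)


def spring_version(jars):
    """Return the lowest Spring Framework version seen among the core jars, or None."""
    versions = [tuple(int(x) for x in m.groups()) for j in jars if (m := JAR_RE.search(j))]
    return min(versions) if versions else None


def is_patched(version):
    """True only when the version is on a known branch and at or above its fixed release."""
    fixed = FIXED.get(version[:2])
    return fixed is not None and version >= fixed  # unknown branch: treat as unpatched


def assess(dep):
    """Map the CVE description's preconditions onto one deployment.

    Returns "not-spring", "patched", "exposed" or "not-exposed-by-known-exploit".
    """
    ver = spring_version(dep.jars)
    if ver is None:
        return "not-spring"
    if is_patched(ver):
        return "patched"
    # The known exploit needs JDK 9+ and a WAR running on Tomcat.
    if dep.jdk_major >= 9 and dep.packaging == "war" and dep.container == "tomcat":
        return "exposed"
    # Executable jar (the Boot default) is not hit by the known exploit, but the flaw
    # is more general, so the upgrade is still the recommended action.
    return "not-exposed-by-known-exploit"


if __name__ == "__main__":
    sample = ["spring-beans-5.3.17.jar", "spring-webmvc-5.3.17.jar", "tomcat-embed-core-9.0.60.jar"]
    print(assess(Deployment(11, "war", "tomcat", sample)))     # exposed
    print(assess(Deployment(11, "jar", "embedded", sample)))   # not-exposed-by-known-exploit
```

The verdict "not-exposed-by-known-exploit" is deliberately not "safe": it mirrors the advisory's own reasoning that the executable jar avoids the known exploit while the underlying weakness remains until the upgrade is applied.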
