⚠ Actively exploited
Added to CISA KEV on 2022-04-04. Federal agencies required to patch by 2022-04-25. Required action: Apply updates per vendor instructions.
Severity: 9.8 CRITICAL
EPSS: 94.4% (top 0.02%)
CISA KEV: Added 2022-04-04, Due 2022-04-25
Exploit: Exploited in wild (active exploitation observed)
Timeline:
Published: Apr 1
KEV added: Apr 4
KEV due: Apr 25
Latest update: Dec 17
CISA Required Action: Apply updates per vendor instructions.

Description

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (44 packages)

Ecosystem | Package | Introduced | Fixed
Maven | org.springframework:spring-webflux | 5.3.0 | 5.3.18 (+1)
NVD | vmware/spring_framework | 5.3.0 | 5.3.18 (+1)
Maven | org.springframework:spring-beans | 5.3.0 | 5.3.18 (+1)

Patches

🔴 Vulnerability Details (5)

CVEList: CVE-2022-22965: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding (2022-04-01)
OSV: CVE-2022-22965: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding (2022-04-01)
GHSA: Remote Code Execution in Spring Framework (2022-03-31)
OSV: Remote Code Execution in Spring Framework (2022-03-31)
VulnCheck: Spring Framework JDK 9+ Remote Code Execution Vulnerability (2022)

💥 Exploits & PoCs (2)

Nuclei: Spring - Remote Code Execution
Nuclei: Spring Framework RCE via Data Binding on JDK 9+

🔍 Detection Rules (6)

Suricata: ET EXPLOIT SpringShell/Spring4Shell RCE Attempt (CVE-2022-22965) (2023-11-10)
Suricata: ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 1 Pattern Set Inbound (CVE-2022-22965) (2022-03-31)
Suricata: ET EXPLOIT Possible SpringCore RCE/Spring4Shell Inbound (CVE-2022-22965) (2022-03-31)
Suricata: ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 3 Directory Set Inbound (CVE-2022-22965) (2022-03-31)
Suricata: ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 2 Suffix Set Inbound (CVE-2022-22965) (2022-03-31)

📋 Vendor Advisories (10)

Ubuntu: Spring Framework vulnerability (2024-12-17)
Oracle: Oracle Fusion Middleware Risk Matrix: Third Party (Spring Framework) — CVE-2022-22965 (2023-04-15)
Oracle: Oracle Commerce Risk Matrix: Content Acquisition System (Spring Framework) — CVE-2022-22965 (2023-01-15)
Oracle: Oracle Commerce Risk Matrix: Endeca Integration (Spring Framework) — CVE-2022-22965 (2022-07-15)
Oracle: Oracle Communications Risk Matrix: Automation Test Suite (Spring Framework) — CVE-2022-22965 (2022-04-15)

🕵️ Threat Intelligence (25)

Elastic: Elastic's response to the Spring4Shell vulnerability (CVE-2022-22965) — Elastic Security Labs (2022-11-22)
Trendmicro: Spring4Shell Vulnerability CVE-2022-22965 Exploited to Deploy Cryptocurrency Miners (2022-04-20)