Spring Remote Code Execution Vulnerability
Release Date: 1 Apr 2022
RISK: High Risk
TYPE: Security software and application - Security Software & Appliance

A vulnerability (CVE-2022-22965) has been identified in Spring Framework. A remote attacker can exploit this vulnerability to trigger remote code execution on the targeted system.
A public proof-of-concept exploit exists for applications that meet all of the following conditions:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as a traditional WAR deployed to Tomcat (rather than run as a Spring Boot executable JAR with embedded Tomcat)
- spring-webmvc or spring-webflux dependency
These conditions describe the known exploit, not the vulnerability itself. The vendor has stated that the underlying issue is more general and other exploit paths may exist, so applications that do not match this profile should still be patched.
Impact
- Remote Code Execution
System / Technologies affected
- Spring Boot versions prior to 2.6.6 (2.6.x branch)
- Spring Boot versions prior to 2.5.12 (2.5.x branch)
- Spring Framework versions prior to 5.3.18 (5.3.x branch)
- Spring Framework versions prior to 5.2.20 (5.2.x branch)
- Older, unsupported Spring Framework branches are also affected and have no fixed release
Solutions
Before installing the software, please visit the vendor website for more details.
Apply the fixes issued by the vendor: upgrade to Spring Framework 5.3.18 or 5.2.20 (for Spring Boot applications, 2.6.6 or 2.5.12). Where an immediate upgrade is not possible, the vendor announcement below describes a temporary workaround that blocks data binding to class-related property paths; treat it as a stopgap and still upgrade.
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
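The temporary workaround referred to above, written out as an added example (it is not part of this advisory). It reproduces the denylist approach published in the vendor announcement: a global ControllerAdvice that registers disallowed field patterns on every WebDataBinder so request parameters cannot bind through "class" / "Class" property paths. The package name is a placeholder; the Spring annotations and WebDataBinder.setDisallowedFields are the real Spring Framework API.

```java
package com.example.mitigation; // hypothetical package, choose your own

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Stopgap mitigation for CVE-2022-22965 when upgrading to a fixed
 * Spring Framework release is not yet possible.
 *
 * Every request-scoped WebDataBinder in the application gets the same
 * denylist, so binding of request parameters to any "class"/"Class"
 * property path (at the top level or nested) is rejected.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // run after application-specific advice
public class BinderControllerAdvice {

    // Patterns recommended by the vendor; "*" covers nested property paths.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

Two caveats a practitioner should check before relying on this: a controller that has its own @InitBinder method calling setDisallowedFields replaces the global list rather than merging with it, so every such controller must include these patterns itself; and the advice only affects binders created by Spring MVC/WebFlux, so any DataBinder the application constructs directly is not covered. The workaround does not change the vulnerable code, so upgrading remains the fix.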