close
close
Your Network of Tomorrow
Your Network of Tomorrow
Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.
          Experience Netskope
          Get Hands-on With the Netskope Platform
          Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            Netskope debuts as a Leader in the Gartner® Magic Quadrant™ for Single-Vendor SASE
              Securing Generative AI for Dummies
              Securing Generative AI for Dummies
              Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
                Modern data loss prevention (DLP) for Dummies eBook
                Modern Data Loss Prevention (DLP) for Dummies
                Get tips and tricks for transitioning to a cloud-delivered DLP.
                  Modern SD-WAN for SASE Dummies Book
                  Modern SD-WAN for SASE Dummies
                  Stop playing catch up with your networking architecture
                    Understanding where the risk lies
                    Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        Netskope One Private Access is the only solution that allows you to retire your VPN for good.
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                            Netskope GovCloud
                            Netskope achieves FedRAMP High Authorization
                            Choose Netskope GovCloud to accelerate your agency’s transformation.
                              Let's Do Great Things Together
                              Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.
                                Netskope solutions
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.
                                  Netskope Technical Support
                                  Netskope Technical Support
                                  Our qualified support engineers are located worldwide and have diverse backgrounds in cloud security, networking, virtualization, content delivery, and software development, ensuring timely and quality technical assistance
                                    Netskope video
                                    Netskope Training
                                    Netskope training will help you become a cloud security expert. We are here to help you secure your digital transformation journey and make the most of your cloud, web, and private applications.

                                      Two RCE Vulnerabilities Found in Spring Framework

                                      Apr 06 2022

                                      Summary

                                      At the end of March 2022, two critical vulnerabilities (CVE-2022-22963 and CVE-2022-22965) were discovered in different components of VMware Spring. Spring is a popular framework focused on facilitating the development of Java applications, including cloud-based apps, eliminating the need for additional code or concerns related to server requirements. 

                                      According to VMware, both vulnerabilities may be exploitable through crafted HTTP requests that can result in remote code execution (RCE), both having the same critical CVSS score of 9.8 out of 10. Given the popularity of Spring, these security issues represent a serious threat to vulnerable web applications. 

                                      These bugs have already been fixed by Spring, but exploits for both vulnerabilities can be found in the wild, which makes these bugs more critical as one could simply leverage the PoC code to exploit vulnerable systems with minimal effort.

                                      CVE-2022-22963

                                      According to the report published by VMware on March 29, 2022, this vulnerability affects Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions.

                                      To exploit this vulnerability, an attacker may send an HTTP request with a crafted SpEL (Spring Expression Language) string as a routing-expression, which may result in remote code execution.

                                      Screenshot showing how an attacker could exploit CVE-2022-22963

                                      To mitigate this issue, users running affected versions of Spring Cloud Function should upgrade to 3.1.7 or 3.2.3.

                                      CVE-2022-22965

                                      The second vulnerability affects Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older unsupported versions. This bug is also being publicly called as Spring4Shell.

                                      There are a few prerequisites for the exploit:

                                      • JDK 9+
                                      • Apache Tomcat as the Servlet container
                                      • Packaged as WAR
                                      • spring-webmvc or spring-webflux dependency

                                      An attacker may exploit this vulnerability by sending a crafted HTTP request that manipulates a property in Tomcat’s pipeline allowing one to drop a web shell, hence providing further access to the machine.

                                      Screenshot showing how an attacker may exploit CVE-2022-22965

                                      A detailed analysis of this exploit was released by Microsoft. To mitigate this issue, users running affected Spring Framework versions should upgrade to 5.2.20+ or 5.3.18+.

                                      Mitigation

                                      Update / Patch

                                      We strongly recommend anyone using the affected products mentioned in this post to update to the latest version. Furthermore, Spring has also released a few workarounds for CVE-2022-22965 such as upgrading Tomcat or downgrading to Java 8, which can be followed when the update is not feasible.

                                      Netskope Private Access

                                      If you are running internal applications that cannot be immediately patched, you can mitigate the risk of exploitation by limiting access to the app. A private access solution, such as Netskope Private Access, can be used to make private apps invisible to external attackers who seek to exploit vulnerable services. Furthermore, a private access solution can restrict access to a private app internally, such that only authorized users are able to access the app, reducing the risk that a compromised user or device could be used to exploit vulnerable services.

                                      author image
                                      Gustavo Palazolo
                                      Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection.
                                      Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection.

                                      Stay informed!

                                      Subscribe for the latest from the Netskope Blog