Shulou(Shulou.com)06/01 Report--

This article mainly talks about "analyzing Spring loopholes and how to fix them". Interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Next, let the editor take you to learn how to analyze Spring vulnerabilities and fix them.

Loophole analysis

Spring Framework (Framework) is an open source lightweight J2EE application development framework, which provides functions such as IOC, AOP and MVC, solves the common problems encountered by programmers in development, and improves the convenience of application development and the efficiency of software system construction.

On March 30th, 2022, the CNVD platform received a remote command execution vulnerability in the Spring framework submitted by Ant Technology Group Co., Ltd. Due to the processing flow defect of the Spring framework, the attacker can write and modify the backdoor file of the target host under remote conditions, and then obtain the permissions of the target host through backdoor file access. Applications such as using Spring framework or derivative framework to build websites and using JDK version 9 or above at the same time are vulnerable to this vulnerability. This time the identified RCE vulnerability in the Spring core framework is CVE number CVE-2022-22965.

Scope of influence

The exploitation of this vulnerability needs to meet the following conditions:

JDK 9 +

Deploy using Apache Tomcat

Use WAR to package

Rely on spring-webmvc or spring-webflux

Although most domestic users may still use JDK 8 or use built-in Tomcat to run, because of the common characteristics of this vulnerability, other ways of exploitation can not be ruled out. Therefore, DD still recommends upgrading to the latest version as soon as possible to avoid possible risks.

Solution

Currently, Spring has officially released a new version to fix the vulnerability. CNVD recommends that product (service) vendors and information system operators affected by the vulnerability check themselves as soon as possible and upgrade to the latest version as follows:

Spring 5.3.x users upgrade to 5.3.18 +

Spring 5.2.x users upgrade to 5.2.20 +

Spring Boot 2.6.x users upgrade to 2.6.6 +

Spring Boot 2.5.x users upgrade to 2.5.12 +

At this point, I believe you have a deeper understanding of "parsing Spring vulnerabilities and fixing methods". You might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.