On March 29, 2022, a zero-day vulnerability affecting the Spring Core Java framework, called "Spring4Shell" (CVE-2022-22963), was publicly disclosed, allowing unauthenticated remote code execution (RCE) on affected applications.
The vulnerability permits an attacker to execute arbitrary code on the machine and compromise the entire host.
The Spring Cloud Function versions impacted are the following:
- 3.1.6
- 3.2.2
- Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to 3.1.7 or 3.2.3. Releases that have fixed this issue include:
Spring Cloud Function
- 3.1.7
- 3.2.3
In Spring Framework, DataBinder has functionality to disallow certain field patterns. As a temporary mitigation for this vulnerability, it is recommended to create a ControllerAdvice component (a Spring component shared across Controllers) and add the dangerous patterns to the denylist. After the class is added, the project needs to be recompiled, packaged, tested for functional verification, and republished.
An example snippet is shown below:
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Shared across all controllers; the high order value lets it run after
// any application-specific @InitBinder methods.
@ControllerAdvice
@Order(10000)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Request parameters matching these patterns are never bound to the target bean.
        // Both spellings are listed because the pattern match is case-sensitive.
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
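To confirm the denylist actually takes effect before republishing, the following added check (not part of the original advisory) binds a constructed set of request parameter names through a WebDataBinder configured with the same four patterns and reports which ones were suppressed; the DenylistCheck class, the OrderForm bean and the suppressed() helper are hypothetical names chosen for this example.

```java
import java.util.Arrays;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.web.bind.WebDataBinder;

public class DenylistCheck {

    // Hypothetical form bean with one legitimate bindable field.
    public static class OrderForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Same denylist as BinderControllerAdvice, applied to a binder for OrderForm.
    static WebDataBinder hardenedBinder(Object target) {
        WebDataBinder binder = new WebDataBinder(target, "orderForm");
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
        return binder;
    }

    // Bind constructed parameter names (values are irrelevant) and return
    // the names the binder refused; these also surface in the BindingResult
    // at runtime, which is a useful place to log probing attempts.
    public static String[] suppressed(String... paramNames) {
        WebDataBinder binder = hardenedBinder(new OrderForm());
        MutablePropertyValues pvs = new MutablePropertyValues();
        for (String p : paramNames) {
            pvs.add(p, "x");
        }
        binder.bind(pvs);
        return binder.getBindingResult().getSuppressedFields();
    }

    public static void main(String[] args) {
        // Expected: "name" binds normally; the two class-prefixed keys are dropped.
        String[] dropped = suppressed("name", "class.module.foo", "Class.bar");
        System.out.println("suppressed = " + Arrays.toString(dropped));
    }
}
```

Run it against the exact Spring Framework version shipped in the artifact, since the point is to verify the behaviour of the binder you deploy, not a newer one.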