**Spring is broken again!** Aren't you tired of seeing headlines like this lately? Look closer, though, and several of them turned out to be hype around unrelated CVEs. So yesterday I published a post about the recently leaked Spring bug, discussing the confusing marketing messages and warning people not to download phishing content that claims to provide patches for it. As for the vulnerability itself, we kept watching it: it might well exist, but there had been no official announcement.

Then, a few days ago (March 31), the Spring team published an article titled **Spring Framework RCE, Early Announcement** about the Spring bug that had been leaked online. This confirms that the bug is real and that it is not the CVE announced on March 28 or 29, as many recent articles claimed. If you have been following those articles to fix the problem, please redo the work according to the official announcement.

The CVE assigned to this RCE vulnerability in the Spring core framework is CVE-2022-22965 [1].

The bug was reported to VMware late on Tuesday night by codePlutos and MeizJm3i of AntGroup FG. On Wednesday the Spring team investigated, analyzed and fixed the issue, and scheduled an emergency release for Thursday.

Because the vulnerability had already leaked online, the Spring team released the fixed versions urgently. Since the bug is in the Spring core framework, it affects a very wide range of applications, and the official blog post is therefore being updated continuously. The following is the timeline of progress as of this writing:

Here is a look at the official announcement and remediation for the mysterious bug that had been circulating online for two days.

Scope

Exploiting this vulnerability requires all of the following conditions:

  • JDK 9+
  • Apache Tomcat as the servlet container
  • Packaged as a traditional WAR (as opposed to a Spring Boot executable jar)
  • A dependency on spring-webmvc or spring-webflux

Most users in China are probably still on JDK 8, or deploy with embedded Tomcat. However, the underlying vulnerability is in a general-purpose mechanism, so other exploitation paths may exist. DD therefore recommends upgrading to the latest version as soon as circumstances permit, to avoid the risk.

Solution

Since this is the official Spring announcement rather than a rumour, the remediation is complete and straightforward. Affected users can remove the risk of this vulnerability by upgrading:

  • Spring Framework 5.3.x users: upgrade to 5.3.18+
  • Spring Framework 5.2.x users: upgrade to 5.2.20+
  • Spring Boot 2.6.x users: upgrade to 2.6.6+
  • Spring Boot 2.5.x users: upgrade to 2.5.12+

A review and further details of the vulnerability are omitted here for reasons of space. Interested readers can follow the public account program ape DD and reply "CVE-2022-22965" to get the in-depth analysis document.

One more point deserves special mention. Readers who received the leaked news earlier in the week and acted on it most likely applied the following workaround:

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Refuse to bind any property path that goes through the "class" property
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

DD has seen this approach many times in the WeChat group. The Spring post confirms that it works, but it may leave other gaps, in particular when a controller sets disallowedFields locally in its own @InitBinder method, which overrides the global setting.
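To make that override pitfall concrete, here is an added stand-alone example. It is not code from the Spring announcement or from this post; it uses the plain DataBinder API (spring-beans and spring-context only), so it runs without a servlet container. The Car bean and the request parameters are constructed for the demonstration, and the two parameter names starting with class/Class are never actually resolved: the binder drops disallowed names before it navigates any property path. The three cases show the global denylist suppressing those names, a controller-local setDisallowedFields call silently replacing the global list, and a merged list that keeps both.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

// Added demonstration; not code from the Spring announcement or from the original post.
public class DisallowedFieldsDemo {

	// Constructed form object standing in for a request-bound @ModelAttribute.
	public static class Car {
		private String model;
		private String owner;
		public String getModel() { return model; }
		public void setModel(String model) { this.model = model; }
		public String getOwner() { return owner; }
		public void setOwner(String owner) { this.owner = owner; }
	}

	// The global denylist used by the @ControllerAdvice workaround.
	static final String[] CLASS_DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

	// Constructed request parameters. The class/Class names only have the shape the
	// denylist targets; a disallowed name is removed by the binder before any property
	// path is navigated, so nothing is ever resolved through them here.
	static MutablePropertyValues requestParams() {
		MutablePropertyValues pvs = new MutablePropertyValues();
		pvs.add("model", "roadster");
		pvs.add("owner", "alice");
		pvs.add("class.module.classLoader.x", "y");
		pvs.add("Class.module.classLoader.x", "y"); // the bean wrapper also accepts the capitalised spelling
		return pvs;
	}

	static List<String> suppressed(DataBinder binder) {
		return Arrays.asList(binder.getBindingResult().getSuppressedFields());
	}

	// Case 1: only the global denylist is applied; both hostile names are suppressed.
	static List<String> bindWithGlobalDenylist() {
		DataBinder binder = new DataBinder(new Car(), "car");
		binder.setDisallowedFields(CLASS_DENYLIST);
		binder.bind(requestParams());
		return suppressed(binder);
	}

	// Case 2: a controller's own @InitBinder runs after the global advice and calls
	// setDisallowedFields("owner"). The second call replaces the list, so class.* is gone.
	// Binding is deliberately not performed here: without the denylist the hostile
	// names would be navigated.
	static List<String> disallowedAfterLocalOverride() {
		DataBinder binder = new DataBinder(new Car(), "car");
		binder.setDisallowedFields(CLASS_DENYLIST); // global @ControllerAdvice
		binder.setDisallowedFields("owner");        // controller-local @InitBinder
		return Arrays.asList(binder.getDisallowedFields());
	}

	// Case 3: merge with whatever the controller configured instead of replacing it,
	// the approach the RequestMappingHandlerAdapter extension takes.
	static List<String> bindWithMergedDenylist() {
		DataBinder binder = new DataBinder(new Car(), "car");
		binder.setDisallowedFields("owner");        // controller-local @InitBinder
		String[] existing = binder.getDisallowedFields();
		List<String> merged = new ArrayList<>();
		if (existing != null) {
			merged.addAll(Arrays.asList(existing));
		}
		merged.addAll(Arrays.asList(CLASS_DENYLIST));
		binder.setDisallowedFields(merged.toArray(new String[0]));
		binder.bind(requestParams());
		return suppressed(binder); // owner plus both class.* names
	}

	public static void main(String[] args) {
		System.out.println("global denylist, suppressed:      " + bindWithGlobalDenylist());
		System.out.println("after local override, disallowed: " + disallowedAfterLocalOverride());
		System.out.println("merged denylist, suppressed:      " + bindWithMergedDenylist());
	}
}
```

Case 2 is the trap: setDisallowedFields replaces rather than appends, so a single controller that restricts its own fields quietly removes the class.* protection for that controller. Note also that on Spring Framework 5.3.18+ disallowed-field matching is case-insensitive and getDisallowedFields returns the patterns lower-cased; on older versions the matching is case-sensitive, which is why the workaround lists both spellings.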

For a more robust solution, the application can extend RequestMappingHandlerAdapter so that the WebDataBinder is updated after all other initialization has run. The Spring team offers the following example:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.web.servlet.WebMvcRegistrations;
import org.springframework.context.annotation.Bean;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.annotation.InitBinderDataBinderFactory;
import org.springframework.web.method.support.InvocableHandlerMethod;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;

@SpringBootApplication
public class MyApp {

	public static void main(String[] args) {
		SpringApplication.run(MyApp.class, args);
	}

	@Bean
	public WebMvcRegistrations mvcRegistrations() {
		return new WebMvcRegistrations() {
			@Override
			public RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() {
				return new ExtendedRequestMappingHandlerAdapter();
			}
		};
	}

	private static class ExtendedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {

		@Override
		protected InitBinderDataBinderFactory createDataBinderFactory(List<InvocableHandlerMethod> methods) {
			return new ServletRequestDataBinderFactory(methods, getWebBindingInitializer()) {

				@Override
				protected ServletRequestDataBinder createBinderInstance(
						Object target, String name, NativeWebRequest request) throws Exception {
					ServletRequestDataBinder binder = super.createBinderInstance(target, name, request);
					// Append to whatever the controller's own @InitBinder configured instead of replacing it
					String[] fields = binder.getDisallowedFields();
					List<String> fieldList = new ArrayList<>(fields != null ? Arrays.asList(fields) : Collections.emptyList());
					fieldList.addAll(Arrays.asList("class.*", "Class.*", "*.class.*", "*.Class.*"));
					binder.setDisallowedFields(fieldList.toArray(new String[] {}));
					return binder;
				}
			};
		}
	}
}
```

For Spring MVC applications that do not use Spring Boot, switch from @EnableWebMvc to extending DelegatingWebMvcConfiguration directly, as described in the Advanced Config section of the reference documentation [3], and override createRequestMappingHandlerAdapter there.


References

  • [1] spring.io/blog/2022/0…
  • [2] tanzu.vmware.com/security/cv…
  • [3] docs.spring.io/spring-fram…
