
Spring has fallen! Are you tired of headlines like this these days? Look closer, though, and most of those articles are hyping earlier, unrelated CVEs. So yesterday I posted an article about the big Spring vulnerability circulating on the Internet, talking about these misleading marketing pieces and reminding everyone not to download "patches" from phishing content that rides on the vulnerability. As for the rumored vulnerability itself, we kept watching it, because it might well exist, but at that point there was no official announcement.

Not long ago (on the evening of March 31), the Spring community published an article called "Spring Framework RCE, Early Announcement", announcing the vulnerability that had been reported on the Internet. This confirms that the rumored vulnerability does exist, and that it is not the CVEs published on March 28 and 29 that many recent articles mention. If you fixed the problem according to those articles, please start over according to this official announcement.

The RCE vulnerability identified this time is in the Spring core framework; its CVE number is CVE-2022-22965 [1].

CVE-2022-22965

The vulnerability was reported to VMware late Tuesday night by codePlutos and meizjm3i of AntGroup FG. On Wednesday, the Spring team investigated, analyzed, and identified a solution to the problem, with an emergency release planned for Thursday.

Since the vulnerability had already leaked on the Internet, the Spring team urgently released the fixed versions. Because it is a vulnerability in the Spring core framework, it affects a wide range of projects, so the official blog post is being updated continuously. The following is the progress timeline as of the publication of this article:

Spring Framework RCE, Early Announcement - Update

Let's take a look at the official description and solution for this mysterious vulnerability that has circulated on the Internet for two days.

Scope of impact

Exploiting this vulnerability requires all of the following conditions to be met:

  • JDK 9+
  • Deployed on Apache Tomcat
  • Packaged as a WAR
  • Depends on spring-webmvc or spring-webflux

Although most users in China may still run JDK 8 or the embedded Tomcat, the vulnerability is general in nature and other exploitation paths cannot be ruled out. Therefore, DD still recommends upgrading to the latest version as soon as possible to avoid possible risks.

Solution

Because this time it is not an Internet rumor but an official Spring announcement, the solution is relatively complete and simple. Affected users can address the risk of this vulnerability in the following ways:

  • Spring 5.3.x users upgrade to 5.3.18+
  • Spring 5.2.x users upgrade to 5.2.20+
  • Spring Boot 2.6.x users upgrade to 2.6.6+
  • Spring Boot 2.5.x users upgrade to 2.5.12+
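As an added example (not from the original post or from the Spring team), the following Python helper applies the four exploitation conditions from the scope section and the fixed-version thresholds from the list above to an application inventory, so a team can sort its deployments into patched, exposed and at-risk. The App records and the inventory are constructed for the demo; only the conditions and the version thresholds come from the announcement.

```python
from dataclasses import dataclass
from itertools import takewhile
# First fixed release of each affected line, as listed in the announcement.
FIXED = {
    "spring-framework": {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)},
    "spring-boot": {(2, 6): (2, 6, 6), (2, 5): (2, 5, 12)},
}

def parse_version(text):
    """'5.3.17.RELEASE' -> (5, 3, 17); stops at the first non-numeric piece."""
    return tuple(int(p) for p in takewhile(str.isdigit, text.split(".")))

def is_patched(artifact, version):
    """At or above the fixed release of its line; lines with no listed fix count as unpatched."""
    v = parse_version(version)
    fixed = FIXED[artifact].get(v[:2])
    return fixed is not None and v >= fixed

@dataclass
class App:                 # constructed record type for the demo inventory
    name: str
    jdk_major: int
    container: str         # "tomcat" (standalone), "embedded-tomcat", "jetty", ...
    packaging: str         # "war" or "jar"
    uses_spring_mvc: bool  # spring-webmvc or spring-webflux on the classpath
    spring_version: str = ""  # empty when only the Boot version is known
    boot_version: str = ""    # empty when the app is not a Spring Boot app

def meets_exploit_conditions(app):
    """All four conditions from the announcement hold for this app."""
    return (app.jdk_major >= 9 and app.container == "tomcat"
            and app.packaging == "war" and app.uses_spring_mvc)

def triage(app):
    """'patched', 'exposed' (unpatched, all conditions met) or 'at-risk' (unpatched, some differ)."""
    if app.spring_version:
        patched = is_patched("spring-framework", app.spring_version)
    else:  # only the Boot version is known; Boot 2.6.6+/2.5.12+ manage a fixed Framework version
        patched = bool(app.boot_version) and is_patched("spring-boot", app.boot_version)
    if patched:
        return "patched"
    return "exposed" if meets_exploit_conditions(app) else "at-risk"

# Constructed inventory for the demo, not real systems.
INVENTORY = [
    App("billing", 11, "tomcat", "war", True, "5.3.17"),
    App("legacy-api", 8, "tomcat", "war", True, "5.2.19"),
    App("admin-ui", 17, "embedded-tomcat", "jar", True, boot_version="2.6.6"),
]
RESULTS = {app.name: triage(app) for app in INVENTORY}
```

An "at-risk" result still calls for the upgrade; it only means the known exploitation conditions are not all present.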

Due to limited space, the analysis and further details of this vulnerability are not covered here. Interested readers can follow the public account Programmer DD and reply "CVE-2022-22965" to obtain a more in-depth analysis document.

I also need to mention this again: friends who heard the news earlier and already acted should, if I guess correctly, have used the following workaround, right?

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Applied to every controller's WebDataBinder: refuse to bind any request
    // parameter whose property path passes through "class" / "Class".
    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }

}

DD has also seen this approach quite a few times in the WeChat group. Spring's official post confirms that this method is effective, but it may leave other hidden dangers: in particular, when a Controller sets disallowedFields locally through its own @InitBinder method, that local setting overrides the global one.

To apply the solution in a more secure way, the application can extend RequestMappingHandlerAdapter so that the WebDataBinder is updated after all other initializations have finished. The Spring team has given a better solution, such as the following:

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.web.servlet.WebMvcRegistrations;
import org.springframework.context.annotation.Bean;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.annotation.InitBinderDataBinderFactory;
import org.springframework.web.method.support.InvocableHandlerMethod;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;

@SpringBootApplication
public class MyApp {

    public static void main(String[] args) {
        SpringApplication.run(MyApp.class, args);
    }


    // Replace the auto-configured RequestMappingHandlerAdapter with the extended one below.
    @Bean
    public WebMvcRegistrations mvcRegistrations() {
        return new WebMvcRegistrations() {
            @Override
            public RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() {
                return new ExtendedRequestMappingHandlerAdapter();
            }
        };
    }


    private static class ExtendedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {

        @Override
        protected InitBinderDataBinderFactory createDataBinderFactory(List<InvocableHandlerMethod> methods) {

            return new ServletRequestDataBinderFactory(methods, getWebBindingInitializer()) {

                @Override
                protected ServletRequestDataBinder createBinderInstance(
                        Object target, String name, NativeWebRequest request) throws Exception {

                    // Runs after every @InitBinder (global and controller-local) has been applied,
                    // so the denylist is appended to, and cannot be overridden by, any local setting.
                    ServletRequestDataBinder binder = super.createBinderInstance(target, name, request);
                    String[] fields = binder.getDisallowedFields();
                    List<String> fieldList = new ArrayList<>(fields != null ? Arrays.asList(fields) : Collections.emptyList());
                    fieldList.addAll(Arrays.asList("class.*", "Class.*", "*.class.*", "*.Class.*"));
                    binder.setDisallowedFields(fieldList.toArray(new String[] {}));
                    return binder;
                }
            };
        }
    }
}

For Spring MVC users who are not on Spring Boot, you can switch from @EnableWebMvc to extending DelegatingWebMvcConfiguration, as described in the Advanced Configuration section of the documentation [3], and then override the createRequestMappingHandlerAdapter method to achieve the same result.

Well, that's it for today's sharing! If you run into difficulties while learning, you can join our high-quality Spring technical exchange group to take part in discussions and learn together! More Spring Boot tutorials are also available; you are welcome to bookmark and share them!

Author: 程序猿DD (Programmer DD)