Published: 19th April 2022

Version: 1.0.0

Severity: N/A

CVSS Score: N/A

AFFECTED PRODUCTS

WSO2 Identity Server - 5.9.0, 5.10.0, 5.11.0

WSO2 Identity Server as Key Manager - 5.9.0, 5.10.0

WSO2 API Manager - 3.0.0, 3.1.0, 3.2.0, 4.0.0

WSO2 Enterprise Integrator - 6.6.0

OVERVIEW

Spring4Shell remote code execution zero-day vulnerability (CVE-2022-22965).

DESCRIPTION

According to the CVE-2022-22965 [1], the following Spring Framework versions are vulnerable to the Remote Code Execution when it is used with JDK9 and above.

Spring Framework 5.3.0 to 5.3.17
Spring Framework 5.2.0 to 5.2.19
Older versions of Spring Framework

IMPACT

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by providing a crafted payload.

Note

WSO2 team has done relavent testing, as per it this issue is not exploitable in WSO2 Products.

SOLUTION

You may migrate to the latest version of the product, if the latest version is not listed under the affected products list. Otherwise, you may apply the relevant fixes to the product based on the public fixes as given below:

Or else as an immediate measure to prevent any security impact, it is recommended to apply the below mentioned temporary mitigation in the WAF or reverse proxy level at earliest possible. Please note that temporary mitigations are based on [2], which is also based on Spring announcement [1].

Deny requests containing query-strings or request payloads containing the following matches of the regular expression (These should be tested prior to production deployment but are effective mitigation techniques.): [2],

class\..*
Class\..*
.*\.class\..*
.*\.Class\..*

Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.

REFERENCES

[1]. https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

[2]. https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/

[3]. https://docs.wso2.com/display/Security/CVE-2022-22965

Browser not supported