The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

CyRC Vulnerability Analysis: Two distinct Spring vulnerabilities discovered – Spring4Shell and CVE-2022-22963

Jonathan Knudsen

Mar 29, 2022 / 1 min read

The Internet is buzzing with talk about two separate vulnerabilities related to different Spring projects. The two are not related, but have been confused because both vulnerabilities were disclosed at nearly the same time.

CVE-2022-22963

The first is CVE-2022-22963, tracked in the Black Duck KnowledgeBase™ as BDSA-2022-0850. This is a remote code execution vulnerability in Spring Cloud Function. Issued with a medium severity and upgraded to critical by vendor VMWare (https://tanzu.vmware.com/security/cve-2022-22963), researchers have since found that achieving remote code execution is possible. An upgrade patch already exists, so affected users are urged to upgrade as soon as possible.

Spring4Shell

The second vulnerability is CVE-2022-22965 (https://tanzu.vmware.com/security/cve-2022-22965), which is BDSA-2022-0858 in the Black Duck Knowledgebase. This is the vulnerability many security researchers have been calling Spring4Shell. Under certain circumstances, it allows an attacker to run arbitrary code, but the ease of exploitation varies with how the code running on Spring Framework is written, and how Spring Framework is run. Fixed versions of Spring Framework (and the related Spring Boot) are available. Affected users should upgrade expeditiously. Read Spring’s announcement for more information.

Manage your security risks

Regardless of how Spring4Shell evolves, these vulnerabilities highlight the importance of knowing what open source components you are using and keeping on top of vulnerabilities as they are disclosed.

software composition analysis (SCA) solution like Black Duck does exactly this. It can build a software Bill of Materials (SBOM) for an application and proactively notify you when new vulnerabilities are disclosed in components you have used.

Black Duck Code Sight is an IDE plugin that can provide quick, actionable SCA results for developers in the environment where they work. Click here for a demo video.

Continue Reading

Explore Topics