Informational
Advisory: Spring Cloud Function (SPEL) and Spring Framework AKA SpringShell vulnerabilities (CVE-2022-22963, CVE-2022-22965)
CVE(s)
CVE-2022-22963
CVE-2022-22965
Product(s)
Cloud Optix
Reflexion
Sophos Central
Sophos Email
Sophos Firewall
Sophos Home
Sophos Mobile
Sophos Mobile EAS Proxy
Sophos Switch
Sophos UTM
Sophos UTM Manager
Updated
2022 Apr 1
Article version
1
Published
2022 Apr 1
Publication ID
sophos-sa-20220401-spring-rce
Workaround
No
Overview
On Wednesday March 30, 2022 and the following day, two severe but unrelated vulnerabilities were disclosed in the Java Spring ecosystem: one in the Spring Cloud Function project and one in the Spring Framework itself.
Spring Framework is a widely used framework for building Java web and cloud applications, so these vulnerabilities potentially affect a broad range of server-side services and applications. That makes them extremely dangerous, and applying the vendor updates to those applications urgent. Sophos has observed widespread malicious attempts to exploit internet-facing services using these vulnerabilities.
The Spring Cloud Function vulnerability (CVE-2022-22963, sometimes referred to as the "SpEL vulnerability") lets remote attackers execute code on the server through a specially crafted HTTP request header: vulnerable versions evaluate the value of the spring.cloud.function.routing-expression header as a Spring Expression Language (SpEL) expression. The Spring Framework vulnerability (CVE-2022-22965, also known as "SpringShell" or "Spring4Shell") allows remote attackers to execute code through request parameter data binding on JDK 9 and later. Spring's advisory notes that the publicly known exploit additionally requires the application to be deployed as a WAR on Apache Tomcat with a spring-webmvc or spring-webflux dependency, while warning that other ways to exploit the flaw may exist; treat every Spring Framework deployment as in scope for patching.
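The two request shapes described above can be screened for in proxy or WAF logs before (or in addition to) relying on IPS coverage. The following is an added example written for this page, not Sophos code and not the IPS signatures referenced later in the advisory. It flags the publicly documented indicators: the spring.cloud.function.routing-expression header (CVE-2022-22963), escalated when the value contains a SpEL type reference T(...), and any request parameter whose dotted name walks through a "class" property (CVE-2022-22965), which is the same field pattern Spring's advisory told developers to disallow in a DataBinder (class.*, Class.*, *.class.*, *.Class.*). The request records and their values are constructed for the example; the log layout, severity labels and helper names are assumptions.

```python
"""Screen HTTP request records for the indicators of CVE-2022-22963 and
CVE-2022-22965 described above. Added example, not Sophos code."""
import re
from urllib.parse import parse_qs, urlsplit

# CVE-2022-22963: vulnerable Spring Cloud Function evaluated this header as a
# SpEL expression. A type reference "T(...)" in it is the classic sign of abuse.
ROUTING_HEADER = "spring.cloud.function.routing-expression"
SPEL_TYPE_REF = re.compile(r"\bT\s*\(")

# CVE-2022-22965: the known exploit binds parameters through the "class"
# property (class.module.classLoader...). This is Spring's recommended
# disallowed-field rule (class.*, Class.*, *.class.*, *.Class.*) applied to a
# dotted parameter name: a path segment that is exactly "class", any case.
CLASS_PATH_SEGMENT = re.compile(r"(^|\.)class\.", re.IGNORECASE)


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_routing_expression(headers):
    value = get_header(headers, ROUTING_HEADER)
    if value is None:
        return None
    # Any routing expression supplied by an untrusted client deserves a look;
    # a type reference is what turns it into code execution on unpatched builds.
    severity = "high" if SPEL_TYPE_REF.search(value) else "medium"
    return {"cve": "CVE-2022-22963", "severity": severity,
            "evidence": f"{ROUTING_HEADER}: {value}"}


def parameter_names(path, body, content_type):
    """Decoded parameter names from the query string and a form-encoded body.
    parse_qs percent-decodes names, so an obfuscated '%43lass' becomes 'Class'."""
    names = list(parse_qs(urlsplit(path).query, keep_blank_values=True))
    if body and "application/x-www-form-urlencoded" in content_type.lower():
        names += list(parse_qs(body, keep_blank_values=True))
    return names


def check_class_binding(path, body, content_type=""):
    hits = [n for n in parameter_names(path, body, content_type)
            if CLASS_PATH_SEGMENT.search(n)]
    if not hits:
        return None
    return {"cve": "CVE-2022-22965", "severity": "high",
            "evidence": ", ".join(hits)}


def scan_request(req):
    """Return the list of findings for one request record."""
    headers = req.get("headers", {})
    findings = []
    for finding in (
        check_routing_expression(headers),
        check_class_binding(req["path"], req.get("body", ""),
                            get_header(headers, "Content-Type") or ""),
    ):
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not captured traffic), shaped like what a
# reverse proxy or WAF might log: method, path, headers, body.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/api/users?id=42&classification=internal",
     "headers": {"User-Agent": "curl/7.81.0"}},
    {"method": "POST", "path": "/functionRouter",
     "headers": {"Spring.Cloud.Function.Routing-Expression":
                 'T(java.lang.System).getProperty("os.name")'},
     "body": "hello"},
    {"method": "POST", "path": "/",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "class.module.classLoader.resources.context.parent.pipeline"
             ".first.directory=webapps/ROOT"},
    {"method": "POST", "path": "/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=alice&myclass.name=x"},
    {"method": "GET",
     "path": "/?%43lass.module.classLoader.resources.context.parent"
             ".pipeline.first.prefix=x",
     "headers": {}},
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        for f in scan_request(req):
            print(f"request {i}: {f['cve']} [{f['severity']}] {f['evidence']}")
```

Requests 0 and 3 produce no findings ("classification" and "myclass.name" contain the letters but not a standalone "class" segment); request 1 is flagged for CVE-2022-22963 at high severity because of the T(...) reference; requests 2 and 4 are flagged for CVE-2022-22965, the latter despite the percent-encoded first letter. Multipart bodies and JSON are out of scope here; data binding from JSON goes through message converters rather than the DataBinder path, but a multipart form would need its own parser before the same name check.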
Patches for Spring
CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression. Upgrade Spring Cloud Function to version 3.1.7 or 3.2.3.
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+. Upgrade Spring Framework to version 5.2.20 or 5.3.18.
Additionally, Spring Boot 2.5.12 and 2.6.6 have been released; they depend on the fixed Spring Framework versions, so upgrading Spring Boot is the simplest route for Boot-managed applications.
What Sophos products are affected?
Sophos is reviewing and patching all potentially affected applications and services as part of its incident response process.
No Sophos products or services are impacted.
Sophos will publish updated information as it becomes available.
How are Sophos customers protected?
Sophos Managed Threat Response (MTR) customers
Sophos is actively monitoring MTR customer accounts for post-exploit activity.
IPS Signatures
IPS signatures, listed below by signature ID (SID), were first published on March 30, 2022.
Sophos Firewall
SIDs for CVE-2022-22963 are 59388, 59416, 2306989
SIDs for CVE-2022-22965 are 30790, 30791, 30792, 30793
Sophos Endpoint
SIDs for CVE-2022-22963 are 2306989, 2306999
SID for CVE-2022-22965 is 2306990
Sophos SG UTM
SIDs for CVE-2022-22963 are 59388, 59416
SIDs for CVE-2022-22965 are 30790, 30791, 30792, 30793
Related Information
Sophos Responsible Disclosure Policy
To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.