Security Advisory

CVE-2022-22965: UAA affected by Spring Framework RCE via Data Binding on JDK 9+

Severity

Critical

Vendor

Cloud Foundry Foundation

Description

Cloud Foundry UAA is built on the Spring Framework and is therefore affected by CVE-2022-22965, a remote code execution vulnerability in Spring. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

Affected Cloud Foundry Products and Versions

Severity is critical unless otherwise noted.

  • UAA Release (OSS)
    • Versions 74.2.0 – 75.17.0
  • CF Deployment
    • Versions 12.1.0 and above, below 20.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • UAA Release (OSS)
    • Upgrade affected versions to 75.18.0 or greater.
  • CF Deployment
    • Upgrade affected versions to 20.0 or greater.
    • Alternatively, the workaround below can be applied to affected versions until the upgrade is done.

Workaround for CF Deployment

  1. Create a temporary ops file with the following content, which replaces the uaa release entry of the cf-deployment manifest with the fixed release:

     - type: replace
       path: /releases/name=uaa
       value:
         name: uaa
         url: https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=75.18.0
         version: "75.18.0"
         sha1: 5f9c63ecf952e94ff3ce229eed25069c7ce2a6b0

  2. Apply this ops file with the -o flag on every subsequent bosh deploy of cf-deployment, until you upgrade cf-deployment to 20.0 or later, where this CVE is fixed. For more information on how to apply ops-files, read the section of the README: https://github.com/cloudfoundry/cf-deployment#ops-files
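To make clear what the ops file above does, here is an added example (written for this page, not Cloud Foundry project code) that applies the advisory's replace operation, in the go-patch path style bosh uses, to a constructed cf-deployment manifest excerpt, and checks whether the uaa release version before and after falls inside the affected range 74.2.0 - 75.17.0. The manifest excerpt, the capi release entry and the placeholder sha1 values are assumptions made up for the example; only the ops-file content is from the advisory, and only the `replace` operation type is implemented.

```python
# Added example (not Cloud Foundry project code): apply the advisory's
# go-patch style ops-file to a constructed cf-deployment manifest excerpt
# and check whether the uaa release version is in the affected range.
from copy import deepcopy

# Version bounds from the advisory: UAA release 74.2.0 - 75.17.0 affected,
# 75.18.0 fixed.
AFFECTED_MIN = (74, 2, 0)
FIXED = (75, 18, 0)

# The advisory's ops-file, as the YAML would be parsed.
OPS = [
    {
        "type": "replace",
        "path": "/releases/name=uaa",
        "value": {
            "name": "uaa",
            "url": "https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=75.18.0",
            "version": "75.18.0",
            "sha1": "5f9c63ecf952e94ff3ce229eed25069c7ce2a6b0",
        },
    }
]

# Constructed manifest excerpt (assumption, not a real cf-deployment manifest):
# only the fields needed to show the replace; sha1 values are placeholders.
MANIFEST = {
    "name": "cf",
    "releases": [
        {"name": "capi", "version": "1.0.0", "url": "placeholder", "sha1": "placeholder"},
        {
            "name": "uaa",
            "version": "75.10.0",
            "url": "https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=75.10.0",
            "sha1": "placeholder",
        },
    ],
}


def parse_version(version):
    """'75.17.0' -> (75, 17, 0). Missing trailing components count as 0."""
    parts = [int(p) for p in str(version).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def uaa_release_is_affected(version):
    """True if a UAA release version falls in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def _select(node, token):
    """Resolve one go-patch path token against a dict or list.

    'key=value' selects the single array element whose key has that value
    (exactly one match is required, as in go-patch); a plain token is an
    array index or a map key that must already exist.
    """
    if isinstance(node, list):
        if "=" in token:
            key, _, expected = token.partition("=")
            matches = [i for i, item in enumerate(node)
                       if isinstance(item, dict) and str(item.get(key)) == expected]
            if len(matches) != 1:
                raise ValueError(f"{token!r} matched {len(matches)} array items, expected exactly 1")
            return matches[0]
        return int(token)
    if isinstance(node, dict) and token in node:
        return token
    raise KeyError(f"path token {token!r} not found")


def apply_ops(manifest, ops):
    """Apply a list of go-patch 'replace' operations; returns a new document."""
    doc = deepcopy(manifest)
    for op in ops:
        if op.get("type") != "replace":
            raise ValueError(f"only 'replace' is implemented here, got {op.get('type')!r}")
        tokens = op["path"].strip("/").split("/")
        node = doc
        for token in tokens[:-1]:
            node = node[_select(node, token)]
        node[_select(node, tokens[-1])] = op["value"]
    return doc


def uaa_release_version(manifest):
    """Version string of the release named 'uaa' in a manifest."""
    releases = manifest["releases"]
    return releases[_select(releases, "name=uaa")]["version"]


if __name__ == "__main__":
    before = uaa_release_version(MANIFEST)
    after = uaa_release_version(apply_ops(MANIFEST, OPS))
    print(f"uaa {before}: affected={uaa_release_is_affected(before)}")
    print(f"uaa {after}: affected={uaa_release_is_affected(after)}")
```

On a real deployment the same effect is obtained by passing the ops file to the bosh CLI, for example `bosh -d cf deploy cf-deployment.yml -o uaa-75.18.0.yml` (file name is illustrative); the version check above is the one to run against the rendered manifest, or against the output of `bosh -d cf releases`, to confirm the uaa release is at 75.18.0 or later.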

References:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

History

2022-04-05: Initial vulnerability report published.
2022-04-21: Added fixed version of CF Deployment.


Cloud Foundry Foundation Security Team, AUTHOR
