Severity
Critical
Vendor
Cloud Foundry Foundation
Description
In Cloud Foundry UAA, a remote code execution vulnerability is present due to an issue in the Spring Framework identified by CVE-2022-22965. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Affected Cloud Foundry Products and Versions
Severity is critical unless otherwise noted.
- UAA Release (OSS)
- Versions 74.2.0 – 75.17.0
- CF Deployment
- Versions 12.1.0 and above, up to but not including 20.0
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- UAA Release (OSS)
- Upgrade affected versions to 75.18.0 or greater.
- CF Deployment
- Upgrade affected versions to 20.0 or greater.
- Alternatively, the workaround below can be applied to affected versions of CF Deployment.
Workaround for CF Deployment
- Create a temporary ops file with the following content:
    - type: replace
      path: /releases/name=uaa
      value:
        name: uaa
        url: https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=75.18.0
        version: "75.18.0"
        sha1: 5f9c63ecf952e94ff3ce229eed25069c7ce2a6b0
- Apply this ops-file on every subsequent bosh deploy of cf-deployment until you upgrade cf-deployment to 20.0 or greater, where this CVE is fixed. For more information on how to apply ops-files, read the ops-files section of the cf-deployment README: https://github.com/cloudfoundry/cf-deployment#ops-files
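The workaround above as one runnable script. This is an added example, not part of the advisory or of the cf-deployment project: it writes the ops-file with the advisory's pinned version and sha1, checks whether a given UAA release version falls inside the affected range, verifies the sha1 of the pinned tarball before starting a deploy, and then runs the bosh deploy. It assumes a BOSH environment is already targeted, that the deployment is named "cf", and that cf-deployment.yml is in the current directory; the ops-file name and the deployment name are assumptions, not anything the advisory prescribes.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory or cf-deployment). Assumptions: a BOSH
# environment is already targeted, the deployment is named "cf", and
# cf-deployment.yml is in the current directory.
set -euo pipefail

# Values taken from the advisory.
UAA_FIXED_VERSION="75.18.0"
UAA_FIXED_URL="https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=${UAA_FIXED_VERSION}"
UAA_FIXED_SHA1="5f9c63ecf952e94ff3ce229eed25069c7ce2a6b0"
UAA_AFFECTED_MIN="74.2.0"
UAA_AFFECTED_MAX="75.17.0"

# version_ge A B: true when A >= B. GNU sort -V compares numerically per
# component, so 75.17.0 sorts after 75.9.0 as it should.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# uaa_affected V: true when V lies inside the advisory's affected range.
uaa_affected() {
  version_ge "$1" "$UAA_AFFECTED_MIN" && version_ge "$UAA_AFFECTED_MAX" "$1"
}

# write_uaa_ops FILE: writes the advisory's ops-file.
write_uaa_ops() {
  cat > "$1" <<EOF
- type: replace
  path: /releases/name=uaa
  value:
    name: uaa
    url: ${UAA_FIXED_URL}
    version: "${UAA_FIXED_VERSION}"
    sha1: ${UAA_FIXED_SHA1}
EOF
}

# verify_sha1 FILE EXPECTED: true only when the file's SHA-1 matches EXPECTED.
verify_sha1() {
  local actual
  actual="$(sha1sum "$1" | cut -d' ' -f1)"
  [ "$actual" = "$2" ]
}

# apply_uaa_workaround: fetch the pinned release tarball, check it against the
# advisory's sha1, then deploy with the ops-file. The director checks the sha1
# itself when it downloads the release; checking first avoids starting a deploy
# that is going to fail part-way through.
apply_uaa_workaround() {
  local ops="uaa-cve-2022-22965.yml" tarball   # ops-file name is an assumption
  tarball="$(mktemp)"
  write_uaa_ops "$ops"
  curl -fsSL -o "$tarball" "$UAA_FIXED_URL"
  if ! verify_sha1 "$tarball" "$UAA_FIXED_SHA1"; then
    echo "sha1 mismatch for $UAA_FIXED_URL, refusing to deploy" >&2
    rm -f "$tarball"
    return 1
  fi
  rm -f "$tarball"
  bosh -d cf deploy cf-deployment.yml -o "$ops"   # deployment name "cf" is an assumption
}

# Only deploy when explicitly asked, so the file can be sourced for the checks.
if [ "${1:-}" = "deploy" ]; then
  apply_uaa_workaround
fi
```

To decide whether a deployment needs the workaround at all, feed the uaa release version from your deployed manifest to `uaa_affected`; the function is inclusive at both ends of the advisory's range, so 74.2.0 and 75.17.0 both report as affected while 75.18.0 does not.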
References
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
History
2022-04-05: Initial vulnerability report published.
2022-04-21: Added fixed version of CF Deployment