Spring Framework Remote Code Execution (CVE-2022-22965)
News category: IT Security News
Source: veracode.com
Details of a zero-day vulnerability in Spring Framework were leaked on March 29, 2022 but promptly taken down by the original source. Although much of the initial speculation about the nature of the vulnerability was incorrect, we now know that the vulnerability has the potential to be quite serious depending on your organization's use of Spring Framework. There is also a dedicated CVE, CVE-2022-22965, assigned to this vulnerability. We will keep this blog updated as new information comes up.

Technical summary

The cause was initially rumored to be related to deserialization, but the actual cause is unforeseen access to Tomcat's ClassLoader as a result of the new Module feature added in Java 9. An existing mitigation only blocked access to the classLoader property of Class objects, but the new Module object also has a classLoader property and was therefore accessible through Spring's property bindings when a Java object is bound to a request parameter. Access to the classLoader…