Cisco Talos is releasing coverage to protect users against the exploitation of two remote code execution vulnerabilities in Spring Framework. CVE-2022-22963 is a medium-severity bug that affects Spring Cloud, and CVE-2022-22965 is a high-severity bug that affects Spring Core Framework. Spring is a Java-based framework commonly used by developers to create and test code. There are already reports of the vulnerabilities being leveraged in the wild, and patches have been made available here, here and here.
CVE-2022-22963 is a vulnerability in the routing functionality of Spring Cloud Function versions 3.1.6, 3.2.2 and older, unsupported versions. The vulnerability can be triggered by an attacker sending a specially crafted SpEL routing expression, which could result in remote code execution. Upgrading to Spring Cloud Function 3.1.7 or 3.2.3 resolves this issue.
CVE-2022-22965, also known as Spring4Shell, is a high-severity class manipulation vulnerability affecting two specific Spring products, Spring MVC and Spring WebFlux, that could result in remote code execution. This particular vulnerability appears to be a bypass of the mitigations put in place for a previous vulnerability, CVE-2010-1622, and can be exploited by sending a specially crafted HTTP request that results in code execution. Upgrading to Spring Framework 5.3.18 or 5.2.20 should resolve this issue. Alternatively,
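For teams that cannot upgrade immediately, the data-binder workaround that Spring published alongside the CVE-2022-22965 fix is shown below as an added example; it is not code from the Talos post, and it assumes a Spring MVC application where no controller defines its own `@InitBinder` that overrides these disallowed fields. It blocks request parameters from binding into the `class` property graph, which is the path the class manipulation vulnerability relies on.

```java
package example.mitigation; // hypothetical package name for this example

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global binder advice: applies to every @RequestMapping handler in the
 * application, so each WebDataBinder is configured before request
 * parameters are bound onto a model object.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // run after any app-specific advice
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Deny binding to "class", "Class" and any nested "*.class" / "*.Class"
        // property path. Both capitalisations are listed because field
        // patterns in unpatched 5.3.x / 5.2.x are matched case-sensitively.
        String[] denylist = new String[] {
            "class.*", "Class.*", "*.class.*", "*.Class.*"
        };
        dataBinder.setDisallowedFields(denylist);
    }
}
```

This is a stopgap rather than a replacement for the 5.3.18 / 5.2.20 upgrade: a controller-local `@InitBinder` that calls `setDisallowedFields` with its own list replaces, rather than extends, this denylist, so every such binder in the code base must include the same patterns.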