CVE-2022-22965 An MVC or Spring WebFlux application may be vulnerable to remote code execution if it runs on Tomcat as a WAR deployment.
If the application is running on JDK 9, i.e. Spring Boot 1.4 or later, it is not vulnerable. It is possible for an attacker to take advantage of a known bug in the JDK 9 implementation of DataBinder to execute arbitrary code on the targeted system. The specific code that needs to be run is specified in the data binding expression. The data binding expression can be controlled by the user in several ways. In particular, it can be controlled by the selection of data type, validation rules, and the value of data. Any of these three things can be exploited to execute code on the target system with low probability of detection.
What is DataBinder?
DataBinder is a library that allows developers to bind data from Java objects to XML or SQL statements. It is available in JDK 9 and newer.
DataBinder allows the binding of Java objects to XML, SQL, or other data sources. The DataBinder can be configured by binding expressions and validation rules. In this case, the vulnerable code was executed because it was allowed to use unchecked input.
Vulnerability Description
A vulnerability in the Spring Boot application allows an attacker to execute arbitrary code on the targeted system if it is running JDK 9. The vulnerability is due to a known bug in the JDK 9 implementation of DataBinder. It is possible for an attacker to take advantage of this bug by creating a data binding expression containing a Java expression that evaluates to a reference value and then calling setResultData or getResultData with this expression. This will cause DataBinder to replace its own internal state with the new data, which can be controlled by the user. The particular expression that needs to be run is controlled by the type of data being bound, validation rules, and/or the value of data. There are several ways for an attacker to exploit this vulnerability such as selecting one of these controls and replacing their own internal state with new values when creating a binding expression.
Vulnerability details
DataBinder is a utility class that provides an overall wrapper for data access, manipulation, and conversion. It takes care of most of the details needed to perform data binding (i.e. converting the source type to the target type, validating values, etc.). DataBinder also allows developers to provide custom converters. These are functions that are invoked when a value is converted from one type to another.
The problem with DataBinder is that it creates a security hole by providing not just a custom converter but also a default converter that executes any Java code passed as its argument if it has not been overridden by other custom converters or explicitly closed by the user. This means that if there was an unchecked method on class A in the JDK 9 implementation of DataBinder called “executeJava”, then any arbitrary Java code could be executed on system B by simply converting an object of class A into an object of class B using the default converter and writing some Java code on ClassA.className()
How does the vulnerability work?
The vulnerability works by exploiting a known bug in the JDK 9 implementation of DataBinder. The specific code that needs to be run is specified in the data binding expression. The data binding expression can be controlled by the user in several ways. In particular, it can be controlled by the selection of data type, validation rules, and the value of data. Any of these three things can be exploited to execute code on the target system with low probability of detection
Symptoms of the vulnerability
The bug is present when DataBinder binds a String value to an Integer object with the bindString method. The value of an Integer object cannot be changed. This allows attackers to change the value of a String object and execute code on the target system. This situation can be exploited by attackers who have access to a vulnerable application running on JDK 9.
Timeline
Published on: 04/01/2022 23:15:00 UTC
Last modified on: 07/25/2022 18:20:00 UTC
References
- https://tanzu.vmware.com/security/cve-2022-22965
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
- http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf
- https://www.oracle.com/security-alerts/cpuapr2022.html
- http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22965