

    Security Advisory: Spring users face two new zero-day vulnerabilities
    Vulnerability Overview

    CVE-2022-22963 (CVSS 9.8 (Unofficial) – Critical) – Remote code execution in Spring Cloud Function via a malicious Spring Expression (SpEL)

    A Critical severity vulnerability affecting Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions was disclosed publicly on March 28th. In those versions, when the routing functionality is used, a user can supply a specially crafted SpEL expression as a routing-expression, which may result in remote code execution and access to local resources. The routing-expression is taken from the spring.cloud.function.routing-expression message header, so an attacker only needs to control a request header to reach the vulnerable code path. The issue is fixed in Spring Cloud Function 3.1.7 and 3.2.3.

    CVE-2022-22965 (CVSS 8.1 – High) – Spring Framework RCE via Data Binding on JDK 9+ ("Spring4Shell")

    A High severity vulnerability was responsibly reported to VMware on 29th March. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Spring Framework versions 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19 are reported as vulnerable; older, unsupported versions are also affected. The publicly known exploit additionally requires the application to be packaged as a WAR and deployed on Apache Tomcat, but other exploitation paths may exist, so every affected version should be treated as exploitable. The fix is Spring Framework 5.3.18 and 5.2.20 (Spring Boot 2.6.6 and 2.5.12); where an upgrade is not immediately possible, Spring's documented interim mitigation is to deny binding of "class"-prefixed property paths via a global @ControllerAdvice.
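    The following Java example is added here to illustrate the SpEL evaluation-context difference at the heart of CVE-2022-22963; it is not code from the advisory or from Spring Cloud Function itself. The RoutingMessage class, the routeUnsafe and routeRestricted method names and the sample header values are assumptions made for the demonstration. It contrasts evaluating an attacker-supplied routing expression with a StandardEvaluationContext (full SpEL, including T() type references) against a read-only SimpleEvaluationContext, which exposes only property access on the message.

```java
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class RoutingExpressionDemo {

    // Hypothetical stand-in for the message a routing expression is evaluated against.
    public static class RoutingMessage {
        private final String payload;
        private final String route;
        public RoutingMessage(String payload, String route) { this.payload = payload; this.route = route; }
        public String getPayload() { return payload; }
        public String getRoute() { return route; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // VULNERABLE pattern: a header value is evaluated in a StandardEvaluationContext,
    // which permits T(...) type references, constructors, bean references and method
    // calls on any reachable object. This is the class of bug behind CVE-2022-22963.
    static Object routeUnsafe(String headerExpression, RoutingMessage msg) {
        StandardEvaluationContext ctx = new StandardEvaluationContext(msg);
        return PARSER.parseExpression(headerExpression).getValue(ctx);
    }

    // HARDENED pattern: a read-only data-binding context exposes only property reads
    // on the root object. Type references and method invocation fail to evaluate, so
    // the same attacker string cannot reach JVM-level APIs.
    static Object routeRestricted(String headerExpression, RoutingMessage msg) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(headerExpression).getValue(ctx, msg);
    }

    public static void main(String[] args) {
        RoutingMessage msg = new RoutingMessage("hello", "uppercase");

        // Legitimate use: select the target function from a message property.
        System.out.println(routeUnsafe("route", msg));       // uppercase
        System.out.println(routeRestricted("route", msg));   // uppercase

        // Attacker-controlled header. A benign probe is used here; a real payload would
        // use the same T() mechanism to reach process-execution APIs.
        String probe = "T(java.lang.System).getProperty('java.version')";
        System.out.println(routeUnsafe(probe, msg));         // prints the JVM version: attacker code ran
        try {
            routeRestricted(probe, msg);
            System.out.println("unexpected: probe evaluated");
        } catch (SpelEvaluationException e) {
            System.out.println("rejected: " + e.getMessageCode());
        }
    }
}
```

    Requires spring-expression on the classpath. The practical lesson is that any SpEL string that originates from a request must be evaluated in a SimpleEvaluationContext (or not at all); upgrading Spring Cloud Function to 3.1.7 or 3.2.3 is still the required fix for the library itself.

    The second added example is Spring's published interim mitigation for CVE-2022-22965, reproduced here as illustration rather than as code taken from this advisory. The class name BinderControllerAdvice and the @Order value are assumptions; the denylist patterns are the ones Spring documented. It registers a global @InitBinder that prevents request parameters from binding into any property path beginning with class or Class, which is the path the JDK 9+ data-binding exploit walks (Object.getClass() to ClassLoader and onward).

```java
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Global mitigation applied to every controller's WebDataBinder. A high @Order value
// makes this advice run after other @ControllerAdvice beans so its denylist is the
// last word. Note: a controller that calls setDisallowedFields in its own @InitBinder
// replaces this list locally, so such controllers must add these patterns themselves.
@ControllerAdvice
@Order(10000)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Block "class.*" and "Class.*" at the top level and nested anywhere in a
        // property path; both capitalisations are needed because the binder treats
        // the first character of a nested property name case-insensitively.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

    This is a workaround, not a fix: it blocks the known gadget path but does not remove the underlying binding behaviour, so Spring Framework 5.3.18 / 5.2.20 (Spring Boot 2.6.6 / 2.5.12) should still be deployed as soon as possible.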
