
On March 30, 2022, the National Information Security Vulnerability Sharing Platform (CNVD) published the Spring Framework remote command execution vulnerability (CNVD-2022-23942). An unauthenticated attacker can use this vulnerability to execute commands on the target remotely.

At present the vulnerability's PoC, technical details and exploit have been widely published, and its impact is significant. Spring has released an official patch that fixes the vulnerability. Users of the Spring Framework are strongly advised to update to the latest version immediately.

I. Vulnerability details

Spring Framework is an open source application framework that provides IoC, AOP, MVC and other functions and is designed to reduce the complexity of application development. It is lightweight and loosely coupled, and its layered architecture lets users pick the components they need while still providing a cohesive framework for J2EE application development.

Because of a flaw in the Spring Framework's request-processing logic, an attacker can remotely write a backdoor file to the target host and modify its configuration, then use that backdoor file to gain access to the host.

Most developers who build websites or applications on the Spring Framework or a derivative framework and run them on JDK 9 or later are affected. Because the framework is so widely used, there may also be other exploitation paths that have not yet been reported.

II. Severity

High

Urgent fix recommended!

III. Affected scope

  • Spring Framework < 5.3.18
  • Spring Framework < 5.2.20
  • Websites or applications built on frameworks derived from the Spring Framework

IV. Remediation

Spring has officially released new versions that fix the vulnerability. The security team recommends that application owners check their deployments as soon as possible and upgrade to a fixed version promptly:

  • Spring Framework 5.3.18
  • Spring Framework 5.2.20

Upgrade methods:

1. Update the Spring version via Maven (this property override applies to projects that inherit dependency management from Spring Boot, which defines the spring-framework.version property; projects that declare org.springframework dependencies directly must set the version on each of them). Users on the 5.2 line set 5.2.20 instead:

    <properties>
        <spring-framework.version>5.3.18</spring-framework.version>
    </properties>

2. Update the Spring version via Gradle (again through the Spring Boot dependency-management property; users on the 5.2 line set 5.2.20):

    ext['spring-framework.version'] = '5.3.18'
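To support the self-check recommended above, the following script is an added example (it is not part of the original advisory and not Spring's own tooling). It encodes the affected ranges named in section III (anything below 5.3.18 on the 5.3 line, below 5.2.20 on the 5.2 line, and older release lines) and scans lines of Maven dependency:tree output or jar file names for Spring Framework artifacts that still need upgrading. The artifact list and the sample input lines are assumptions constructed for the example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Fixed versions named in the advisory: the 5.3 line is fixed at 5.3.18 and the
# 5.2 line at 5.2.20. Release lines older than 5.2 are treated as affected.
FIXED_VERSIONS = {(5, 3): 18, (5, 2): 20}

# Artifacts that carry the Spring Framework web/core code. This list is an
# assumption for the check, not something the advisory enumerates.
SPRING_ARTIFACTS = ("spring-core", "spring-beans", "spring-web", "spring-webmvc")

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# Maven dependency:tree line, e.g. "[INFO] |  +- org.springframework:spring-webmvc:jar:5.3.17:compile"
MAVEN_RE = re.compile(r"org\.springframework:([\w-]+):jar:([\w.\-]+):")
# Jar file name, e.g. "spring-core-5.2.19.RELEASE.jar"
JAR_RE = re.compile(r"(spring-\w+)-(\d[\w.\-]*)\.jar$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) for strings like '5.3.17' or '5.3.17.RELEASE'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_affected(version: str) -> bool:
    """True when a Spring Framework version falls inside the advisory's affected ranges."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = parsed
    if (major, minor) in FIXED_VERSIONS:
        return patch < FIXED_VERSIONS[(major, minor)]
    # Lines newer than 5.3 (5.4+, 6.x) are past the fixed versions; older lines are not.
    return (major, minor) < (5, 3)


def find_affected(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs from the input that still need an upgrade."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = MAVEN_RE.search(line) or JAR_RE.search(line.strip())
        if not m:
            continue
        artifact, version = m.group(1), m.group(2)
        if artifact in SPRING_ARTIFACTS and is_affected(version):
            hits.append((artifact, version))
    return hits


# Constructed sample input: a few Maven dependency:tree lines and jar names as
# they might appear in a build log or a deployed lib/ directory listing.
SAMPLE_LINES = [
    "[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.6.5:compile",
    "[INFO] |  +- org.springframework:spring-web:jar:5.3.17:compile",
    "[INFO] |  \\- org.springframework:spring-webmvc:jar:5.3.17:compile",
    "[INFO] +- org.springframework:spring-core:jar:5.3.18:compile",
    "spring-beans-5.2.19.RELEASE.jar",
    "spring-beans-5.2.20.RELEASE.jar",
]

if __name__ == "__main__":
    for artifact, version in find_affected(SAMPLE_LINES):
        print(f"upgrade needed: {artifact} {version}")
```

In practice, pipe the output of `mvn dependency:tree` or an `ls` of the application's lib directory into find_affected; any hit is an artifact that must be moved to 5.3.18 or 5.2.20 as described in the upgrade steps above.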