Spring Framework RCE via Data Binding on JDK 9+:CVE-2022-22965 #7817

Closed
mjs8002 opened this issue Apr 1, 2022 · 6 comments
Comments

@mjs8002

mjs8002 commented Apr 1, 2022

Jetty version(s)
9.4.43.v20210629
Java version/vendor (use: java -version)
jdk 1.9
OS type/version
linux
Description
Do not report security issues here! See Jetty Security Reports.
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

These are the prerequisites for the exploit:

JDK 9 or higher
Apache Tomcat as the Servlet container
Packaged as WAR
spring-webmvc or spring-webflux dependency
How to reproduce?

We find that Jetty (Java HTTP Servlet Server) depends on spring-beans in jetty-spring.
Is there a plan to fix it?

@mjs8002 mjs8002 added the Bug For general bugs on Jetty side label Apr 1, 2022
@joakime
Contributor

joakime commented Apr 1, 2022

Jetty 10.0.0+ does not have jetty-spring.
And the use of jetty-spring is only for old users of Spring, from the days before Spring Boot, Spring MVC, or Spring WebFlux.

Duplicate of Issue #6756 fixed in PR #7813

@joakime joakime closed this as completed Apr 1, 2022
@joakime
Contributor

joakime commented Apr 1, 2022

If you are using Java 9+, why are you not using Jetty 10+? (which is designed for the post Java 8 runtime world we live in now)

Jetty 9.x only exists for those users that are stuck on Java 8.

@joakime joakime added Duplicate and removed Bug For general bugs on Jetty side labels Apr 1, 2022
@mjs8002
Author

mjs8002 commented Apr 2, 2022

If you are using Java 9+, why are you not using Jetty 10+? (which is designed for the post Java 8 runtime world we live in now)

Jetty 9.x only exists for those users that are stuck on Java 8.

If we use Jetty 9.x on Java 8, are we not affected by this bug?

@olamy
Member

olamy commented Apr 2, 2022

If you are using Java 9+, why are you not using Jetty 10+? (which is designed for the post Java 8 runtime world we live in now)
Jetty 9.x only exists for those users that are stuck on Java 8.

If we use Jetty 9.x on Java 8, are we not affected by this bug?

Please read the announcement from VMware here: https://tanzu.vmware.com/security/cve-2022-22965
As you said, there is:

The specific exploit requires the application to run on Tomcat as a WAR deployment.

@joakime
Contributor

joakime commented Apr 2, 2022

If you are using Java 9+, why are you not using Jetty 10+? (which is designed for the post Java 8 runtime world we live in now)
Jetty 9.x only exists for those users that are stuck on Java 8.

If we use Jetty 9.x on Java 8, are we not affected by this bug?

For you to be impacted by CVE-2022-22965, all of the following must be true.

  1. You are using spring-mvc or spring-webflux
  2. You are using Tomcat standalone
  3. You are using WAR deployment
  4. You are using a Java 9+ runtime environment.
  5. You are using Spring version 5.3.17 (or older)

To break this down in terms for Jetty ...

Nothing in Jetty uses spring-mvc or spring-webflux. (point 1)
We are Jetty, not Tomcat. (point 2)
We do have WAR deployment, but the vulnerability is with the Tomcat WAR classloader (which Jetty doesn't have). (point 3)
If you are using Java 9+, you are recommended to use Jetty 10+. (point 4)
We do have Spring, but only spring-beans (which is unaffected) in Jetty 9's jetty-spring feature. (point 5)
Jetty 10+ does not have the jetty-spring feature. (point 4 and point 5)
The jetty-spring feature is for configuring the Jetty server with Spring, not a WAR or webapp. (point 3, point 4, and point 5)
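
The five-point checklist above, turned into an audit helper as an added example (this is not code from the issue thread or from the Jetty project). It parses constructed sample lines in the format of `mvn dependency:list` output and constructed `java -version` strings, then reports which prerequisites hold for a given deployment. The fix versions it compares against, Spring Framework 5.3.18 and 5.2.20, come from the VMware advisory linked earlier in the thread; the branch-aware comparison goes slightly beyond the "5.3.17 (or older)" wording above, since the 5.2.x line was fixed separately in 5.2.20. The `Deployment` record, the sample dependency lists and the JDK strings are constructed for illustration.

```python
"""Audit helper for the CVE-2022-22965 prerequisites listed in this thread.

Added example; not code from the Jetty issue or the Jetty project. The
dependency lines and `java -version` strings below are constructed samples.
Fix versions: Spring Framework 5.3.18 and 5.2.20 (VMware advisory).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# One line of `mvn dependency:list` output:
#   [INFO]    groupId:artifactId:type[:classifier]:version:scope
DEP_RE = re.compile(
    r"^\s*(?:\[INFO\]\s*)?(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[\w.\-]+):(?P<scope>\w+)\s*$"
)
SPRING_GROUP = "org.springframework"
WEB_ARTIFACTS = {"spring-webmvc", "spring-webflux"}   # prerequisite 1
# First fixed release per maintained branch at disclosure time.
FIX_VERSIONS = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}


def java_major_from_version_output(text: str) -> int:
    """Map `java -version` output to a feature-release number.

    Pre-9 JDKs print "1.8.0_312"; 9+ print "9", "11.0.14", "17.0.2".
    """
    m = re.search(r'version "(\d+)(?:\.(\d+))?', text)
    if not m:
        raise ValueError("no version string in: %r" % text)
    first, second = int(m.group(1)), m.group(2)
    return int(second) if first == 1 and second else first


def spring_framework_fixed(version: str) -> bool:
    """True when a Spring Framework version already contains the fix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)   # tolerates a ".RELEASE" suffix
    if not m:
        raise ValueError("unparseable Spring version: %r" % version)
    major, minor, patch = (int(x) for x in m.groups())
    branch = (major, minor)
    if branch in FIX_VERSIONS:
        return (major, minor, patch) >= FIX_VERSIONS[branch]
    # Branches newer than 5.3 shipped after the fix; older ones are EOL and unfixed.
    return branch > (5, 3)


def spring_web_artifacts(dependency_lines: List[str]) -> Dict[str, str]:
    """Return {artifact: version} for spring-webmvc / spring-webflux entries."""
    found = {}
    for line in dependency_lines:
        m = DEP_RE.match(line)
        if m and m["group"] == SPRING_GROUP and m["artifact"] in WEB_ARTIFACTS:
            found[m["artifact"]] = m["version"]
    return found


@dataclass
class Deployment:
    dependency_lines: List[str]
    container: str            # "tomcat", "jetty", ...
    packaging: str            # "war" or "jar"
    java_version_output: str  # raw `java -version` text


def assess(d: Deployment) -> Dict[str, bool]:
    """Evaluate the five prerequisites; the known exploit needs all of them."""
    web = spring_web_artifacts(d.dependency_lines)
    checks = {
        "spring_mvc_or_webflux": bool(web),
        "tomcat_container": d.container.lower() == "tomcat",
        "war_packaging": d.packaging.lower() == "war",
        "java_9_plus": java_major_from_version_output(d.java_version_output) >= 9,
        "unfixed_spring": any(not spring_framework_fixed(v) for v in web.values()),
    }
    checks["all_preconditions_met"] = all(checks.values())
    return checks


# Constructed samples (not real project output).
TOMCAT_WAR_DEPS = [
    "[INFO]    org.springframework:spring-webmvc:jar:5.3.17:compile",
    "[INFO]    org.springframework:spring-beans:jar:5.3.17:compile",
    "[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.58:provided",
]
JETTY_SPRING_DEPS = [
    "[INFO]    org.springframework:spring-beans:jar:5.2.19.RELEASE:compile",
    "[INFO]    org.eclipse.jetty:jetty-spring:jar:9.4.43.v20210629:compile",
]
JDK17 = 'openjdk version "17.0.2" 2022-01-18'
JDK8 = 'openjdk version "1.8.0_312"'

if __name__ == "__main__":
    for label, dep in (
        ("Spring MVC WAR on Tomcat, JDK 17", Deployment(TOMCAT_WAR_DEPS, "tomcat", "war", JDK17)),
        ("Same WAR on Jetty 9, JDK 17", Deployment(TOMCAT_WAR_DEPS, "jetty", "war", JDK17)),
        ("Jetty 9 with jetty-spring, JDK 8", Deployment(JETTY_SPRING_DEPS, "jetty", "war", JDK8)),
    ):
        print(label, assess(dep))
```

The jetty-spring sample only carries spring-beans, so prerequisite 1 fails and the known exploit chain does not apply, which is the point made above; the opening of the thread still notes that the underlying vulnerability is more general than that one chain, so an unfixed spring-beans should be upgraded regardless of what the checklist says.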

@MrAkansh

MrAkansh commented Apr 5, 2022

If you are using Java 9+, why are you not using Jetty 10+? (which is designed for the post Java 8 runtime world we live in now)
Jetty 9.x only exists for those users that are stuck on Java 8.

If we use Jetty 9.x on Java 8, are we not affected by this bug?

For you to be impacted by CVE-2022-22965, all of the following must be true.

  1. You are using spring-mvc or spring-webflux
  2. You are using Tomcat standalone
  3. You are using WAR deployment
  4. You are using a Java 9+ runtime environment.
  5. You are using Spring version 5.3.17 (or older)

To break this down in terms for Jetty ...

Nothing in Jetty uses spring-mvc or spring-webflux. (point 1)
We are Jetty, not Tomcat. (point 2)
We do have WAR deployment, but the vulnerability is with the Tomcat WAR classloader (which Jetty doesn't have). (point 3)
If you are using Java 9+, you are recommended to use Jetty 10+. (point 4)
We do have Spring, but only spring-beans (which is unaffected) in Jetty 9's jetty-spring feature. (point 5)
Jetty 10+ does not have the jetty-spring feature. (point 4 and point 5)
The jetty-spring feature is for configuring the Jetty server with Spring, not a WAR or webapp. (point 3, point 4, and point 5)

@joakime, thanks a lot for analysing this in detail for the Jetty 9.x users' world.
