CVE-2022-22965
Publication date 1 April 2022
Last updated 18 December 2024
Ubuntu priority
Cvss 3 Severity Score
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Status
Package | Ubuntu Release | Status |
---|---|---|
libspring-java | 24.10 oracular |
Fixed 4.3.30-2ubuntu0.24.10.1
|
24.04 LTS noble |
Fixed 4.3.30-2ubuntu0.24.04.1~esm1
|
|
22.04 LTS jammy |
Fixed 4.3.30-1ubuntu0.1~esm1
|
|
20.04 LTS focal |
Fixed 4.3.22-4ubuntu0.1~esm1
|
|
18.04 LTS bionic |
Fixed 4.3.22-1~18.04.1~esm1
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty |
Not affected
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProSeverity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 · Critical |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-7165-1
- Spring Framework vulnerability
- 17 December 2024
Other references
- https://bugalert.org/content/notices/2022-03-30-spring.html
- https://tanzu.vmware.com/security/cve-2022-22965
- https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- https://github.com/spring-projects/spring-framework/issues/28260
- https://www.cve.org/CVERecord?id=CVE-2022-22965
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog