Bug 2070348 (CVE-2022-22965, MI-2022-002)

Summary: CVE-2022-22965 spring-framework: RCE via Data Binding on JDK 9+
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Chess Hazlett <chazlett>
Assignee: Red Hat Product Security <security-response-team>
CC: adsoni, aileenc, alazarot, anstephe, ataylor, avibelli, bgeorges, chazlett, clement.escoffier, dandread, dkreling, drieden, emingora, etirelli, fhirtz, ggaughan, ggrzybek, gmalinko, gsmet, hamadhan, hbraun, ibek, janstey, jburrell, jnethert, jochrist, jrokos, jross, jstastny, jwon, kaycoth, krathod, kverlaen, lsurette, lthon, michal.skrivanek, mnovotny, mperina, mszynkie, pantinor, pdelbell, peholase, pgallagh, pjindal, probinso, rguimara, rkshirsa, rrajasek, rruss, rsvoboda, sbiarozk, sbonazzo, sdouglas, security-response-team, tmielke, tzimanyi, vkumar, vsroka, ymittal
Fixed In Version: spring-webmvc 5.2.20, spring-webmvc 5.3.18, spring-framework 5.2.20, spring-framework 5.3.18
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Spring Framework, specifically in the Spring MVC and Spring WebFlux modules (affected transitively through Spring Beans), when using parameter data binding. This flaw allows an attacker to pass specially constructed malicious requests to certain parameters and possibly gain access to normally restricted functionality within the Java Virtual Machine.
Last Closed: 2022-04-13 16:57:35 UTC
Bug Depends On: 2070626, 2070675
Bug Blocks: 2070180

Description Chess Hazlett 2022-03-30 21:46:04 UTC
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
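
The binding pattern the description refers to, shown as an added example that is not code from this bug report or from the Spring project: a form-backing bean bound straight from request parameters (the affected shape), next to the global @InitBinder mitigation that Spring published for applications that cannot move to the fixed versions listed above right away. Class, package and endpoint names are hypothetical; Spring Web MVC is assumed to be on the classpath.

```java
// Added example, not code from the bug report or from Spring itself.
// Package, class and endpoint names are hypothetical.
package example.databinding;

import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Plain form-backing bean. Spring's data binder takes every request parameter
 * whose name is a resolvable property path on this object and sets it through
 * the BeanWrapper, including nested paths such as "a.b.c".
 */
class Greeting {
    private String name;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}

/**
 * Affected shape: no @InitBinder restricts the property paths, so the binder
 * accepts any path it can resolve. Every object exposes getClass(); on JDK 9+
 * java.lang.Class additionally exposes getModule(), whose ClassLoader is
 * reachable as a further nested property. In a WAR deployed on Tomcat that
 * loader belongs to the container, which is why the description singles out
 * JDK 9+ and Tomcat WAR deployments as the combination the known exploit needs.
 */
@RestController
class GreetingController {
    @PostMapping("/greet")
    public String greet(Greeting greeting) {
        return "hello " + greeting.getName();
    }
}

/**
 * Mitigation from the upstream Spring advisory for deployments that cannot yet
 * upgrade to spring-framework 5.3.18 / 5.2.20: reject any property path that
 * traverses a "class" property. Patterns are matched case-sensitively against
 * the property path, hence the capitalised variants; a path like
 * "class.module.classLoader..." is refused before the BeanWrapper walks it.
 */
@ControllerAdvice
class BinderControllerAdvice {
    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Two caveats a practitioner should check before relying on this: setDisallowedFields replaces the list rather than adding to it, so any controller with its own @InitBinder that calls setDisallowedFields overrides the global advice and must repeat these patterns; and the advice is a workaround only, not a substitute for the fixed versions recorded in this bug, which close the issue in the bean introspection itself rather than at the edge of one binder.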

Comment 25 errata-xmlrpc 2022-04-11 14:08:04 UTC
This issue has been addressed in the following products:

  CEQ 2.2.1-1 (CVE-2022-22965)

Via RHSA-2022:1306 https://access.redhat.com/errata/RHSA-2022:1306

Comment 26 errata-xmlrpc 2022-04-12 18:32:13 UTC
This issue has been addressed in the following products:

  RHINT Camel-K 1.6.5

Via RHSA-2022:1333 https://access.redhat.com/errata/RHSA-2022:1333

Comment 27 errata-xmlrpc 2022-04-13 14:46:04 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10.2

Via RHSA-2022:1360 https://access.redhat.com/errata/RHSA-2022:1360

Comment 28 Product Security DevOps Team 2022-04-13 16:57:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-22965

Comment 29 errata-xmlrpc 2022-04-14 17:09:18 UTC
This issue has been addressed in the following products:

  RHPAM 7.12.1 async

Via RHSA-2022:1378 https://access.redhat.com/errata/RHSA-2022:1378

Comment 30 errata-xmlrpc 2022-04-14 17:33:12 UTC
This issue has been addressed in the following products:

  RHDM 7.12.1 async

Via RHSA-2022:1379 https://access.redhat.com/errata/RHSA-2022:1379

Comment 36 errata-xmlrpc 2022-04-27 09:46:54 UTC
This issue has been addressed in the following products:

  Red Hat AMQ 7.8.6

Via RHSA-2022:1626 https://access.redhat.com/errata/RHSA-2022:1626

Comment 37 errata-xmlrpc 2022-04-27 09:47:15 UTC
This issue has been addressed in the following products:

  Red Hat AMQ 7.9.4

Via RHSA-2022:1627 https://access.redhat.com/errata/RHSA-2022:1627