This topic describes the remote code execution (RCE) vulnerability CNVD-2022-23942 in the Spring framework and how to fix it.

Vulnerability description

As described in the security notice of the China National Vulnerability Database (CNVD) about CNVD-2022-23942, attackers can exploit this vulnerability to remotely write and modify backdoor files on victim hosts and then use those backdoor files to obtain permissions on the hosts.

Vulnerability severity

High

Impact scope

  • Websites or applications that are built by using the Spring framework, or a framework derived from it, whose version is earlier than 5.3.18 or 5.2.20 and that meet all of the following conditions:
      • Java Development Kit (JDK) 9 or later is used.
      • Apache Tomcat is used as the web container.
      • A WAR package is used for deployment.
      • The spring-webmvc or spring-webflux dependency is used.
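
As an added triage example (not part of the CNVD notice or the Spring project's own tooling), the following Python script reads a Maven pom.xml and evaluates the impact-scope conditions above: it resolves the spring-webmvc or spring-webflux version, treats releases before 5.3.18 (and 5.2.x releases before 5.2.20) as affected, and combines that with the JDK major version, web container and WAR packaging you supply. The sample pom.xml is constructed for the demonstration and the function names are this example's own.

```python
"""Triage helper for the CNVD-2022-23942 impact scope described above."""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
SPRING_WEB_ARTIFACTS = {"spring-webmvc", "spring-webflux"}

def parse_version(text):
    """'5.3.17.RELEASE' -> (5, 3, 17); stops at the first non-numeric piece."""
    nums = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    return tuple((nums + [0, 0, 0])[:3])

def spring_version_affected(text):
    """Fixed in 5.3.18 and 5.2.20; every older release is treated as affected."""
    v = parse_version(text)
    return v < (5, 3, 18) and not ((5, 2, 20) <= v < (5, 3, 0))

def inspect_pom(pom_xml):
    """Return (version of spring-webmvc/-webflux or None, packaging) from a pom."""
    root = ET.fromstring(pom_xml)
    packaging = root.findtext("m:packaging", default="jar", namespaces=NS)
    props = {p.tag.split("}")[1]: p.text or "" for p in root.findall("m:properties/*", NS)}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if dep.findtext("m:artifactId", default="", namespaces=NS) in SPRING_WEB_ARTIFACTS:
            raw = dep.findtext("m:version", default="", namespaces=NS)
            if raw.startswith("${") and raw.endswith("}"):  # resolve ${spring.version}
                raw = props.get(raw[2:-1], "")
            return raw, packaging
    return None, packaging

def in_impact_scope(pom_xml, jdk_major, container):
    """True only when all of the advisory's conditions hold at once."""
    version, packaging = inspect_pom(pom_xml)
    if version is None:  # neither web module is used: not in scope
        return False
    return (spring_version_affected(version) and jdk_major >= 9
            and container.lower() == "tomcat" and packaging == "war")

# Constructed sample pom.xml (not from any real project) for a quick check.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <packaging>war</packaging>
  <properties><spring.version>5.3.17</spring.version></properties>
  <dependencies><dependency><groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId><version>${spring.version}</version>
  </dependency></dependencies>
</project>"""
```

Call in_impact_scope(SAMPLE_POM, jdk_major=11, container="Tomcat") to see the sample deployment flagged as in scope; raising the version to 5.3.18, switching to JDK 8, a non-Tomcat container or JAR packaging takes it out of scope.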

Fixes

Upgrade the Spring framework to the latest version. For more information about the fix, see Spring Framework RCE, Early Announcement.