This topic describes the RCE vulnerability CNVD-2022-23942 that exists in the Spring framework and how to fix the vulnerability.
Vulnerability description
As described in the security notice of the Chinese National Vulnerability Database (CNVD) about CNVD-2022-23942 (tracked upstream as CVE-2022-22965, commonly called "Spring4Shell"),
attackers can exploit the vulnerability to remotely write or modify backdoor files on victim hosts and then use those files to obtain permissions on the hosts.
Vulnerability severity
High
Impact scope
Websites or applications built on the Spring Framework, or on a framework derived from it (such as Spring Boot), at a version earlier than 5.3.18 (5.3.x line) or 5.2.20 (5.2.x line), that also meet all of the following conditions:
- Java Development Kit (JDK) 9 or later is used.
- Apache Tomcat is used as the web container.
- A WAR package is used for deployment.
- The spring-webmvc or spring-webflux dependency is used.
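To turn the version limits and conditions above into something you can run against a deployed artefact, here is an added triage script (not code from the advisory or from the Spring project). It unpacks a WAR, finds the bundled spring-webmvc or spring-webflux jar, compares its version against the fixed releases 5.3.18 and 5.2.20, reads the JDK major version from a `java -version` line (handling the old `1.8.0_x` style), and combines that with the container name. The sample WAR and the version strings it runs on are constructed inline for illustration.

```python
"""Triage helper for CNVD-2022-23942 / CVE-2022-22965 (Spring4Shell).

Added example, not the advisory's or Spring's own code. Applies the four
conditions from the advisory: Spring Framework earlier than 5.3.18 / 5.2.20,
JDK 9 or later, Apache Tomcat as the container, and a WAR that bundles
spring-webmvc or spring-webflux. Sample inputs below are constructed.
"""
import io
import re
import zipfile

# Fixed releases named in the advisory. 5.3.0..5.3.17 is affected on the 5.3
# line; 5.2.x below 5.2.20, and every older line, is "earlier than 5.2.20".
FIXED_5_2 = (5, 2, 20)
FIXED_5_3 = (5, 3, 18)

# Matches WEB-INF/lib/spring-webmvc-5.3.17.jar, spring-webflux-5.2.19.RELEASE.jar, ...
SPRING_JAR_RE = re.compile(r"(?:^|/)spring-(webmvc|webflux)-(\d+\.\d+\.\d+)[^/]*\.jar$")


def parse_version(text):
    """'5.3.17' or '5.3.17.RELEASE' -> (5, 3, 17)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Spring version: {text!r}")
    return tuple(int(x) for x in m.groups())


def spring_version_affected(text):
    """True if this Spring Framework version predates the fixed releases."""
    v = parse_version(text)
    if v[:2] == (5, 3):
        return v < FIXED_5_3
    return v < FIXED_5_2


def jdk_major(version_line):
    """Major JDK version from a `java -version` line; '1.8.0_312' -> 8, '17.0.2' -> 17."""
    m = re.search(r'"?(\d+)(?:\.(\d+))?', version_line)
    if not m:
        raise ValueError(f"unrecognised java version: {version_line!r}")
    major, minor = int(m.group(1)), m.group(2)
    return int(minor) if major == 1 and minor else major


def spring_web_jars(war_bytes):
    """[(module, version), ...] for every spring-webmvc/webflux jar inside the WAR."""
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = SPRING_JAR_RE.search(name)
            if m:
                found.append((m.group(1), m.group(2)))
    return found


def assess(war_bytes, java_version_line, container):
    """Apply the advisory's conditions and return a small report dict.

    'affected' is True only when every listed condition holds. A False result
    still means the Spring jars should be upgraded: the conditions describe the
    known exploitable configuration, not the limits of the bug.
    """
    jars = spring_web_jars(war_bytes)
    old_jars = [f"spring-{mod}-{ver}" for mod, ver in jars if spring_version_affected(ver)]
    jdk = jdk_major(java_version_line)
    on_tomcat = container.strip().lower() == "tomcat"
    return {
        "affected": bool(old_jars) and jdk >= 9 and on_tomcat,
        "vulnerable_jars": old_jars,
        "jdk_major": jdk,
        "tomcat": on_tomcat,
    }


def build_sample_war(spring_version, module="webmvc"):
    """Constructed sample WAR: minimal layout with empty placeholder jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr(f"WEB-INF/lib/spring-core-{spring_version}.jar", b"")
        war.writestr(f"WEB-INF/lib/spring-{module}-{spring_version}.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a 5.3.17 WAR on JDK 17 under Tomcat (affected),
    # and the same WAR on JDK 8 (outside the listed conditions).
    war = build_sample_war("5.3.17")
    print(assess(war, 'openjdk version "17.0.2" 2022-01-18', "tomcat"))
    print(assess(war, 'java version "1.8.0_312"', "tomcat"))
```

On a real host, pass the bytes of the deployed WAR and the first line of `java -version 2>&1`; for Spring Boot fat jars the jar path is `BOOT-INF/lib/`, which the regex also matches because it only looks at the jar file name.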
Fixes
Upgrade the Spring Framework to 5.3.18 or 5.2.20 or later (for Spring Boot applications, to Spring Boot 2.6.6 or 2.5.12 or later, which pull in the fixed Spring Framework release), then rebuild and redeploy the WAR. For more information about the fix, see the Spring blog post "Spring Framework RCE, Early Announcement" (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).