Summary
On March 30th, 2022, a critical zero-day vulnerability (CVE-2022-22965) was disclosed in the Spring Core framework, an open-source framework commonly used with Java applications. The vulnerability has been categorized as "Critical" with a CVSS score of 5.7.
This guide helps you assess whether your organization or third-party vendors are affected and provides clear steps to protect your systems.
Official CVE Details: CVE-2022-22965
🔍 Am I at Risk?
Vulnerability Requirements
Your system is vulnerable only if all of the following conditions are met:
- Running Spring Framework version 5.2.19 or earlier, or version 5.3.17 or earlier
- Using Java Development Kit (JDK) version 9 or newer
- Using Apache Tomcat as the application server
- Application is packaged as a WAR file
- Running either spring-webmvc or spring-webflux dependencies
If your system doesn't meet all of these criteria, you are not vulnerable to this specific CVE.
Assessing Your Third-Party Vendors
To quickly evaluate whether your vendors are at risk:
- Access the Spring Framework Vulnerability Questionnaire in Whistic's Questionnaire Standards Library
- Download the standalone Excel version if you need to share it externally
🛠️ Remediation Steps
Complete Remediation (Recommended)
Update Spring Framework to a patched version:
- Upgrade to Spring Framework version 5.3.18 or 5.2.20
- Test and validate the update before deploying to production
- Apply security best practices:
  - Run all systems as non-privileged users (without administrative privileges)
  - Apply the Principle of Least Privilege to all systems and services
Temporary Mitigation Options
If you cannot patch immediately, implement both of the following mitigations; together they provide significant protection until the upgrade is complete:
Option 1: Configure Web Application Firewall (WAF)
- Add string filters to your WAF that reject variations of "Class.", "class.", and similar patterns
- Rapid7's mitigation documentation provides detailed implementation guidance
Option 2: Implement Controller Advice Denylist
- Use Spring Framework's Controller Advice utility to establish a denylist
- Configure it to reject variations of "Class.", "class.", and similar patterns
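The following is an added example of the Controller Advice denylist described in Option 2; it is not code from this page or from Whistic, and the package name is a hypothetical placeholder. It assumes a Spring Web MVC 5.x application with spring-webmvc on the classpath, and uses the four property-path patterns that Spring published as the recommended denylist for this CVE. The `@InitBinder` method runs for every `@Controller`, and it merges the patterns with any disallowed fields a binder already carries rather than replacing them.

```java
package com.example.mitigation; // hypothetical package name, adjust to your project

import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global data-binder configuration that prevents request parameters from
 * being bound to any property path that passes through "class"/"Class".
 * Because it is a @ControllerAdvice it applies to every @Controller in
 * the application; @Order places it ahead of other advice beans.
 */
@ControllerAdvice
@Order(Ordered.HIGHEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Patterns are matched against bound property paths. Both capitalisations
    // are listed because disallowed-field matching is case-sensitive on the
    // unpatched releases this mitigation targets; the "*." forms cover
    // nested paths such as "someBean.class.classLoader".
    static final String[] CLASS_DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void denyClassPropertyBinding(WebDataBinder binder) {
        // setDisallowedFields replaces the existing array, so merge with any
        // patterns already present instead of silently discarding them.
        Set<String> merged = new LinkedHashSet<>();
        String[] existing = binder.getDisallowedFields();
        if (existing != null) {
            for (String pattern : existing) {
                merged.add(pattern);
            }
        }
        for (String pattern : CLASS_DENYLIST) {
            merged.add(pattern);
        }
        binder.setDisallowedFields(merged.toArray(new String[0]));
    }
}
```

One caveat worth checking in your own code base: a controller that declares its own `@InitBinder` method and calls `setDisallowedFields` there replaces the list again, so such methods need the same four patterns. Treat this as a stop-gap only; the upgrade to 5.3.18 or 5.2.20 in the section above is the real fix.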
❓ FAQ
Does this vulnerability affect Whistic?
No, this vulnerability does not directly impact Whistic. While we use the Spring framework, our underlying architecture and secure programming practices reduce our exposure to this vulnerability. When we learned of this CVE on March 31st, we immediately implemented and tested a WAF configuration with an Application Load Balancer to mitigate any potential risk.
What is a zero-day vulnerability?
A zero-day vulnerability is a security flaw that is discovered and disclosed before the software vendor has an opportunity to create a patch. "Zero-day" refers to the number of days the vendor has had to fix the issue.
Where can I find more technical details about this vulnerability?
Review the official CVE entry at CVE-2022-22965 and Spring's security advisory for comprehensive technical information.
How do I use Whistic to assess my vendors' risk?
Use the Spring Framework Vulnerability Questionnaire available in Whistic's Questionnaire Standards Library. You can send this questionnaire to vendors to quickly determine if they're running affected versions and what remediation steps they've taken.