Recently there was a remote code execution vulnerability found in the Spring Framework. The vulnerability impacts Spring MVC and Spring WebFlux applications running JDK 9+.

In order to determine if you are impacted, the following requirements must be met:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container.
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar).
  • spring-webmvc or spring-webflux dependency.
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.

The mitigation for the vulnerability is to upgrade Spring Framework to 5.3.18+ and 5.2.20+. No other workarounds are necessary.

For older, unsupported Spring Framework versions, upgrading to Apache Tomcat 10.0.20, 9.0.62, or 8.5.78 provides protection against the reported attack vector.

What CyberMaxx is doing in response:

  1. CyberMaxx’s infrastructure and products are not impacted by this vulnerability
  2. We are monitoring indicators of compromise and establishing alerts for our security products as information becomes available

If you have questions, please contact your CyberMaxx Account Manager or our Security Operations Center at 888-468-1418.

References:

Table of Contents

    Decoding AI in Security Operations​: Realities, Challenges, and Solutions

    Decoding AI in Security Operations​: Realities, Challenges, and Solutions

    Webinars and Panels

    1 min

    Understanding Cybersecurity Compliance: Federal and State Regulations

    Understanding Cybersecurity Compliance: Federal and State Regulations

    Articles

    4 min

    About the Author
    Jon Matthews

    Author: Jon Matthews

    Contact: authors@cybermaxx.com

    Jon Matthews is a highly experienced and trusted leader in computer and network forensics with over twelve years of experience. He leads investigations around high-profile digital forensic and incident response matters helping clients determine the root cause and extent of breaches. Jon retired from the U.S. Army with over 20 years of service. He was a Special Agent with U.S. Army Counterintelligence for nine years and specialized in digital forensics for espionage and APT investigations. Jon also worked with Aon's Cyber Solutions (Stroz Friedberg) leading their Washington, DC forensic lab and conducting digital forensic and incident response investigations for two and a half years. Education, Certifications, and Training: Jon holds a Bachelor of Science degree in Computer Networks Security from the University of Maryland University College, and holds a Graduate Certificate in Incident Response from the SANS Technology Institute. Jon was a certified Computer Crime Investigator while working in the U.S. Army. His certifications include being a CISSP, Certified Incident Handler, Certified Forensic Analyst, Network Forensic Analyst, Reverse Engineering Malware, Advanced Smartphone Forensics, Certified Ethical Hacker, Secure Infrastructure Specialist, A +, Network +, and Security +.

    View More