KB Article #182087
Zero-Day Vulnerability in Java Spring Framework "Spring4Shell"
Problem
-- Is API Gateway vulnerable to the zero-day vulnerability discovered in the Java Spring Framework ("Spring4Shell", CVE-2022-22965)?
https://spring.io/blog/2022/03/31/spring-framework...
https://tanzu.vmware.com/security/cve-2022-22965
https://www.lunasec.io/docs/blog/spring-rce-vulner...
https://www.rapid7.com/blog/post/2022/03/30/spring...
Resolution
* At the time of writing, none of the following Spring vulnerabilities is exploitable through API Gateway:
CVE-2022-22965 - the Spring Framework RCE zero-day ("Spring4Shell")
Spring Framework RCE, Early Announcement
NVD - CVE-2022-22965 (nist.gov)
The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The publicly known exploit chain additionally needs the application deployed as a WAR on Apache Tomcat and Spring data binding of request parameters onto plain Java objects; Spring's advisory notes that the underlying data-binding issue is more general than that one chain.
API Gateway runs on JDK 8, not JDK 9+, so the known exploit path (which reaches the class loader through java.lang.Module, available only on JDK 9+) does not apply.
API Gateway does not invoke, and provides no filters or other services that invoke, the affected Spring MVC and Spring WebFlux request-binding APIs.
API Gateway does use Spring to communicate with Cassandra; however, the Spring vulnerabilities are not exploitable through that usage.
CVE-2022-22963 - the Spring Cloud vulnerability
CVE report published for Spring Cloud Function
NVD - CVE-2022-22963 (nist.gov)
API Gateway does not invoke, and provides no filters or other services that invoke, the Spring Cloud Function APIs (the vulnerability is a SpEL injection through the routing-expression header).
CVE-2022-22950 - the Spring Expression DoS vulnerability
CVE report published for Spring Framework
NVD - CVE-2022-22950 (nist.gov)
API Gateway does not evaluate Spring SpEL expressions, and provides no filters or other services that do.
CVE-2021-22096
CVE-2021-22096: Log Injection in Spring Framework | Security | VMware Tanzu
NVD - CVE-2021-22096 (nist.gov)
API Gateway does not invoke, and provides no filters or other services that invoke, the affected Spring APIs with user-supplied input (the issue is that unsanitized input could be written to the log as additional log entries).
* However, vulnerability scanners will still report these CVEs against older API Gateway versions, because they match on the bundled Spring module versions rather than on reachable code. This has been resolved in the May 2022 and later releases via RDAPI-27028, which updated Spring and removed unnecessary and unused Spring components.
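Because scanners flag on module version, the practical check before and after upgrading is to read the actual Spring jar versions on the appliance and confirm the JDK major. The script below is an added example, not code from this KB article or from the API Gateway product. It assumes nothing about the install layout: you pass the directory to scan on the command line (the Gateway install root is yours to supply), and the embedded jar list is constructed for the offline demonstration. The fixed versions come from the linked Spring and NVD advisories (5.3.18/5.2.20 for CVE-2022-22965, 5.3.17/5.2.20 for CVE-2022-22950, 5.3.11/5.2.18 for CVE-2021-22096, and Spring Cloud Function 3.2.3/3.1.7 for CVE-2022-22963).

```python
"""Added example for the KB article above; not Broadcom/Layer7 code.

Finds Spring Framework and Spring Cloud Function jars under a directory and
reports whether each is at or past the fixed release for the four CVEs the
article lists. Also maps `java -version` output to a major number, since the
known CVE-2022-22965 exploit chain needs JDK 9+.
"""
import os
import re
import subprocess
import sys

# Spring Framework modules; these artifacts share the framework version number.
FRAMEWORK_MODULES = {
    "spring-aop", "spring-aspects", "spring-beans", "spring-context",
    "spring-context-support", "spring-core", "spring-expression", "spring-jcl",
    "spring-jdbc", "spring-jms", "spring-messaging", "spring-orm", "spring-oxm",
    "spring-tx", "spring-web", "spring-webflux", "spring-webmvc", "spring-websocket",
}
# First fixed release per maintained branch, per the Spring/NVD advisories.
FRAMEWORK_FIXED = {
    "CVE-2022-22965": {"5.3": (5, 3, 18), "5.2": (5, 2, 20)},
    "CVE-2022-22950": {"5.3": (5, 3, 17), "5.2": (5, 2, 20)},
    "CVE-2021-22096": {"5.3": (5, 3, 11), "5.2": (5, 2, 18)},
}
CLOUD_FUNCTION_FIXED = {
    "CVE-2022-22963": {"3.2": (3, 2, 3), "3.1": (3, 1, 7)},
}
# spring-webmvc-5.3.16.RELEASE.jar, spring-core-5.3.18.jar, ...-3.2.2-SNAPSHOT.jar
JAR_RE = re.compile(r"^(spring-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z0-9.-]+)?\.jar$")
JAVA_VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?')

def _status(version, fixed_by_branch):
    """'fixed', 'flagged' (below the fix on a maintained branch), or
    'unsupported-branch' (older than every maintained branch, so never patched)."""
    branch = f"{version[0]}.{version[1]}"
    if branch in fixed_by_branch:
        return "fixed" if version >= fixed_by_branch[branch] else "flagged"
    return "unsupported-branch" if version < min(fixed_by_branch.values()) else "fixed"

def jar_findings(filename):
    """Return [(cve, status), ...] for a Spring jar this check knows about, or
    None for anything else. spring-data-* jars carry their own version line
    and must not be compared against the framework fixes, so they return None."""
    m = JAR_RE.match(os.path.basename(filename))
    if not m:
        return None
    artifact = m.group(1)
    version = tuple(int(x) for x in m.group(2, 3, 4))
    if artifact.startswith("spring-cloud-function-"):
        table = CLOUD_FUNCTION_FIXED
    elif artifact in FRAMEWORK_MODULES:
        table = FRAMEWORK_FIXED
    else:
        return None
    return [(cve, _status(version, fixed)) for cve, fixed in table.items()]

def scan_tree(root):
    """Map every recognised Spring jar under root to its findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            findings = jar_findings(name)
            if findings:
                results[os.path.join(dirpath, name)] = findings
    return results

def java_major(version_output):
    """'1.8.0_322' -> 8, '11.0.14' -> 11, '17' -> 17; None if unparseable."""
    m = JAVA_VERSION_RE.search(version_output)
    if not m:
        return None
    major = int(m.group(1))
    return int(m.group(2)) if major == 1 and m.group(2) else major

def installed_java_major():
    """`java -version` prints to stderr; None if java is not on PATH."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return java_major(out.stderr)

def flagged_jars(results):
    """Paths with at least one finding that is not 'fixed'."""
    return sorted(path for path, findings in results.items()
                  if any(status != "fixed" for _, status in findings))

# Constructed sample listing (not from a real appliance) for the offline demo.
SAMPLE_JARS = [
    "lib/spring-webmvc-5.3.16.RELEASE.jar",
    "lib/spring-core-5.3.18.jar",
    "lib/spring-cloud-function-context-3.2.2.jar",
    "lib/spring-data-cassandra-3.3.2.jar",
]

def main(argv):
    if len(argv) > 1:
        results = scan_tree(argv[1])  # the install root you want checked
    else:
        results = {p: jar_findings(p) for p in SAMPLE_JARS if jar_findings(p)}
    for path in sorted(results):
        print(path)
        for cve, status in results[path]:
            print(f"    {cve}: {status}")
    print(f"JDK major: {installed_java_major()} (known CVE-2022-22965 exploit chain needs 9+)")
    return 1 if flagged_jars(results) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 spring_check.py /path/to/gateway` on the appliance; a non-zero exit means at least one jar is below a fixed release, which is exactly the condition a scanner keys on even when, as the article explains, the vulnerable code is unreachable. Note that only Spring Framework and Spring Cloud Function artifacts are compared; other `spring-*` jars (Spring Data, for instance) have independent version lines and are skipped rather than misreported.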