Share

Information on CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

Customer Alert 20220401

What is CVE-2022-22965 about?

CVE-2022-22965 is a critical-severity vulnerability affecting Spring MVC or Spring WebFlux applications running on JDK 9+. When running on Tomcat as a WAR deployment your applications may be vulnerable to remote code execution (RCE) via data binding. If your application is deployed as a Spring Boot executable jar (the default) it is not vulnerable to the exploit.

 

Based on what we know now, can Waratek Java products remediate this vulnerability?

Yes. Waratek recommends enabling the ARMR Process Forking rule as well as the ARMR File-System Write rule to prevent file writes to the Apache Tomcat folder.

Waratek is also providing all customers an ARMR Remediation Patch that’s functionally equivalent to a vendor patch and will alleviate the need for the ARMR File-System rule.

Contact your Waratek Customer Success Managers for assistance in applying the instant ARMR Remediation Patch at [email protected].

 

Does the vulnerability impact any third party tools I use with Waratek solutions?

We strongly recommend that all customers check third party support and advisory sites. If you have any questions or concerns, you can also contact our Customer Support team at [email protected].

Non-Waratek customers should request a trial license or a live demonstration of Waratek’s protective agents.

 

About Waratek

Some of the world’s leading companies use Waratek’s ARMR Security Platform to patch, secure and upgrade their mission critical applications. A pioneer in the next generation of application security solutions, Waratek makes it easy for security teams to instantly detect and remediate known vulnerabilities with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead.

Waratek is the winner of the 2020 Cyber Defense Magazine’s Cutting Edge Award for Application Security, the Cybersecurity Breakthrough Awards 2019 Overall Web Security Solution of the Year, and is a previous winner of the RSA Innovation Sandbox Award along with more than a dozen other awards and recognitions.