A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCisco Cx Cloud Agent
APPCisco< 2.1.0Oracle Commerce Platform
APPOracle11.3.2Oracle Communications Cloud Native Core Automated Test Suite
APPOracle1.9.022.1.0Oracle Communications Cloud Native Core Binding Support Function
APPOracle22.1.3Oracle Communications Cloud Native Core Console
APPOracle1.9.022.1.0Oracle Communications Cloud Native Core Network Exposure Function
APPOracle22.1.0Oracle Communications Cloud Native Core Network Function Cloud Native Environment
APPOracle1.10.022.1.0Oracle Communications Cloud Native Core Network Repository Function
APPOracle1.15.022.1.0Oracle Communications Cloud Native Core Network Slice Selection Function
APPOracle1.15.01.8.022.1.0Oracle Communications Cloud Native Core Policy
APPOracle1.15.022.1.0Oracle Communications Cloud Native Core Security Edge Protection Proxy
APPOracle1.7.022.1.0Oracle Communications Cloud Native Core Unified Data Repository
APPOracle1.15.022.1.0Oracle Communications Policy Management
APPOracle12.6.0.0.0Oracle Communications Unified Inventory Management
APPOracle7.4.17.4.27.5.0Oracle Financial Services Analytical Applications Infrastructure
APPOracle8.1.18.1.2.0Oracle Financial Services Behavior Detection Platform
APPOracle8.1.1.08.1.1.18.1.2.0Oracle Financial Services Enterprise Case Management
APPOracle8.1.1.08.1.1.18.1.2.0Oracle JDK
APPOracle≥ 9Oracle MySQL Enterprise Monitor
APPOracle< 8.0.29Oracle Product Lifecycle Analytics
APPOracle3.6.1Oracle Retail Bulk Data Integration
APPOracle16.0.3Oracle Retail Customer Management And Segmentation Foundation
APPOracle17.018.019.0Oracle Retail Financial Integration
APPOracle14.1.3.215.0.3.116.0.319.0.1Oracle Retail Integration Bus
APPOracle14.1.3.215.0.3.116.0.319.0.1Oracle Retail Merchandising System
APPOracle16.0.319.0.1Oracle Retail Xstore Point Of Service
APPOracle20.0.121.0.0Oracle Sd Wan Edge
APPOracle9.09.1Oracle Weblogic Server
APPOracle12.2.1.3.012.2.1.4.014.1.1.0.0Siemens Operation Scheduler
APPSiemens< 2.0.4Siemens Simatic Speech Assistant For Machines
APPSiemens< 1.2.1
CISA KEV — detailsi
- Vendori
- VMware ↗
- Producti
- Spring Framework
- Added to KEVi
- April 4, 2022
- Remediation deadline (US Federal)i
- April 25, 2022(overdue)
Apply updates per vendor instructions.
Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Related vulnerabilities
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionalit...
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection ...
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-defau...
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features u...
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....