Spring Framework and Spring Cloud Function vulnerabilities: What you need to know

Print Friendly, PDF & Email

Barracuda Web Application Firewall hardware and virtual appliances; Barracuda CloudGen WAF on AWS, Azure, and GCP; Barracuda WAF-as-a-Service; and Barracuda Load Balancer ADC are not affected by Spring Framework (Spring4Shell) and Spring Cloud Function remote code execution (RCE) vulnerabilities. Please revisit this space to stay up to date on these vulnerabilities, as we will continue to share further updates. 

Details of the vulnerabilities

This blog provides updates on recently discovered vulnerabilities in the Spring Framework (CVE-2022-22965 & CVE-2022-22950) and Spring Cloud Function (CVE-2022-22963).

Spring4Shell is a misnomer for all these vulnerabilities combined ( CVE-2022-22965, CVE-2022-22950 & CVE-2022-22963). Spring4Shell refers to CVE-2022-22965. Also, please note that Spring4Shell has no relation to the Log4j vulnerability.

CVE-2022-22963 | CVSS Score: 9.8 | Vendor Severity: Critical | RCE

This vulnerability was reported on March 29, 2022, and it affects Spring Cloud Function only, which is not in the Spring Framework. Spring has already released a newer version to take care of this.

The vulnerability uses routing functionality to provide specially crafted Spring Expression Language (SpEL) as a routing expression to access local resources and perform RCE. It uses a specific HTTP request header named spring.cloud.function.routing-expression.

Barracuda Web Application Firewall, WAF-as-a-Service, and LoadBalancer ADC are not affected by this vulnerability.

CVE-2022-22965 | CVSS Score: 9.8 | Vendor Severity: Critical | RCE | Spring4Shell

This vulnerability affects Spring MVC and Spring WebFlux applications running on JDK 9+. As of the time of writing, public exploits only affect applications running within Tomcat as a WAR deployment and will not work in the case of a Spring Boot executable running as a JAR deployment. However, it may be the case that deployments outside of Tomcat are able to be exploited given further efforts. This is an RCE vulnerability, and it appears to be a bypass of protections set up for CVE-2010-1622.

The steps to configure the signature manually have been updated in the campus documentation.

Barracuda Web Application Firewall, WAF-as-a-Service, and LoadBalancer ADC are not affected by this vulnerability.

CVE-2022-22950 | CVSS Score: 5.4 | Vendor Severity: Medium | DoS

In Spring Framework versions 5.3.0 – 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service condition.

Barracuda Web Application Firewell, WAF-as-a-Service, and LoadBalancer ADC are not affected by this vulnerability.

Attack detection and protection

Barracuda WAF-as-a-Service

We are rolling out new signatures to detect these exploit attempts and block them. These signatures have been updated to handle the evasions, as per the latest information sourced from vendor and Barracuda threat research.

Barracuda Web Application Firewall & Barracuda CloudGen WAF

The latest signatures for these vulnerabilities are being rolled out to units in the field.

For private deployments, we have updated the campus documents with manual steps to mitigate these vulnerabilities. Please note that while these signatures detect variations that have been seen so far, we continue to update them as newer variants are discovered.

As a best practice, we recommend patching your Spring Framework and Spring Cloud Function-based web applications to the latest versions as per the vendor advisory.

To learn more about the new signatures and settings required for this mitigation, please review this campus document.

For any assistance with these settings or questions regarding the attack patterns, contact Barracuda Networks Technical Support.

Update: May 11, 2022

We have stopped the automated rollout of the detection signatures for the Spring4Shell vulnerabilities due to the number of false positives seen in the field.

At this time, it is advised that Barracuda Web Application Firewall customers apply the mitigations stated in the campus article manually. Please reach out to Barracuda Support for assistance, if required.

The Barracuda WAF-as-a-Service rollout has continued, and the signatures are in place. In case of false positives, please reach out to Barracuda Support.

Scroll to top