Article - CS366559

ThingWorx Spring4shell CVE-2022-22965 vulnerability incident response

Modified: 13-Oct-2022   


Applies To

  • ThingWorx Platform 9.0 to 9.3
  • Affected versions of Spring framework
  •     5.3.0 to 5.3.17
  •     5.2.0 to 5.2.19
  •     Older, unsupported versions are also affected

Description

  • A new vulnerability defined as Spring4shell CVE-2022-22965 was recently reported against the popular Java framework Spring Core on JDK9+
  • Other reported vulnerabilities -
    • CVE-2022-22963 (Spring Cloud) - In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in access to local resources
      • ThingWorx and its platform components are not affected by this issue
    • CVE-2022-22950 (Spring Expression) - In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. Spring Expression can lead to Denial of Service if not properly mitigated
      • ThingWorx and its platform components are not affected by this issue
  • These vulnerabilities, if not addressed, can allow remote code execution (RCE) which would permit attackers to execute arbitrary code on the machine and compromise the entire host
  • These are the requirements for the specific vulnerable scenario from the report:
    •     JDK 9 or higher
    •     Apache Tomcat as the Servlet container
    •     Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
    •     spring-webmvc or spring-webflux dependency
    •     Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
  • Note: The nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet
This is a PDF version of Article CS366559 and may be out of date. For the latest version click https://www.ptc.com/en/support/article/CS366559