Two different “VMware Spring” bugs at large – we cut through the confusion (Security News, March 2022)
The CVE-2022-22963 bug exists in a Spring component called Spring Cloud Function, which is an optional module that you can use inside the Spring ecosystem to write your Spring code in what's known as a "Functional" style, where you strip back the code needed for data processing to a minimum.
Patching against the CVE-2022-22963 bug is easy: if you use the Spring Cloud Function module anywhere in your Spring-based ecosystem, upgrade to version 3.1.7 or 3.2.3, depending on which of the two officially supported branches of Spring Cloud Function you have.
The second bug can also lead to remote code execution, so could also be a vector for attackers to implant malware onto unpatched servers, but the bug is in a different part of the Spring code, and patching against the Spring Cloud Function hole won't stop this one.
According to the Spring team, there is also a Spring product bundle known as Spring Boot, which includes the Spring Framework component; the team has also published updated Spring Boot versions 2.5.12 and 2.6.6 that include the patched Spring Framework.
Patch early, patch often! Even if you think the risk of these bugs to your specific Spring setup is small, the excitement around these bugs is high right now, so why be behind when you can be ahead?
Upgrading to Spring Boot version 2.5.12 or 2.6.6 is a convenient way of getting the latest Spring Framework module, which is bundled into the latest Spring Boot package.
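As an added example (not code from the article or the Spring project), the following Python check applies the fixed version numbers quoted above to the parent and dependencies declared in a Maven pom.xml; the artifactId prefixes, the namespace handling and the sample pom are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# First fixed version on each supported branch, as given in the article; a
# version on any other branch is flagged for manual review rather than guessed.
FIXED = {
    "spring-cloud-function": {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)},
    "spring-boot": {(2, 5): (2, 5, 12), (2, 6): (2, 6, 6)},
}

def parse_version(text):
    """Turn '3.1.6' (or '3.1.6.RELEASE') into a (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())

def assess(artifact_id, version):
    """Return 'ok', 'vulnerable' or 'unsupported-branch'; None if not tracked."""
    comp = next((c for c in FIXED if artifact_id.startswith(c)), None)
    if comp is None:
        return None
    v = parse_version(version)
    fixed = FIXED[comp].get(v[:2])
    if fixed is None:
        return "unsupported-branch"
    return "ok" if v >= fixed else "vulnerable"

def audit_pom(pom_xml):
    """Check the parent and every explicitly versioned dependency in a pom.xml."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    findings = {}
    for node in root.findall("m:parent", ns) + root.findall(".//m:dependency", ns):
        art = node.findtext("m:artifactId", default="", namespaces=ns)
        ver = node.findtext("m:version", namespaces=ns)
        status = assess(art, ver) if ver else None  # version-less deps are managed elsewhere
        if status:
            findings[art] = status
    return findings

# Constructed sample pom.xml: unpatched on both affected branches (assumption, not from the article).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><artifactId>spring-boot-starter-parent</artifactId><version>2.6.5</version></parent>
  <dependencies>
    <dependency><artifactId>spring-cloud-function-context</artifactId><version>3.1.6</version></dependency>
    <dependency><artifactId>spring-boot-starter-web</artifactId></dependency>
  </dependencies>
</project>"""
```

Running `audit_pom(SAMPLE_POM)` reports both the Spring Boot parent and the Spring Cloud Function dependency as vulnerable, while the version-less starter is skipped because its version is inherited from the parent.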
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS score) |
|---|---|---|---|
| 2022-04-01 | CVE-2022-22963 | Expression Language Injection vulnerability in multiple products. In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. | 9.8 |