cve-2022-22965(spring core rce 漏洞)造成的影响可能没有想象中大?

2022-04-01 10:24:33 +08:00
 yazinnnn

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

https://tanzu.vmware.com/security/cve-2022-22965

Vulnerability The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Am I Impacted? These are the requirements for the specific scenario from the report:

JDK 9 or higher Apache Tomcat as the Servlet container Packaged as a traditional WAR (in contrast to a Spring Boot executable jar) spring-webmvc or spring-webflux dependency Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions However, the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.

需要打包成 war + jdk9+版本才会触发漏洞

新项目一般都是 jar 打包,老项目一般不用 jdk9+,是不是这个道理?

2833 次点击
所在节点    Java
9 条回复
XhstormR02
2022-04-01 10:31:38 +08:00
right 新架构都是 jar 包跑了 老架构还在用 jdk8 笑死
XhstormR02
2022-04-01 10:32:07 +08:00
但是不排除有其他利用方式 除了 tomcat
annt123
2022-04-01 10:35:03 +08:00
通杀的 POC 没放出来
Phoa
2022-04-01 10:38:11 +08:00
雷声大雨点小
chendy
2022-04-01 10:40:47 +08:00
总有人想搞个大新闻
dbpe
2022-04-01 11:28:13 +08:00
@annt123 spring 通杀?
lanyi96
2022-04-01 14:30:14 +08:00
不是,太片面了。jar 打包的只是无法写入 webshell,不代表没有其他方法 getshell 。
yedanten
2022-04-01 15:42:04 +08:00
jre9+这一个条件就注定了没多大波及面
v2orz
2022-04-01 16:01:19 +08:00
tomcat war 只是比较容易 getshell ,别的应该也可以

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/844249

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX