V2EX = way to explore V2EX 是一个关于分享和探索的地方
Sign Up Now For Existing Member Sign In
This topic created in 1489 days ago, the information mentioned may be changed or developed.
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://tanzu.vmware.com/security/cve-2022-22965
Vulnerability The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Am I Impacted? These are the requirements for the specific scenario from the report:
JDK 9 or higher Apache Tomcat as the Servlet container Packaged as a traditional WAR (in contrast to a Spring Boot executable jar) spring-webmvc or spring-webflux dependency Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions However, the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.
需要打包成 war + jdk9+版本才会触发漏洞
新项目一般都是 jar 打包,老项目一般不用 jdk9+,是不是这个道理?
 | 1 XhstormR02 Apr 1, 2022 via Android right 新架构都是 jar 包跑了 老架构还在用 jdk8 笑死 |
| 2 XhstormR02 Apr 1, 2022 via Android 是不排除有其他利用方式 除了 tomcat |
 | 3 annt123 Apr 1, 2022  1 通杀的 POC 没放出来 |
 | 4 Phoa Apr 1, 2022 雷声大雨点小 |
 | 5 chendy Apr 1, 2022 总有人想搞个大新闻 |
 | 7 lanyi96 Apr 1, 2022 不是,太片面了。jar 打包的只是无法写入 webshell,不代表没有其他方法 getshell 。 |
 | 8 yedanten Apr 1, 2022 via Android jre9+这一个条件就注定了没多大波及面 |
 | 9 v2orz Apr 1, 2022 tomcat war 只是比较容易 getshell ,别的应该也可以 |
Select Language