Updated on 2022-10-26 GMT+08:00

Java Spring Framework Remote Code Execution Vulnerability

Spring Framework is a lightweight open-source application framework for developing enterprise Java applications. A remote code execution (RCE) vulnerability rated critical has been disclosed in the Spring Framework. It can be exploited to attack Java applications running on JDK 9 or later.

Vulnerability Name

Zero-Day RCE Vulnerability in the Spring Framework

Affected Versions

  • JDK 9 or later
  • Applications developed using the Spring Framework or derived framework

Mitigation

  1. Buy WAF.
  2. Add the website domain name to WAF and connect it to WAF. For details, see Adding a Domain Name to WAF.
  3. In the Basic Web Protection configuration area, set Mode to Block. For details, see Configuring Basic Web Protection Rules.

    Figure 1 Basic Web Protection

    There are two types of malicious payload in this vulnerability. Whether to enable Header Inspection depends on the type of payloads in your services.

    • Type 1: Malicious payloads are included in submitted parameters. In this situation, Header Inspection can be disabled.
    • Type 2: Malicious payloads are included in a custom header field. In this situation, Header Inspection must be enabled to block attacks.

    Type 2 malicious payloads depend on Type 1 malicious payloads, so whether to enable Header Inspection is determined by your service requirements.