Updated on 2024-03-14 GMT+08:00

Java Spring Framework Remote Code Execution Vulnerability

Spring Framework is a lightweight open-source application framework for developing enterprise Java applications. A remote code execution (RCE) vulnerability was disclosed in the Spring Framework and classified as critical. It can be exploited to attack Java applications running on JDK 9 or later.

Vulnerability Name

Zero-Day RCE Vulnerability in the Spring Framework

Affected Versions

  • JDK 9 or later
  • Applications developed using the Spring Framework or derived framework

Mitigation

  1. Apply for a Dedicated WAF Engine.
  2. Add the website domain name to WAF and connect it to WAF.

  3. In the Basic Web Protection configuration area, set Mode to Block. For details, see Configuring Basic Protection Rules to Defend Against Common Web Attacks.

    Malicious payloads for this vulnerability come in two types. Whether you need to enable Header Inspection depends on which type your services may receive.

    • Type 1: Malicious payloads are included in submitted parameters. In this situation, Header Inspection can be disabled.
    • Type 2: Malicious payloads are included in a custom header field. In this situation, Header Inspection must be enabled to block attacks.

    Type 2 malicious payloads depend on Type 1 malicious payloads, so whether to enable Header Inspection is determined by your service requirements.