Posted to users@wicket.apache.org by kyrindorx <ky...@gmail.com> on 2022/04/01 07:20:36 UTC

spring-bean RCE (indirect vulnerability of Servlet/jsp request get/post)

Hello everyone,

The internet developer community found a bug in 
spring-beans/spring-webmvc on 03/30/2022. I would like to know to what 
extent Wicket could be affected by this exploit. I think it should be a 
specific behavior of Spring and the servlet engine (Tomcat was used in 
the exploit), but Wicket is also a servlet-driven web framework.

The exploit used a code injection block with "<% bad java code/cmds %>" 
and bean introspection via a REST service call. What is the opinion of 
the Wicket core team on this issue?

Thanks in advance
Daniel


Sources:
https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751 
(informed by github)
https://tanzu.vmware.com/security/cve-2022-22965
https://github.com/tweedge/springcore-0day-en

Re: spring-bean RCE (indirect vulnerability of Servlet/jsp request get/post)

Posted by kyrindorx <ky...@gmail.com>.
Thank you for your advice and help :)

On 05.04.2022 at 21:54, Andrea Del Bene wrote:
> Also it is worth mentioning that we have an upcoming version (9.9.1) 
> that has Spring core dependency updated to 5.3.18


Re: spring-bean RCE (indirect vulnerability of Servlet/jsp request get/post)

Posted by Andrea Del Bene <an...@gmail.com>.
Also it is worth mentioning that we have an upcoming version (9.9.1) 
that has Spring core dependency updated to 5.3.18

On 05/04/22 21:47, Martin Grigorov wrote:
> Just update/overwrite the Spring version in your pom.xml and all should be
> fine!


Re: spring-bean RCE (indirect vulnerability of Servlet/jsp request get/post)

Posted by Martin Grigorov <mg...@apache.org>.
On Tue, Apr 5, 2022, 13:18 kyrindorx <ky...@gmail.com> wrote:

> Hi,
>
> Thank you for the first answer on this issue. I also have a question
> about https://github.com/MarcGiffing/wicket-spring-boot and an upgrade of
> spring-beans or Spring in general. Do you have a good idea how to upgrade Spring
> to version 5.2.20 or 5.3.18 without an impact on wicket-spring-boot?
> I'll be thankful for any hints :)
>

Just update/overwrite the Spring version in your pom.xml and all should be
fine!


> Background:
>
> https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
>
>
> Greets
> Daniel
>
>

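Martin's advice above is to override the Spring version in the project's pom.xml. The following is an added illustration, not code from the thread or from wicket-spring-boot; it assumes the project inherits from spring-boot-starter-parent (which is what wicket-spring-boot builds on), where the Spring Framework version is exposed as the `spring-framework.version` property, and the Boot version and project coordinates shown are placeholders.

```xml
<!-- Added example (not from the thread): pinning the Spring Framework
     version in a Maven project that inherits from spring-boot-starter-parent.
     Spring Boot's parent manages all org.springframework artifacts through
     the spring-framework.version property, so overriding that one property
     moves spring-beans, spring-webmvc, spring-core etc. together. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <!-- placeholder: keep whatever Boot version the project already uses -->
    <version>2.6.5</version>
  </parent>

  <!-- placeholder coordinates -->
  <groupId>com.example</groupId>
  <artifactId>my-wicket-app</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- 5.3.18 is the fixed 5.3.x release named in the thread;
         projects on the 5.2.x line would use 5.2.20 instead. -->
    <spring-framework.version>5.3.18</spring-framework.version>
  </properties>

  <!-- Without the Boot parent, the equivalent is importing the
       org.springframework:spring-framework-bom:5.3.18 (type pom,
       scope import) under dependencyManagement. -->
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.springframework` lists which Spring artifacts actually resolve, so you can confirm that nothing (wicket-spring included) still pulls in an older release transitively.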
Re: spring-bean RCE (indirect vulnerability of Servlet/jsp request get/post)

Posted by kyrindorx <ky...@gmail.com>.
Hi,

Thank you for the first answer on this issue. I also have a question 
about https://github.com/MarcGiffing/wicket-spring-boot and an upgrade of 
spring-beans or Spring in general. Do you have a good idea how to upgrade Spring 
to version 5.2.20 or 5.3.18 without an impact on wicket-spring-boot? 
I'll be thankful for any hints :)

Background:

https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751


Greets
Daniel


On 01.04.2022 at 20:17, Martin Grigorov wrote:
> Hi,
>
> I don't think a normal Wicket application is vulnerable to this attack.
> But I recommend you to update Spring in your applications anyway.
>

Re: spring-bean RCE (indirect vulnerability of Servlet/jsp request get/post)

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

I don't think a normal Wicket application is vulnerable to this attack.
But I recommend you to update Spring in your applications anyway.

On Fri, Apr 1, 2022, 10:21 kyrindorx <ky...@gmail.com> wrote:

> Hello everyone,
>
> The internet developer community found a bug in
> spring-beans/spring-webmvc on 03/30/2022. I would like to know to what
> extent Wicket could be affected by this exploit. I think it should be a
> specific behavior of Spring and the servlet engine (Tomcat was used in
> the exploit), but Wicket is also a servlet-driven web framework.
>
> The exploit used a code injection block with "<% bad java code/cmds %>"
> and bean introspection via a REST service call. What is the opinion of
> the Wicket core team on this issue?
>
> Thanks in advance
> Daniel
>
>
> Sources:
> https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
> (informed by github)
> https://tanzu.vmware.com/security/cve-2022-22965
> https://github.com/tweedge/springcore-0day-en