Forum Discussion

PSilva
Ret. Employee
Mar 31, 2022

Mitigate the Spring Framework (Spring4Shell) and Spring Cloud Vulnerabilities with BIG-IP

UPDATE from F5 Support: Mitigate the Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities with the BIG-IP system

You should consider using this procedure under the following condition:

  • You want to secure your applications against the Spring Framework (CVE-2022-22965 aka Spring4Shell) and Spring Cloud vulnerability CVE-2022-22963 with the BIG-IP system.

    Note: F5 is still actively monitoring the situation and will update this article and/or signatures when more specific information becomes available.

Description

You can use the BIG-IP system to mitigate the impact of the Spring4Shell and Spring Cloud vulnerabilities in your infrastructure. For more information about these vulnerabilities, refer to K11510688: Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963.

Prerequisites

You must meet the following prerequisite to use this procedure:

  • To use the BIG-IP ASM/Advanced WAF mitigation, your BIG-IP system must be licensed and provisioned for the BIG-IP ASM/Advanced WAF module.

  • Spring Framework RCE (Spring4Shell): CVE-2022-22965
  • Spring Framework DoS: CVE-2022-22950
  • Spring Cloud RCE: CVE-2022-22963

Impact

For products with None in the Versions known to be vulnerable column, there is no impact.

For products with ** in the various columns, F5 is still researching the issue and will update this article after confirming the required information. F5 Support has no additional information about this issue.

AskF5 Article: Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963

F5 Labs Article: What Are The Spring4Shell Vulnerabilities?
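The post above says a WAF in front of the application can mitigate these CVEs but does not show what such a rule has to match. The following is an added example, not F5's signature or iRule and not code from the post: it models the request inspection a WAF rule would do for the two RCEs. For CVE-2022-22965 it flags any bound property path that reaches classLoader or protectionDomain through the "class" property (the publicly documented exploit path is class.module.classLoader.*), after URL-decoding twice and normalising dotted and bracketed forms. For CVE-2022-22963 it flags the spring.cloud.function.routing-expression header, whose value the vulnerable versions evaluate as SpEL. The sample requests are constructed, not captured traffic; the host name and paths are placeholders.

```python
"""Request inspection for the Spring4Shell (CVE-2022-22965) and Spring Cloud
Function (CVE-2022-22963) exploit markers.

Constructed example: models the matching a WAF signature or iRule in front of
a Spring application performs. Not F5's signature or iRule; the property path
and header names are the publicly documented ones.
"""
import re
from urllib.parse import parse_qsl, unquote_plus

# CVE-2022-22965: Spring data binding lets a request parameter walk from the
# bound object's "class" property into java.lang.Class; the public exploit
# used class.module.classLoader.* to reconfigure Tomcat's access-log valve.
# The Spring fix blocks binding to classLoader / protectionDomain under
# "class", so any parameter path that does the same is treated as a marker.
DANGEROUS_CLASS_MEMBERS = {"classloader", "protectiondomain"}

# CVE-2022-22963: a request header whose value is evaluated as a SpEL
# expression. Blocking on presence is the conservative choice; sites that
# legitimately route functions by header must allow-list those callers.
ROUTING_HEADER = "spring.cloud.function.routing-expression"


def property_path(param_name: str) -> list[str]:
    """Split a Spring-style property path into lower-cased segments.

    Spring accepts dotted (a.b.c) and indexed (a[b][c]) forms, and the WAF
    sees the name URL-encoded, possibly twice. Decode twice so that a
    double-encoded dot (%252E) does not hide the path.
    """
    decoded = unquote_plus(unquote_plus(param_name))
    return [seg for seg in re.split(r"[.\[\]]+", decoded.lower()) if seg]


def is_spring4shell_path(param_name: str) -> bool:
    """True when a 'class' segment is followed by a dangerous member."""
    segs = property_path(param_name)
    for i, seg in enumerate(segs):
        if seg == "class" and DANGEROUS_CLASS_MEMBERS & set(segs[i + 1:]):
            return True
    return False


def parse_request(raw: str):
    """Minimal HTTP/1.1 parser: (headers, params). Header names are
    lower-cased; params come from the query string plus a form body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    _path, _, query = target.partition("?")
    params = parse_qsl(query, keep_blank_values=True)
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        params += parse_qsl(body, keep_blank_values=True)
    return headers, params


def inspect_request(raw: str) -> list[str]:
    """Return one finding per exploit marker; an empty list means clean."""
    headers, params = parse_request(raw)
    findings = []
    for name, _value in params:
        if is_spring4shell_path(name):
            findings.append(f"CVE-2022-22965 marker: parameter '{name}'")
    if ROUTING_HEADER in headers:
        findings.append(f"CVE-2022-22963 marker: header '{ROUTING_HEADER}'")
    return findings


# Constructed sample requests (placeholder host and paths, not captured traffic).
POC_STYLE = (
    "POST /app HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
)
DOUBLE_ENCODED = (
    "GET /app?class%252Emodule%252EclassLoader%252Eresources=x HTTP/1.1\r\n"
    "Host: app.example\r\n\r\n"
)
BRACKET_FORM = (
    "GET /app?class[module][classLoader][resources]=x HTTP/1.1\r\n"
    "Host: app.example\r\n\r\n"
)
ROUTING = (
    "POST /functionRouter HTTP/1.1\r\nHost: app.example\r\n"
    "spring.cloud.function.routing-expression: uppercase\r\n\r\nhello"
)
BENIGN = (
    "POST /app HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "name=alice&address.city=Paris&class=2022"
)

if __name__ == "__main__":
    for label, req in [("poc", POC_STYLE), ("double-encoded", DOUBLE_ENCODED),
                       ("bracket", BRACKET_FORM), ("routing", ROUTING),
                       ("benign", BENIGN)]:
        print(label, inspect_request(req))
```

The double-decode and bracket normalisation are the parts a naive substring match on "class.module.classLoader" misses; the benign request shows that a plain parameter named class, or any unrelated nested path, is not flagged.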