Chemaxon’s response to CVE-2022-22965 and CVE-2022-22963

news · 7 months ago
by Gábor Pécsy

Summary of Chemaxon Actions:

Chemaxon architects and engineering teams are actively investigating the vulnerabilities CVE-2022-22965 (also referenced by other vendors as Spring4Shell / SpringShell) and CVE-2022-22963 and potential exploits. We are committed to watching over our clients for exposure and associated attacks and are taking action with approved mitigation efforts. We are continuing to monitor our own infrastructure and products as more information becomes available.

What is Spring4Shell?

Spring4Shell is a bug in Spring Core, a popular application framework that allows software developers to quickly and easily develop Java applications with enterprise-level features. These applications can then be deployed on servers, such as Apache Tomcat, or as stand-alone applications with all the required dependencies. The bug allows an unauthenticated attacker to execute arbitrary code on a vulnerable system.

CVE-2022-22965: Impact, Dangers and Mitigation

CVE-2022-22965 is a confirmed RCE vulnerability in Spring Core <=5.3.17 (for 5.3.x) and <=5.2.19 (for 5.2.x). This vulnerability is a class manipulation vulnerability and is currently being discussed publicly as Spring4Shell or SpringShell. It appears to be a bypass of protections set up for CVE-2010-1622 (http://blog.o0o.nu/2010/06/cve-2010-1622.html or https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds) Other mitigating factors will define whether or not a server running on Spring Core is vulnerable. Currently, the only verified-vulnerable instances require the use of Spring MVC or Spring WebFlux applications (spring-webmvc or spring-webflux) running under JDK version 9 and newer. Additionally, Spring Core needs to run under Apache Tomcat as a WAR deployment. JAR deployments are not currently known to be vulnerable.
Additionally, Class Loader Manipulation vulnerabilities can be very complicated and have many mitigating factors, so it's still unclear how many real-world implementations may be vulnerable or whether the scope of this vulnerability will expand to other implementations. Chemaxon is upgrading affected software to fixed versions in the next available release.

CVE-2022-22963: Impact, Dangers and Mitigation

CVE-2022-22963 is a second confirmed RCE vulnerability in Spring. However, rather than Spring Core, this affects Spring Cloud Function, which is not in the default Spring Framework. It affects Spring Cloud Function <=3.1.6 (for 3.1.x) and <=3.2.2 (for 3.2.x). This vulnerability affects the Spring Expression Language (SpEL). An attacker can pass arbitrary code to SpEL via a HTTP parameter named spring.cloud.function.routing-expression as that parameter goes unvalidated by the Cloud Function. This vulnerability is comparatively easier to exploit (subject to certain variables) and can be done via common tools like curl and Burp. However, it seems that the number of hosts using Spring Cloud Function is far fewer than Spring Core itself, which should limit the attack surface.

No Chemaxon product is currently affected by this instance.

Products affected

Chemaxon is taking prompt action to patch and mitigate the potential impact of this vulnerability on: Fixes have been published in frequent releases for the following affected products

  • Instant JChem / Connect fix comes with Iodine .3 hotfix
  • Chemlocator under review
  • Compliance Checker Under normal circumstances, it is unaffected. It can be affected in case the WAR files of the application are deployed into a standalone Tomcat container. In this case the 22.9.0 Frequent Release contains the fix.
  • Compound Registration both .war and docker releases are affected. Fix comes in: Krypton.1, Iodine.3, and the next frequent release, 22.11.0 .

Our Professional Services consultants are working with affected clients to mitigate risk in independently integrated projects.

Unaffected products

All other Chemaxon products remain unaffected.

Other mitigations

We also recommend customers check whether any other (non-Chemaxon) software they are running may be impacted and check in with applicable vendors for available patches.

AWS published the rules to add to WAF (Web Application Firewall) configurations that help preventing the attackers from exploiting these vulnerabilities:

Chemaxon deployed these changes to our WAFs.

Update

While investigating the original risk, a new vulnerability, CVE-2022-22968, has been identified. The fixes in Krypton.1 versions are still vulnerable to this, we are in the process of creating hotfixes. In Iodine and the Frequent Releases we will include the relevant fixes.

Next steps

Product development is working on fixing the vulnerabilities of the affected products, we handle this at the highest priority. We will continue to provide updates as necessary in this document.

Resources: