What happened?
On March 29, 2022, a very old RCE (remote code execution) vulnerability, tracked as CVE-2010-1622, was exposed in a series of Tweets. It affects most Java projects running on JDK 9+. The flaw allows an attacker to execute commands on the server by sending them in a crafted HTTP request.
Who should worry about this vulnerability?
If your project meets all of the conditions below, you should take a serious look at this:
- JDK 9+
- Imported spring-webmvc dependency
- Deployed as WAR but not JAR
- Apache Tomcat as the Servlet container (currently the only container with a confirmed exploit)
How did this happen?
Before going into the details, let's start with a simple API defined in a Spring MVC controller.
```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class DemoController {
    // Animal is a plain POJO (not shown here); Spring fills its properties
    // from the request parameters via data binding.
    @PostMapping("/animals")
    @ResponseBody
    public Map<String, Object> importAnimalIntoZoo(Animal animal) {
        HashMap<String, Object> response = new HashMap<>();
        response.put("data", animal);
        return response;
    }
}
```
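The exploit relies on the same request-parameter data binding that fills `Animal` above, reaching the bean's `class` property instead of a normal field. As an added example (not code from the post), here is a global binder restriction that refuses any such property path; the class name is hypothetical and the field patterns are the denylist workaround Spring published for this issue. It is a stopgap, not a substitute for upgrading to a fixed Spring version.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Applies to every controller's WebDataBinder, so it also covers
 * DemoController.importAnimalIntoZoo(Animal) without touching it.
 * Lowest precedence lets controller-local @InitBinder methods run first
 * while this rule is still applied last.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void denyClassProperties(WebDataBinder binder) {
        // Reject any request parameter whose property path starts with or
        // passes through the bean's "class" property. No legitimate form
        // field on a POJO like Animal needs to bind there, so nothing
        // valid is lost; matching parameters are simply ignored and
        // recorded as suppressed fields on the binder.
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
    }
}
```

A stricter option for a single endpoint is an `@InitBinder` inside the controller that calls `setAllowedFields` with only the names of Animal's real properties.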
Top comments (2)
I had a customer present this CVE this week asking if I addressed this bug. Even though my products aren't built in Java, I appreciate the additional context for responding to these InfoSec requests.
Strange... I'm actually surprised your example is vulnerable. I remember toying around with the original exploit example and it only worked if the parameter was annotated with `@ModelAttribute`, as commented here... I wonder what the difference is.