Information indicates that an RCE 0day vulnerability has been reported in the Spring Framework. If the target system is developed using Spring and has a JDK version above JDK9, an unauthorized attacker can exploit this vulnerability to remotely execute arbitrary code on the target device.

1. Vulnerability Situation Analysis

The Spring framework is the most widely used lightweight open source framework for Java, and in the JDK9 version of the Spring framework (and above), a remote attacker can obtain an AccessLogValve object through the framework’s parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path if certain conditions are met. file under any path.

2. the scope of the vulnerability affected by the affected version

  • JDK 9.0+
  • Spring framework and derivative framework spring-beans-*.jar exists

3. the vulnerability disposal recommendations

Temporary fix: The following two steps need to be followed simultaneously for the temporary fix of the vulnerability.

Step 1

Search the application group globally for the @InitBinder annotation and see if the dataBinder.setDisallowedFields method is called inside the method. If the introduction of this code snippet is found, add {"class.*", "Class.*", "*.class.*", "*.Class.*"} to the original black list. (Note: If this code snippet is used more often, it needs to be appended in each place)

Step 2

Create the following global class under the project package of the application system and make sure the class is loaded by Spring (it is recommended to add it in the package where the Controller is located). After adding the class, you need to recompile and repackage the project and verify the functionality, and republish the project.

import org.sptingframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllezAdvice;
import org.springframework.web.bind.annotation.InitBinder;
public class Global ControllerAdvice {
    public void setAllowedFields(WebDataBinder dataBinder) {
        String[] abd = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};

Repair suggestion: No official security patch or latest version has been released yet. Affected customers can use a third-party firewall for defense.