BugAlertDotOrg / bugalert

MIT License
207 stars, 20 forks

Vulnerability: Confirmed RCE in Spring Core #46

Closed sullivanmatt closed 2 years ago

sullivanmatt commented 2 years ago

See text for details. This post serves as the confirmation notice for https://github.com/BugAlertDotOrg/bugalert/pull/43

mattlorimor-bnch commented 2 years ago

lol oops approved with my other account

mattlorimor commented 2 years ago

Approved. Pending merge. Can't wait to find out what's wrong in our CI/CD this time!

mattlorimor commented 2 years ago

I am calm.

ajh0912 commented 2 years ago

@sullivanmatt it appears that the email notification went out before GitHub Pages had the URL live; for about 1-2 mins after I received the email (1928 UTC) it was returning 404. Not sure if this was down to CI/CD for GitHub Pages generation, or just caching in front of GitHub Pages.

mattlorimor commented 2 years ago

GitHub security researcher confirming ease of use: https://twitter.com/pwntester/status/1509235919106236416.

sullivanmatt commented 2 years ago

Mixture of human error on my part (I managed to put in an invalid datetime on the post) and a failure to have proper automation in place. We're going to spend some time getting a proper CI capability going soon and hopefully that will prevent such things in the future. Appreciate you reaching out though!

whimet commented 2 years ago

I read that this vulnerability is related to the DataBinder in Spring MVC, which is usually used to handle application/x-www-form-urlencoded requests, so what about application/json requests, which are handled by a JSON deserialization library (e.g. Jackson)?

sullivanmatt commented 2 years ago

I must stress that my day job is not threat analysis, but I did take a pretty deep look at the proof of concept today and some of the technical literature around it, and my understanding at this time is that you would not be able to exploit a JSON endpoint like you are describing. There appears to be increasing consensus that exploitation requires a number of factors and configuration options be present all at once, the common thread being urlencoded POST bodies, as well as a somewhat non-standard way of invoking Spring, such as putting it behind Tomcat.

whimet commented 2 years ago

Thanks @sullivanmatt for your opinion. I have the same understanding that JSON requests are unlikely to be affected, and would like to seek confirmation from people with more security knowledge.

Thelvaen commented 2 years ago

GitHub security researcher confirming ease of use: https://twitter.com/pwntester/status/1509235919106236416.

@mattlorimor The tweet has been deleted; do you have a screenshot of it?

jeremyp-synopsys commented 2 years ago

Blog post from Spring outlining the currently known requirements for the vuln, along with proposed code fixes, etc.

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
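The discussion above (sullivanmatt's note that the exposed component is the DataBinder fed by urlencoded POST bodies, and the Spring post's proposed fixes) comes down to one defensive control: stop the binder from walking into nested `class` properties of a bound object. The class below is an added illustration, not code from this thread or from BugAlert; it uses the standard Spring MVC `@ControllerAdvice` / `@InitBinder` hooks and the `WebDataBinder.setDisallowedFields` API, and the class name `BinderControllerAdvice` is my own choice.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global hardening of every WebDataBinder in the application.
 *
 * Runs with the lowest precedence so that it is applied last and is not
 * shadowed by other advice classes. Note that a controller which defines its
 * own @InitBinder and calls setDisallowedFields itself REPLACES this list,
 * so such controllers must include these patterns as well.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Deny binding of request parameters whose property path reaches a
    // "class"/"Class" property at any depth. Patterns are matched by
    // DataBinder's simple wildcard rules (prefix/suffix '*').
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void hardenBinder(WebDataBinder binder) {
        binder.setDisallowedFields(DENYLIST);
    }
}
```

Disallowed fields are silently dropped during binding and reported through `BindingResult.getSuppressedFields()`, which is a convenient hook for logging attempts to bind into denied paths. This is a workaround only: as the thread notes further down, Spring shipped patched releases, and upgrading is the actual fix.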

Thelvaen commented 2 years ago

CVE-2022-22965 has been published.

mattlorimor commented 2 years ago

@Thelvaen - This is what it said.

[image: screenshot of the tweet]

Thelvaen commented 2 years ago

@mattlorimor thanks :)

Patch has been made available since.