Re: spring-bean RCE (indirect vulnerability of Servlet/jsp request get/post)

2022-04-01 Thread Martin Grigorov
Hi,

I don't think a normal Wicket application is vulnerable to this attack.
But I recommend that you update Spring in your applications anyway.

On Fri, Apr 1, 2022, 10:21 kyrindorx  wrote:

> Hello everyone,
>
> The internet developer community found a bug in
> spring-beans/spring-webmvc on 03/30/2022. I would like to know to what
> extent Wicket could be affected by this exploit? I think it should be a
> specific behavior with Spring and the servlet engine (Tomcat was used in
> the exploit), but Wicket is also a servlet-driven web framework.
>
> The exploit used a code injection block with "<% bad java code/cmds %>"
> and bean introspection via a REST service call. What is the opinion of
> the Wicket core team on this issue?
>
> Thanks in advance
> Daniel
>
>
> Sources:
> https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
> (informed by GitHub)
> https://tanzu.vmware.com/security/cve-2022-22965
> https://github.com/tweedge/springcore-0day-en


spring-bean RCE (indirect vulnerability of Servlet/jsp request get/post)

2022-04-01 Thread kyrindorx

Hello everyone,

The internet developer community found a bug in
spring-beans/spring-webmvc on 03/30/2022. I would like to know to what
extent Wicket could be affected by this exploit? I think it should be a
specific behavior with Spring and the servlet engine (Tomcat was used in
the exploit), but Wicket is also a servlet-driven web framework.

The exploit used a code injection block with "<% bad java code/cmds %>"
and bean introspection via a REST service call. What is the opinion of
the Wicket core team on this issue?


Thanks in advance
Daniel


Sources:
https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
(informed by GitHub)
https://tanzu.vmware.com/security/cve-2022-22965
https://github.com/tweedge/springcore-0day-en