Spring Data MongoDB hit by another critical SpEL injection flaw
Bug mirrors recent SpEL injection vulnerability that emerged alongside ‘SpringShell’ issue
Adam Bannister 05 July 2022 at 15:50 UTC
A critical SpEL injection vulnerability has been patched in Spring Data MongoDB, which provides object-document support and repositories for MongoDB.
The flaw (CVE-2022-22980) has been given a near-maximum CVSS score of 9.8.
Spring Data MongoDB, which is part of VMware’s Spring project, integrates with MongoDB, a document-oriented NoSQL database platform with more than 26,800 customers.
SpEL – or Spring Expression Language – supports the querying and manipulating of object graphs at runtime.
A security advisory published by VMware reads: “A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.”
The application is apparently not vulnerable if the repository is configured to use a that limits SpEL usage.
Updates, mitigations
This vulnerability was discovered by Zewei Zhang from NSFOCUS TIANJI Lab, who reported the issue on June 13, 2022. Spring released patched versions of Spring Data MongoDB, 3.4.1 and 3.3.5, only seven days later, on June 20.
The flaw affects versions 3.4.0, 3.3.0 to 3.3.4, as well as older, unsupported versions.
In lieu of updating the application, developers can protect themselves by rewriting query or aggregation declarations to use parameter references within the expression (for instance, using ‘[0]’ instead of ‘?0’).
Other mitigation steps include sanitizing parameters before calling the query method and reconfiguring the repository factory bean through a with a limited .
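To find declarations that need the ‘[0]’ rewrite, a code base can be audited for @Query and @Aggregation annotations whose SpEL blocks still contain ‘?0’-style placeholders. The script below is an added example, not code from VMware or the Spring project. It assumes SpEL blocks are written as ?#{...} or :#{...}, uses a constructed sample repository with hypothetical method names, and does not account for unbalanced brackets inside string literals.

```python
import re

ANNOTATION = re.compile(r'@(Query|Aggregation)\s*\(')  # annotations named in the advisory
SPEL_OPEN = re.compile(r'[?:]#\{')    # start of a ?#{...} or :#{...} SpEL block
PLACEHOLDER = re.compile(r'\?\d+')    # ?0, ?1, ... value-binding placeholder

def _balanced(text, start, open_ch, close_ch):
    """Index just past the bracket closing the one at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == open_ch:
            depth += 1
        elif text[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i + 1
    return len(text)  # unterminated: scan to the end rather than miss a finding

def find_risky_queries(java_source):
    """Return (line_no, annotation, spel_block) for SpEL blocks containing ?N."""
    findings = []
    for m in ANNOTATION.finditer(java_source):
        end = _balanced(java_source, m.end() - 1, '(', ')')
        body = java_source[m.end():end]
        for s in SPEL_OPEN.finditer(body):
            block = body[s.start():_balanced(body, s.end() - 1, '{', '}')]
            if PLACEHOLDER.search(block):
                line_no = java_source.count('\n', 0, m.start()) + 1
                findings.append((line_no, m.group(1), block))
    return findings

# Constructed sample source, not taken from any real project.
SAMPLE = '''\
public interface PersonRepository extends MongoRepository<Person, String> {
    @Query("{ 'name' : ?#{?0} }")        // placeholder inside the expression
    List<Person> findByNameFlagged(String name);
    @Query("{ 'name' : ?#{[0]} }")       // parameter reference, the suggested rewrite
    List<Person> findByNameRewritten(String name);
    @Query("{ 'name' : ?0 }")            // no SpEL block at all
    List<Person> findByNamePlain(String name);
    @Aggregation("{ '$match' : { 'age' : { '$gt' : :#{?0 + 1} } } }")
    List<Person> olderThan(int age);
}
'''

if __name__ == "__main__":
    for line_no, annotation, block in find_risky_queries(SAMPLE):
        print(f"line {line_no}: @{annotation} binds a placeholder inside {block}")
```

Only the declarations that place a placeholder inside an expression block are reported; the ‘[0]’ form and the declaration with no SpEL block are not.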
Local and web-based proof-of-concepts (POCs) for the flaw have emerged on GitHub.
Mis-SpEL
The Spring project addressed another critical SpEL injection vulnerability only in March, a remote code execution (RCE) flaw impacting the Spring Cloud computing framework.
Within days another, even more dangerous RCE bug emerged in the Spring Framework’s Java-based Core module. Dubbed ‘Spring4Shell’, this issue arose from a bypass of a legacy bug patched in 2010.
Days later, Microsoft and CISA were warning of ‘Spring4Shell’ exploitation in the wild, before it emerged that threat actors were leveraging the flaw as a vector for the spread of the Mirai botnet.