{"id":9841,"date":"2022-04-07T12:42:51","date_gmt":"2022-04-07T08:42:51","guid":{"rendered":"https:\/\/me.kaspersky.com\/blog\/?p=9841"},"modified":"2022-04-07T12:43:10","modified_gmt":"2022-04-07T08:43:10","slug":"spring4shell-critical-vulnerability-in-spring-java-framework","status":"publish","type":"post","link":"https:\/\/me.kaspersky.com\/blog\/spring4shell-critical-vulnerability-in-spring-java-framework\/9841\/","title":{"rendered":"Spring4Shell: \u0627\u0644\u062b\u063a\u0631\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0627\u0644\u062e\u0637\u064a\u0631\u0629 \u0641\u064a \u0625\u0637\u0627\u0631 \u0627\u0644\u0639\u0645\u0644 Spring \u0627\u0644\u062e\u0627\u0635 \u0628\u0644\u063a\u0629 Java"},"content":{"rendered":"

\u0627\u0643\u062a\u0634\u0641 \u0627\u0644\u0628\u0627\u062d\u062b\u0648\u0646 \u062b\u063a\u0631\u0629 \u0623\u0645\u0646\u064a\u0629 \u062e\u0637\u064a\u0631\u0629 CVE-2022-22965<\/a> \u0641\u064a Spring \u0625\u0637\u0627\u0631 \u0627\u0644\u0639\u0645\u0644 \u0645\u0641\u062a\u0648\u062d \u0627\u0644\u0645\u0635\u062f\u0631 \u0644\u0645\u0646\u0635\u0629 \u0644\u063a\u0629 Java.\u0648\u0644\u0644\u0623\u0633\u0641\u060c \u062a\u0645 \u062a\u0633\u0631\u064a\u0628 \u062a\u0641\u0627\u0635\u064a\u0644 \u0639\u0646 \u0627\u0644\u062b\u063a\u0631\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0644\u0644\u062c\u0645\u0647\u0648\u0631 \u0642\u0628\u0644 \u0646\u0634\u0631 \u0627\u0644\u0625\u0639\u0644\u0627\u0646 \u0627\u0644\u0631\u0633\u0645\u064a \u0648\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u062a\u0635\u062d\u064a\u062d\u0627\u062a \u0630\u0627\u062a \u0627\u0644\u0635\u0644\u0629.<\/p>\n

\u0627\u062c\u062a\u0630\u0628\u062a \u0647\u0630\u0647 \u0627\u0644\u062b\u063a\u0631\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0627\u0647\u062a\u0645\u0627\u0645 \u0623\u062e\u0635\u0627\u0626\u064a\u064a \u0623\u0645\u0646 \u0627\u0644\u0645\u0639\u0644\u0648\u0645\u0627\u062a \u0639\u0644\u0649 \u0627\u0644\u0641\u0648\u0631\u060c \u0644\u0623\u0646\u0647\u0627 \u0642\u062f \u062a\u0634\u0643\u0644 \u062a\u0647\u062f\u064a\u062f\u064b\u0627 \u062e\u0637\u064a\u0631\u064b\u0627 \u0644\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u062a\u0637\u0628\u064a\u0642\u0627\u062a \u0627\u0644\u0625\u0646\u062a\u0631\u0646\u062a. \u0648\u0639\u0644\u0649 \u063a\u0631\u0627\u0631 Log4Shell<\/a>\u060c \u0627\u0644\u0645\u064f\u0628\u0627\u0644\u064e\u063a \u0641\u064a \u0623\u0645\u0631\u0647\u0627\u060c \u0633\u064f\u0645\u064a\u062a \u0627\u0644\u062b\u063a\u0631\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0627\u0644\u062c\u062f\u064a\u062f\u0629 Spring4Shell.<\/p>\n

\u0623\u0635\u062f\u0631 \u0645\u0646\u0634\u0626\u0648 \u0625\u0637\u0627\u0631 \u0627\u0644\u0639\u0645\u0644 VMware Spring \u0628\u0627\u0644\u0641\u0639\u0644 \u062a\u0635\u062d\u064a\u062d\u0627\u062a \u0644\u0625\u0635\u0644\u0627\u062d \u0627\u0644\u062a\u0637\u0628\u064a\u0642\u0627\u062a \u0627\u0644\u0645\u0639\u0631\u0636\u0629 \u0644\u0644\u062e\u0637\u0631\u060c \u0644\u0630\u0644\u0643 \u0646\u0648\u0635\u064a \u0628\u0623\u0646 \u062a\u0642\u0648\u0645 \u062c\u0645\u064a\u0639 \u0627\u0644\u0634\u0631\u0643\u0627\u062a \u0627\u0644\u062a\u064a \u062a\u0633\u062a\u062e\u062f\u0645 \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u064a\u0646 5.3 \u06485.2 \u0645\u0646 Spring Framework \u0639\u0644\u0649 \u0627\u0644\u0641\u0648\u0631 \u0628\u0627\u0644\u062a\u0631\u0642\u064a\u0629 \u0625\u0644\u0649 \u0627\u0644\u0625\u0635\u062f\u0627\u0631\u064a\u0646 5.3.18 \u0623\u0648 5.2.20.<\/p>\n

\u0645\u0627 Spring4Shell\u061f \u0648\u0644\u0645\u0627\u0630\u0627 \u0647\u064a \u062b\u063a\u0631\u0629 \u0623\u0645\u0646\u064a\u0629 \u062e\u0637\u064a\u0631\u0629 \u0644\u0644\u063a\u0627\u064a\u0629 \u061f<\/h2>\n

\u062a\u0646\u062a\u0645\u064a \u0647\u0630\u0647 \u0627\u0644\u062b\u063a\u0631\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0625\u0644\u0649 \u0641\u0626\u0629 RCE\u060c \u0623\u064a \u0623\u0646\u0647\u0627 \u062a\u0633\u0645\u062d \u0644\u0644\u0645\u0647\u0627\u062c\u0645 \u0628\u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u062a\u0639\u0644\u064a\u0645\u0627\u062a \u0627\u0644\u0628\u0631\u0645\u062c\u064a\u0629 \u0627\u0644\u0636\u0627\u0631\u0629 \u0639\u0646 \u0628\u064f\u0639\u062f. \u0648\u062d\u0627\u0644\u064a\u064b\u0627 \u0641\u064a CVSS v3.0 Calculator<\/a>\u060c \u0635\u064f\u0646\u0641\u062a \u0634\u062f\u062a\u0647\u0627 \u0628\u062f\u0631\u062c\u0629 9.8 \u0645\u0646 \u0623\u0635\u0644 10.\u0648\u062a\u0624\u062b\u0631 \u0627\u0644\u062b\u063a\u0631\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0639\u0644\u0649 \u062a\u0637\u0628\u064a\u0642\u0627\u062a Spring MVC \u0648Spring WebFlux \u0627\u0644\u062a\u064a \u062a\u0639\u0645\u0644 \u0628\u0645\u0648\u062c\u0628 Java Development Kit \u0627\u0644\u0625\u0635\u062f\u0627\u0631 9 \u0623\u0648 \u0627\u0644\u0623\u062d\u062f\u062b \u0645\u0646\u0647.<\/p>\n

\u0623\u0628\u0644\u063a \u0627\u0644\u0628\u0627\u062d\u062b\u0648\u0646 \u0639\u0646 \u0627\u0644\u062b\u063a\u0631\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0627\u0644\u0645\u0643\u062a\u0634\u0641\u0629 \u0641\u064a VMware \u0644\u064a\u0644\u0629 \u0627\u0644\u062b\u0644\u0627\u062b\u0627\u0621\u060c \u0648\u0644\u0643\u0646 \u062a\u0645 \u0646\u0634\u0631 \u0625\u062b\u0628\u0627\u062a \u0645\u0641\u0647\u0648\u0645 \u0627\u0644\u062b\u063a\u0631\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0639\u0644\u0649 GitHub \u064a\u0648\u0645 \u0627\u0644\u0623\u0631\u0628\u0639\u0627\u0621.\u0648\u0642\u062f \u062a\u0645\u062a \u0625\u0632\u0627\u0644\u0629 \u0625\u062b\u0628\u0627\u062a \u0627\u0644\u0645\u0641\u0647\u0648\u0645 \u0628\u0633\u0631\u0639\u0629\u060c \u0648\u0644\u0643\u0646 \u0644\u064a\u0633 \u0642\u0628\u0644 \u0623\u0646 \u064a\u0644\u0627\u062d\u0638\u0647 \u062e\u0628\u0631\u0627\u0621 \u0627\u0644\u0623\u0645\u0646 (\u0627\u0644\u0630\u064a\u0646 \u0623\u0643\u062f \u0628\u0639\u0636\u0647\u0645 \u0639\u0644\u0649 \u062e\u0637\u0631 \u0627\u0644\u062b\u063a\u0631\u0629). \u0648\u0645\u0646 \u0627\u0644\u0645\u0633\u062a\u0628\u0639\u062f \u062c\u062f\u064b\u0627 \u0623\u0646 \u064a\u0643\u0648\u0646 \u0645\u062b\u0644 \u0647\u0630\u0627 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0627\u0644\u0642\u0648\u064a \u0642\u062f \u0627\u062e\u062a\u0641\u0649 \u062f\u0648\u0646 \u0623\u0646 \u064a\u0644\u0627\u062d\u0638\u0647 \u0645\u062c\u0631\u0645\u0648 \u0627\u0644\u0625\u0646\u062a\u0631\u0646\u062a.<\/p>\n

\u064a\u062d\u0638\u0649 \u0625\u0637\u0627\u0631 \u0627\u0644\u0639\u0645\u0644 Spring \u0628\u0634\u0639\u0628\u064a\u0629 \u0643\u0628\u064a\u0631\u0629 \u0628\u064a\u0646 \u0645\u0637\u0648\u0631\u064a Java\u060c \u0645\u0645\u0627 \u064a\u0639\u0646\u064a \u0623\u0646 \u0627\u0644\u0639\u062f\u064a\u062f \u0645\u0646 \u0627\u0644\u062a\u0637\u0628\u064a\u0642\u0627\u062a \u0645\u0646 \u0627\u0644\u0645\u062d\u062a\u0645\u0644 \u0623\u0646 \u062a\u0643\u0648\u0646 \u0639\u0631\u0636\u0629 \u0644\u0644\u062e\u0637\u0631. \u0648\u0648\u0641\u0642\u064b\u0627 \u0644\u0645\u0646\u0634\u0648\u0631 Bleeping Computer<\/a>\u060c \u064a\u0645\u0643\u0646 \u0623\u0646 \u062a\u0635\u0628\u062d \u062a\u0637\u0628\u064a\u0642\u0627\u062a Java \u0627\u0644\u0645\u0639\u0631\u0636\u0629 \u0644\u062e\u0637\u0631 Spring4Shell \u0633\u0628\u0628\u064b\u0627 \u0644\u0627\u062e\u062a\u0631\u0627\u0642 \u0639\u062f\u062f \u0643\u0628\u064a\u0631 \u0645\u0646 \u0627\u0644\u062e\u0648\u0627\u062f\u0645.\u0648\u0639\u0644\u0627\u0648\u0629 \u0639\u0644\u0649 \u0630\u0644\u0643\u060c \u0648\u0648\u0641\u0642\u064b\u0627 \u0644\u0646\u0641\u0633 \u0627\u0644\u0645\u0646\u0634\u0648\u0631\u060c \u064a\u062a\u0645 \u0628\u0627\u0644\u0641\u0639\u0644 \u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0627\u0644\u062b\u063a\u0631\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0628\u0635\u0648\u0631\u0629 \u0646\u0634\u0637\u0629 \u0648\u0628\u0637\u0631\u064a\u0642\u0629 \u0639\u0646\u064a\u0641\u0629.<\/p>\n

\u064a\u0645\u0643\u0646 \u0627\u0644\u0639\u062b\u0648\u0631 \u0639\u0644\u0649 \u0627\u0644\u0645\u0632\u064a\u062f \u0645\u0646 \u0627\u0644\u062a\u0641\u0627\u0635\u064a\u0644 \u0627\u0644\u0641\u0646\u064a\u0629\u060c \u062c\u0646\u0628\u064b\u0627 \u0625\u0644\u0649 \u062c\u0646\u0628 \u0645\u0639 \u0645\u0624\u0634\u0631\u0627\u062a \u0627\u0644\u0627\u062e\u062a\u0631\u0627\u0642 \u0627\u0644\u0645\u062a\u0639\u0644\u0642\u0629 \u0628\u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0627\u0644\u062b\u063a\u0631\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 Spring4Shell \u0641\u064a \u0645\u0646\u0634\u0648\u0631 \u0627\u0644\u0645\u062f\u0648\u0646\u0629 \u0641\u064a Securelist<\/a>. \u0648\u0647\u0646\u0627\u0643 \u0623\u064a\u0636\u064b\u0627 \u0648\u0635\u0641 \u0644\u062b\u063a\u0631\u0629 \u0623\u0645\u0646\u064a\u0629 \u062e\u0637\u064a\u0631\u0629 \u0623\u062e\u0631\u0649 \u0641\u064a \u0625\u0637\u0627\u0631 \u0627\u0644\u0639\u0645\u0644 Spring \u0627\u0644\u062e\u0627\u0635 \u0628\u0644\u063a\u0629 Java\u200f (CVE -2022-22963) \u0641\u064a \u0646\u0641\u0633 \u0627\u0644\u0645\u0646\u0634\u0648\u0631.<\/p>\n

\u0634\u0631\u0648\u0637 \u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0627\u0644\u062b\u063a\u0631\u0629 \u0627\u0644\u0623\u0645\u0646\u064a\u0629 Spring4Shell\u200f<\/h2>\n

\u062a\u062a\u0637\u0644\u0628 \u0637\u0631\u064a\u0642\u0629 \u0627\u0633\u062a\u063a\u0644\u0627\u0644 Spring4Shell \u0627\u0644\u0648\u062d\u064a\u062f\u0629 \u0648\u0627\u0644\u0645\u0639\u0631\u0648\u0641\u0629 \u0641\u064a \u0648\u0642\u062a \u0627\u0644\u0646\u0634\u0631 \u0623\u0646 \u062a\u062c\u062a\u0645\u0639 \u0628\u0639\u0636 \u0627\u0644\u0638\u0631\u0648\u0641 \u0645\u0639\u064b\u0627 \u0628\u0637\u0631\u064a\u0642\u0629 \u0645\u0639\u064a\u0646\u0629. \u0648\u0644\u0643\u064a \u064a\u062a\u062d\u0642\u0642 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644\u060c \u064a\u062c\u0628 \u0627\u0644\u0627\u0633\u062a\u0639\u0627\u0646\u0629 \u0628\u0627\u0644\u0645\u062d\u0627\u0648\u0631 \u0627\u0644\u062a\u0627\u0644\u064a\u0629 \u0645\u0646 \u062c\u0627\u0646\u0628 \u0627\u0644\u0645\u0647\u0627\u062c\u0645:<\/p>\n