CVE-2021-22118
📋 TL;DR
A locally authenticated malicious user can (re)create the temporary directory that a Spring WebFlux application uses to store multipart uploads. With control of that directory the attacker can read or modify files uploaded to the application, or cause multipart request data to overwrite arbitrary files the application process can write. This is a local privilege escalation against the application's user context, not a remote attack. Affects Spring Framework versions 5.2.x prior to 5.2.15 and 5.3.x prior to 5.3.7.
💻 Affected Systems
- Spring Framework
- Applications using Spring WebFlux
📦 What is this software?
Spring Framework is the core Java application framework; WebFlux is its reactive, non-servlet web stack, whose multipart codec is the component affected here. The following vendor products embed or ship the affected framework versions, per the Oracle Critical Patch Update and NetApp advisories listed under References:
- Communications Brm Elastic Charging Engine by Oracle
- Communications Cloud Native Core Binding Support Function by Oracle
- Communications Cloud Native Core Policy by Oracle
- Communications Cloud Native Core Security Edge Protection Proxy by Oracle
- Communications Cloud Native Core Service Communication Proxy by Oracle
- Communications Cloud Native Core Unified Data Repository by Oracle
- Communications Diameter Intelligence Hub by Oracle
- Communications Interactive Session Recorder by Oracle
- Communications Network Integrity by Oracle
- Communications Session Report Manager by Oracle
- Communications Session Route Manager by Oracle
- Communications Unified Inventory Management by Oracle
- Documaker by Oracle
- Financial Services Analytical Applications Infrastructure by Oracle
- Retail Customer Management And Segmentation Foundation by Oracle
- Retail Predictive Application Server by Oracle
- Hci by Netapp
- Management Services For Element Software by Netapp
⚠️ Risk & Real-World Impact
Worst Case
A low-privileged local user overwrites files writable by the application process (configuration, scripts, deployed content) with attacker-controlled multipart data, gaining code execution or persistence with the application's privileges; on hosts where the application runs as root this amounts to full compromise.
Likely Case
Disclosure or tampering of other users' uploaded files while they sit in temporary storage, corruption of application data, or denial of service by breaking upload handling.
If Mitigated
With the storage directory owned by the application user, mode 700, and located where no other local user can delete or re-create it, the attack surface shrinks to the application's own process; uploads are still briefly on disk, so data leakage within that scope remains possible until the patch is applied.
🎯 Exploit Status
Exploitation requires a local account on the host running the WebFlux application, positioned to create (or re-create after removal) the temporary storage directory before the application does, which is easy when that directory lives under a world-writable location such as /tmp. Once positioned, the technique is straightforward. Public proof-of-concept code exists demonstrating the directory manipulation technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Spring Framework 5.2.15 or 5.3.7 and later
Vendor Advisory: https://tanzu.vmware.com/security/cve-2021-22118
Restart Required: Yes
Instructions:
1. Update the Spring Framework dependency to 5.2.15 or later (for 5.2.x) or 5.3.7 or later (for 5.3.x). If the version is managed by the Spring Boot BOM, override it or move to a Boot release that manages a fixed version.
2. Update pom.xml or build.gradle with the new version.
3. Rebuild and redeploy the application.
4. Restart the application server.
🔧 Temporary Workarounds
Reject multipart requests if uploads are not needed
If the application never accepts file uploads, refuse requests carrying a multipart Content-Type in a WebFilter before the multipart codec touches the filesystem. Note that spring.servlet.multipart.enabled=false configures the servlet (Spring MVC) stack only and has no effect on a WebFlux application.
Use a dedicated storage directory with strict permissions
Configure the WebFlux multipart reader (DefaultPartHttpMessageReader on 5.3.x) to store parts in a directory owned by the application user, mode 700, whose parent is not writable by other local users. Do not place it under /tmp or any other shared directory: a directory another user can remove and re-create is exactly the precondition of this CVE. The servlet-stack property spring.servlet.multipart.location does not apply to WebFlux. On Linux:
mkdir -p /secure/temp/dir
chown appuser:appgroup /secure/temp/dir
chmod 700 /secure/temp/dir
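The two workarounds above expressed in WebFlux terms, as an added example that is not from the original page or the Spring project. It assumes Spring Framework 5.3.x (DefaultPartHttpMessageReader is a 5.3 class; 5.2.x uses SynchronossPartHttpMessageReader instead), a POSIX filesystem, and the hypothetical storage path /var/lib/myapp/multipart and package name com.example.hardening. The storage directory is created owner-only, the reader is registered through ServerCodecConfigurer, and an optional WebFilter returns 415 for any multipart body on applications that do not accept uploads.

```java
// Added example, not code from the Spring project or the original page.
// Assumes Spring Framework 5.3.x and a POSIX filesystem.
package com.example.hardening; // hypothetical package name

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.codec.ServerCodecConfigurer;
import org.springframework.http.codec.multipart.DefaultPartHttpMessageReader;
import org.springframework.web.reactive.config.WebFluxConfigurer;
import org.springframework.web.server.WebFilter;

@Configuration
public class MultipartHardeningConfig implements WebFluxConfigurer {

    // Hypothetical location. It must be owned by the application user and sit
    // under a parent that other local users cannot write to, so that nobody
    // else can delete and re-create it (the precondition of CVE-2021-22118).
    private static final Path STORAGE_DIR = Paths.get("/var/lib/myapp/multipart");

    @Override
    public void configureHttpMessageCodecs(ServerCodecConfigurer configurer) {
        DefaultPartHttpMessageReader reader = new DefaultPartHttpMessageReader();
        try {
            // Replace the java.io.tmpdir-based default with the private directory.
            reader.setFileStorageDirectory(privateDirectory(STORAGE_DIR));
        } catch (IOException e) {
            // Fail closed: better no multipart support than uploads in a shared tmp dir.
            throw new IllegalStateException("cannot prepare multipart storage", e);
        }
        // Make the in-memory and on-disk limits explicit while we are here.
        reader.setMaxInMemorySize(256 * 1024);          // parts above this go to disk
        reader.setMaxDiskUsagePerPart(10L * 1024 * 1024); // cap per part on disk
        configurer.defaultCodecs().multipartReader(reader);
    }

    // Create the directory with mode 700 and enforce that mode even if it
    // already existed with looser permissions.
    static Path privateDirectory(Path dir) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        Files.createDirectories(dir, PosixFilePermissions.asFileAttribute(ownerOnly));
        Files.setPosixFilePermissions(dir, ownerOnly);
        return dir;
    }

    // Optional: if the application never accepts uploads, refuse any multipart
    // body (multipart/form-data, multipart/mixed, ...) before the codec runs.
    @Bean
    public WebFilter rejectMultipart() {
        return (exchange, chain) -> {
            MediaType ct = exchange.getRequest().getHeaders().getContentType();
            if (ct != null && "multipart".equalsIgnoreCase(ct.getType())) {
                exchange.getResponse().setStatusCode(HttpStatus.UNSUPPORTED_MEDIA_TYPE);
                return exchange.getResponse().setComplete();
            }
            return chain.filter(exchange);
        };
    }
}
```

Remove the rejectMultipart bean if the application does need uploads; the reader configuration alone still moves temporary storage out of the shared temp directory. This reduces the exposure of a vulnerable version but does not replace the upgrade to 5.2.15 / 5.3.7, which is where the directory-handling fix lives.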
🧯 If You Can't Patch
- Keep the multipart storage directory (and, more generally, java.io.tmpdir for the application's JVM) on a path that only the application user can write to, so that no other local user can create or re-create it
- Do not run the application as root, so that an arbitrary-file overwrite stays confined to what the application user can write
- Watch the storage directory on the host (for example an auditd watch for write and attribute changes) and alert on any access that is not made by the application user; this is a local filesystem attack, so HTTP-layer logs show little
🔍 How to Verify
Check if Vulnerable:
Check the resolved Spring Framework version in pom.xml, build.gradle, or the built artifact's dependencies. The application is affected only if it uses WebFlux (spring-webflux on the classpath) with Spring Framework 5.2.0-5.2.14 or 5.3.0-5.3.6; servlet-only (Spring MVC) applications are not affected by this CVE. Check the resolved version rather than the declared one, since Spring Boot's BOM may manage it transitively.
Check Version:
mvn dependency:tree | grep -E 'spring-(core|webflux)'
gradle dependencies | grep -E 'spring-(core|webflux)'
Verify Fix Applied:
Confirm the resolved Spring Framework version is 5.2.15+ or 5.3.7+ in the dependency tree, then test the multipart upload functionality to ensure it still works with the patched version.
📡 Detection & Monitoring
Log Indicators:
- Host-level audit events showing a user other than the application user creating, deleting, or changing permissions on the multipart storage directory or files inside it
- Unexpected symbolic links or pre-existing directories in the location the application uses for multipart storage
- Repeated failed file operations during multipart handling in the application logs (permission denied, directory missing or re-created)
Network Indicators:
- Unusual multipart request patterns to WebFlux endpoints, in particular uploads timed with local activity on the host
- Large volume of file upload requests from a single source
SIEM Query:
source="*spring*" AND ("multipart" OR "file upload") AND ("permission denied" OR "access denied" OR "directory creation")
🔗 References
- https://security.netapp.com/advisory/ntap-20210713-0005/
- https://tanzu.vmware.com/security/cve-2021-22118
- https://www.oracle.com/security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html