CVE-2021-22118 Overview
CVE-2021-22118 is a local privilege escalation vulnerability affecting VMware Spring Framework WebFlux applications. The vulnerability allows a locally authenticated malicious user to exploit insecure temporary storage directory handling to read, modify, or overwrite files associated with multipart request data processing.
In Spring Framework versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, WebFlux applications are vulnerable when handling multipart file uploads. By recreating the temporary storage directory used by the application, an attacker with local system access can gain unauthorized access to uploaded files or overwrite arbitrary files with attacker-controlled multipart request data.
Critical Impact
Local attackers can read sensitive uploaded data, modify application files, or overwrite arbitrary files on the system, potentially leading to data theft, application compromise, or further privilege escalation.
Affected Products
- VMware Spring Framework 5.2.x prior to 5.2.15
- VMware Spring Framework 5.3.x prior to 5.3.7
- Oracle Commerce Guided Search 11.3.2
- Oracle Communications BRM - Elastic Charging Engine 12.0.0.3
- Oracle Communications Cloud Native Core Binding Support Function 1.9.0
- Oracle Communications Cloud Native Core Policy 1.14.0
- Oracle MySQL Enterprise Monitor
- Oracle Retail Merchandising System 19.0.1
- NetApp HCI
- NetApp Management Services for Element Software
Discovery Timeline
- May 27, 2021 - CVE-2021-22118 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-22118
Vulnerability Analysis
This vulnerability stems from improper privilege management (CWE-269) and exposure of resources to the wrong sphere (CWE-668) in Spring Framework's WebFlux component. The attack requires local access to the system where the WebFlux application is running, meaning an attacker must already have some level of authenticated access to the host machine.
The vulnerability is particularly concerning in multi-tenant environments or shared hosting scenarios where multiple users have access to the same system. Once exploited, an attacker can compromise the confidentiality and integrity of data processed by the WebFlux application.
Root Cause
The root cause lies in the insecure handling of temporary storage directories used during multipart file upload processing in WebFlux applications. The framework does not properly protect the temporary directory from being recreated or accessed by other local users. This allows a malicious local user to:
- Identify or predict the temporary directory location used by the WebFlux application
- Delete and recreate the temporary directory with permissive access controls
- Gain read/write access to files stored in that directory during multipart processing
Attack Vector
The attack requires local access to the system running the vulnerable WebFlux application. An attacker who has authenticated access to the local system can exploit this vulnerability by manipulating the temporary storage directory. The attack flow involves:
- The attacker identifies a WebFlux application processing multipart uploads
- The attacker locates or predicts the temporary directory path
- The attacker removes and recreates the temporary directory with controlled permissions
- When legitimate users upload files, the attacker can read the uploaded content
- Alternatively, the attacker can place malicious files to be processed by the application
The local attack vector means this vulnerability cannot be directly exploited remotely over a network. However, in environments where attackers have compromised a low-privileged account, this vulnerability provides a path to escalate access to sensitive data.
Detection Methods for CVE-2021-22118
Indicators of Compromise
- Unexpected changes to temporary directory permissions or ownership in paths used by Spring WebFlux applications
- Unusual file system activity involving /tmp or application-specific temporary directories
- Log entries showing file access errors or permission changes during multipart upload processing
- Evidence of directory recreation events in file system audit logs
Detection Strategies
- Monitor file system events for deletion and recreation of temporary directories used by Java/Spring applications
- Implement file integrity monitoring on directories used for temporary file storage
- Configure security auditing to log permission changes on sensitive directories
- Review application logs for anomalous multipart upload handling errors
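One way to act on the file system monitoring items above is to feed auditd records for the multipart storage directory through a small filter that flags removal, recreation, world-writable modes, or an unexpected owner. The script below is an added example written for this page, not code from the advisory or from the Spring project; the directory path, the service-account uid, and the audit records are constructed placeholders in the abbreviated auditd key=value format.

```shell
#!/bin/sh
# Added example, not part of the advisory: scan auditd-style records for
# removal, recreation, world-writable mode, or unexpected ownership of the
# directory a WebFlux application uses for multipart file storage.
# Assumptions: the directory path and the service-account uid below are
# placeholders; the audit records are constructed and abbreviated.

WATCH_DIR="/var/webflux-app/tmp"   # assumed multipart storage directory
EXPECTED_UID=1001                  # assumed uid of the spring-app account

# Constructed, abbreviated auditd records (not real logs). Record 201 removes
# the directory, 202 recreates it world-writable under another uid, 203 is the
# application writing into the hijacked directory, 204 is a benign write.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1622100001.100:201): syscall=84 success=yes uid=1002 comm="rmdir" key="webflux_tmp"
type=PATH msg=audit(1622100001.100:201): item=0 name="/var/webflux-app/tmp" nametype=DELETE mode=040700 ouid=1001
type=SYSCALL msg=audit(1622100001.200:202): syscall=83 success=yes uid=1002 comm="mkdir" key="webflux_tmp"
type=PATH msg=audit(1622100001.200:202): item=1 name="/var/webflux-app/tmp" nametype=CREATE mode=040777 ouid=1002
type=SYSCALL msg=audit(1622100002.300:203): syscall=257 success=yes uid=1001 comm="java" key="webflux_tmp"
type=PATH msg=audit(1622100002.300:203): item=0 name="/var/webflux-app/tmp" nametype=PARENT mode=040777 ouid=1002
type=SYSCALL msg=audit(1622100003.400:204): syscall=257 success=yes uid=1001 comm="java" key="webflux_tmp"
type=PATH msg=audit(1622100003.400:204): item=0 name="/var/webflux-app/tmp" nametype=PARENT mode=040700 ouid=1001'

# Reads audit records on stdin and prints one ALERT line per suspicious PATH
# record that names WATCH_DIR.
audit_tmp_dir_events() {
  awk -v dir="$WATCH_DIR" -v uid="$EXPECTED_UID" '
    $1 == "type=PATH" && index($0, "name=\"" dir "\"") {
      ntype = ""; mode = ""; ouid = ""; reasons = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "nametype")  ntype = kv[2]
        else if (kv[1] == "mode") mode = kv[2]
        else if (kv[1] == "ouid") ouid = kv[2]
      }
      if (ntype == "DELETE") reasons = reasons " directory-removed"
      if (ntype == "CREATE") reasons = reasons " directory-recreated"
      # a last octal digit with the write bit set (2, 3, 6, 7) is world-writable
      if (mode != "" && substr(mode, length(mode), 1) ~ /[2367]/)
        reasons = reasons " world-writable(" mode ")"
      if (ouid != "" && ouid != uid)
        reasons = reasons " unexpected-owner(uid=" ouid ")"
      if (reasons != "") print "ALERT " $2 " " dir ":" reasons
    }'
}

# Number of alerts raised on the constructed sample (3: records 201, 202, 203).
sample_alert_count() {
  printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_tmp_dir_events | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_tmp_dir_events
```

In a real deployment the records come from a watch rule such as `auditctl -w /var/webflux-app/tmp -p wa -k webflux_tmp`, and the output of `ausearch -k webflux_tmp` is piped into `audit_tmp_dir_events`. The benign record 204 produces no alert because the parent directory still has mode 700 and the expected owner.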
Monitoring Recommendations
- Enable file system auditing on temporary storage directories used by WebFlux applications
- Implement real-time alerting for directory permission modifications in application paths
- Monitor for suspicious local user activity around application file storage locations
- Review system authentication logs for unusual local access patterns
How to Mitigate CVE-2021-22118
Immediate Actions Required
- Upgrade Spring Framework 5.2.x installations to version 5.2.15 or later
- Upgrade Spring Framework 5.3.x installations to version 5.3.7 or later
- Review and restrict local user access on systems running WebFlux applications
- Audit temporary directory permissions and ownership
Patch Information
VMware has released patched versions of Spring Framework that address this vulnerability. Organizations should upgrade to Spring Framework 5.2.15 or later for the 5.2.x branch, or 5.3.7 or later for the 5.3.x branch. Oracle has also addressed this vulnerability in multiple Critical Patch Updates, including July 2021, October 2021, January 2022, April 2022, and July 2022. NetApp has also issued a security advisory for affected products.
For detailed information from VMware, refer to the VMware Security Advisory.
Workarounds
- Configure the WebFlux application to use a custom temporary directory with restrictive permissions
- Implement strict file system permissions on temporary directories (e.g., chmod 700 with application-specific ownership)
- Limit local user access to systems hosting WebFlux applications
- Consider using dedicated service accounts with minimal system privileges for Spring applications
# Example: set restrictive permissions on a dedicated upload directory
mkdir -p /var/webflux-app/tmp
chown spring-app:spring-app /var/webflux-app/tmp
chmod 700 /var/webflux-app/tmp
# Point the application at the secured directory. Note that the Spring Boot
# property spring.servlet.multipart.location applies only to the Servlet stack
# (Spring MVC). A WebFlux application stores large parts in the directory set
# on DefaultPartHttpMessageReader.setFileStorageDirectory(...) (Spring 5.3.x)
# or, by default, in a subdirectory of java.io.tmpdir, so either configure the
# reader explicitly or start the JVM with:
# -Djava.io.tmpdir=/var/webflux-app/tmp
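Because the weakness is that a directory created once can later be replaced by another local user, the hardening above is only useful if the directory is re-checked, for example from a cron job or a deployment health check. The function below is an added example for this page (not code from the advisory or the Spring project) covering the "Audit temporary directory permissions and ownership" action and the workaround list: it verifies that the directory exists, is not a symlink, is owned by the expected account, and has mode 700. The path and account name are placeholders.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Spring's own code: verify that
# a multipart storage directory is still in the hardened state set up above
# (exists, is a real directory rather than a symlink, owned by the expected
# user, mode 700). Prints each finding; returns 0 when sound, 1 otherwise.
# Assumptions: path and account name are placeholders for your deployment.

check_upload_dir() {
  dir="$1"; want_user="$2"; rc=0
  if [ -L "$dir" ] || [ ! -d "$dir" ]; then
    echo "FAIL: $dir is missing or a symlink (another user could recreate it)"
    return 1
  fi
  # ls -ld is portable where stat's flags differ between GNU and BSD; field 1
  # is the mode string, field 3 the owner.
  set -- $(ls -ld "$dir")
  mode="$1"; owner="$3"
  if [ "$owner" != "$want_user" ]; then
    echo "FAIL: $dir owned by $owner, expected $want_user"; rc=1
  fi
  case "$mode" in
    # 700: only the owner can list, create or remove entries. A trailing "."
    # (SELinux label) is fine; a trailing "+" (extra ACL entries) or any other
    # mode is reported so it can be reviewed.
    drwx------|drwx------.) ;;
    *) echo "FAIL: $dir mode is $mode, expected drwx------"; rc=1 ;;
  esac
  return $rc
}

# Usage with the placeholder values from the hardening snippet above:
# check_upload_dir /var/webflux-app/tmp spring-app && echo "upload dir OK"
```

A non-zero exit from this check during multipart processing is exactly the condition the fixed Spring versions guard against internally; running it periodically on unpatched hosts gives an early signal that the directory has been tampered with before the upgrade is applied.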
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

