
Spring Framework Vulnerability 2022 | Complete Guide

Research Team
April 19, 2022

Spring is the most popular application development framework for enterprise Java. Millions of developers worldwide use Spring Framework to create high-performing, easily testable, and reusable code.

Spring framework is an open-source Java platform. It was initially written by Rod Johnson and was first released under the Apache 2.0 license in June 2003.

Spring is lightweight in terms of size and transparency; the basic version of the Spring Framework is around 2 MB.

The Spring Framework’s core features can be used in developing any Java application, and there are extensions for building web applications on top of the Java EE platform. The Spring Framework aims to make J2EE development easier and to promote good programming practices by enabling a POJO-based programming model.

Benefits of Using the Spring Framework:

Following is a list of some of the benefits of using the Spring Framework:

  • Spring enables developers to develop enterprise-class applications using POJOs. The benefit of using only POJOs is that you do not need an EJB container product such as an application server; a robust servlet container such as Tomcat or a commercial equivalent is enough.
  • Spring is organised in a modular fashion. Therefore, even though the number of packages and classes is substantial, you have to worry only about the ones you need and ignore the rest.
  • Spring does not reinvent the wheel; instead, it uses existing technologies such as several ORM frameworks, logging frameworks, JEE, Quartz, JDK timers, and other view technologies.
  • Testing an application written with Spring is simple because environment-dependent code moves into the framework. Furthermore, using JavaBean-style POJOs makes it easier to use dependency injection for injecting test data.
  • Spring’s web framework is a well-designed MVC framework, which provides a great alternative to web frameworks such as Struts or other over-engineered or less popular web frameworks.
  • Spring provides a convenient API to translate technology-specific exceptions (thrown by JDBC, Hibernate, or JDO) into consistent, unchecked exceptions.
  • Lightweight IoC containers tend to be lightweight, especially when compared to EJB containers. This is beneficial for developing and deploying applications on computers with limited memory and CPU resources.
  • Spring provides a consistent transaction management interface that can scale down to a local transaction (using a single database, for example) and scale up to global transactions (JTA, for example).

Dependency Injection (DI):

The technology that Spring is most identified with is the Dependency Injection (DI) flavour of Inversion of Control. Inversion of Control (IoC) is a general concept that can be expressed in many different ways; Dependency Injection is merely one concrete example of it.

When writing a complex Java application, application classes should be as independent as possible of other Java classes, to increase the possibility of reusing them and testing them independently of other classes during unit testing. Dependency Injection helps in gluing these classes together while, at the same time, keeping them independent.

What is dependency injection exactly? First, let’s look at these two words separately. The dependency part translates into an association between two classes; for example, class A depends on class B. Now let’s look at the second part, injection: this means that class B will be injected into class A by the IoC container.

Dependency injection can happen by passing parameters to the constructor or, after construction, through setter methods. As Dependency Injection is the heart of the Spring Framework, we will explain this concept in a separate chapter with relevant examples.

Summary

The Offensive360 security team received a notice about a remote code execution vulnerability in the Spring Framework, named Spring4Shell and classified as critical.

The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. However, the specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit. The nature of the vulnerability is more general, though, and there may be other ways to exploit it.

Exploitation of this vulnerability could result in a web shell being installed on the compromised server, allowing further command execution.

Impact

Spring Framework is a very popular Java development framework; therefore, millions of applications on the internet are built with it.

Affected versions:

  • Spring Framework 5.3.X < 5.3.18
  • Spring Framework 5.2.X < 5.2.20
  • Note: older versions are also affected.

Provided by Spring Framework

Spring Framework 5.3.18 and Spring Framework 5.2.20 are the two fixed versions.

Solutions

Remediation Solution

1. Check the component version

Option 1

Search the system for spring-beans. If spring-beans-{version}.jar exists and the version (the field inside the <version> tag) is lower than 5.3.18 or 5.2.20, the system is affected by the vulnerability.

[Image: Spring Framework Vulnerability]

Option 2

If the project compiles using Maven, there will usually be a pom.xml in the project’s root directory.

Open the pom.xml file, as shown below:

[Image: Spring Framework Vulnerability]

Search for spring-beans in this file. Similarly, if spring-beans is found and the field inside the <version> tag is lower than 5.3.18 or 5.2.20, the project is affected by the vulnerability. (The spring-beans version in the image is 5.2.3, which is affected.)

[Image: Spring Framework Vulnerability]

However, if spring-beans is not found, that does not prove definitively that the Spring Framework is not used.
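As an added example (not the article's own code), the following POSIX shell script turns the two manual checks above into a repeatable inventory check: it walks a directory for spring-beans jar file names and literal pom.xml <version> tags, classifies each against the affected ranges listed above, and also parses a "java -version" string for the JDK check mentioned later in the article. The function names, the directory layout, and the sample pom.xml are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: encodes the article's affected
# ranges (5.3.x < 5.3.18, 5.2.x < 5.2.20, older branches also affected) and its
# two evidence sources: spring-beans jar file names and pom.xml <version> tags.

# is_vulnerable_version VERSION -> exit 0 if in an affected range, 1 otherwise
is_vulnerable_version() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 -s | sed 's/[^0-9].*//')
    patch=$(printf '%s' "$1" | cut -d. -f3 -s | sed 's/[^0-9].*//')
    for part in "$major" "$minor"; do
        case "$part" in ''|*[!0-9]*) return 1 ;; esac      # unparsable: make no claim
    done
    [ -n "$patch" ] || patch=0
    [ "$major" -lt 5 ] && return 0                          # pre-5.x: older, affected
    [ "$major" -gt 5 ] && return 1                          # not in the listed ranges
    [ "$minor" -lt 2 ] && return 0                          # 5.0.x / 5.1.x: older, affected
    [ "$minor" -eq 2 ] && [ "$patch" -lt 20 ] && return 0   # 5.2.x below 5.2.20
    [ "$minor" -eq 3 ] && [ "$patch" -lt 18 ] && return 0   # 5.3.x below 5.3.18
    return 1
}

# jdk_major_of STRING -> major number of a "java -version" string
# ("1.8.0_292" -> 8, "11.0.2" -> 11); the article treats 8 and below as unaffected
jdk_major_of() {
    case "$1" in
        1.*) printf '%s\n' "$1" | cut -d. -f2 ;;
        *)   printf '%s\n' "$1" | sed 's/[^0-9].*//' ;;
    esac
}

# scan_spring_beans DIR -> one line per finding: "<path> <version> AFFECTED|OK|UNRESOLVED"
scan_spring_beans() {
    find "$1" -type f -name 'spring-beans-*.jar' 2>/dev/null | while read -r jar; do
        ver=$(basename "$jar" .jar | sed 's/^spring-beans-//')
        if is_vulnerable_version "$ver"; then echo "$jar $ver AFFECTED"; else echo "$jar $ver OK"; fi
    done
    find "$1" -type f -name pom.xml 2>/dev/null | while read -r pom; do
        # only a literal <version> directly after the spring-beans artifactId is read;
        # a ${property} or a version inherited from a BOM needs a manual look
        ver=$(tr -d '\n' < "$pom" | sed -n 's/.*<artifactId>spring-beans<\/artifactId>[[:space:]]*<version>\([^<]*\)<\/version>.*/\1/p')
        [ -n "$ver" ] || continue
        case "$ver" in '${'*) echo "$pom $ver UNRESOLVED"; continue ;; esac
        if is_vulnerable_version "$ver"; then echo "$pom $ver AFFECTED"; else echo "$pom $ver OK"; fi
    done
}
# usage: sh spring_beans_check.sh /path/to/deployment
if [ "$#" -gt 0 ]; then scan_spring_beans "$1"; fi
```

A version that comes from a Maven property or a parent BOM is reported as UNRESOLVED or not at all, so an empty result is not proof of absence, as the article notes.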

2. Spring Framework Solution

Spring has released new versions that fix this vulnerability. Affected users can download them from the following link:

https://github.com/spring-projects/spring-framework/tags

Note: Spring Framework 5.3.18 and Spring Framework 5.2.20 are the two fixed versions officially provided by Spring.

3. Workaround

This workaround does not fix the issue altogether; users can decide whether to adopt it based on their business needs.

Perform the following steps:

1. Perform a full search for the @InitBinder annotation in the application to see whether the dataBinder.setDisallowedFields method is called in the method body. If such a call is found, add {"class.*", "Class.*", "*.class.*", "*.Class.*"} to the existing blacklist. (Note: if this code snippet is used in many places, the patterns need to be appended everywhere.)

2. First, create the following global class under the application's project package and make sure that it is loaded by Spring (it is recommended to add it to the package where the Controllers are located). Second, after the class is added, recompile, package, and verify the project for functionality. Finally, republish the project.

import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Global advice applied to every controller. The high order value makes it run
// after other @ControllerAdvice beans, so their setDisallowedFields calls do not
// overwrite this list; controller-local @InitBinder methods still run later,
// which is why step 1 above appends the patterns there as well.
@ControllerAdvice
@Order(10000)
public class GlobalControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Refuse to bind any request parameter whose property path passes
        // through "class"/"Class", the path the exploit abuses.
        String[] abd = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(abd);
    }
}

Note: on the server running the business system, run the “java -version” command to check the running JDK version. If the major version number is less than or equal to 8, the system is not affected by the vulnerability, as shown below:

The JDK version found above is 8, which is not affected by the vulnerability.

Offensive360 Solutions

No Offensive360 product or service uses the Spring Framework, and thus none of our products or services is affected by this vulnerability.

  1. Offensive360 NGAF customers, please update NGAF security protection.
  2. Offensive360 Cyber Command detects attacks that exploit this vulnerability and alerts users in real-time. Additionally, users can correlate Cyber Command with Offensive360 NGAF to block the attackers’ IP addresses.
