Spring is the most popular application development framework for enterprise Java. Millions of developers worldwide use the Spring Framework to create high-performing, easily testable, and reusable code.
The Spring Framework is an open-source Java platform. It was initially written by Rod Johnson and was first released under the Apache 2.0 license in June 2003.
Spring is lightweight in terms of size and transparency; the basic version of the framework is around 2 MB.
The Spring Framework's core features can be used in developing any Java application, but there are also extensions for building web applications on top of the Java EE platform. In addition, the Spring Framework aims to make J2EE development more straightforward and to promote good programming practices by enabling a POJO-based programming model.
The following are a few of the key benefits of using the Spring Framework:
The technology that Spring is most identified with is the Dependency Injection (DI) flavour of Inversion of Control. Inversion of Control (IoC) is a general concept that can be expressed in many different ways; Dependency Injection is merely one concrete example of it.
When writing a complex Java application, application classes should be as independent as possible of other Java classes, which increases the possibility of reusing them and of testing them in isolation during unit testing. Dependency Injection helps in gluing these classes together while, at the same time, keeping them independent.
What exactly is dependency injection? First, let's look at the two words separately. The dependency part translates into an association between two classes: for example, class A depends on class B. The second part, injection, means that class B will be injected into class A by the IoC container.
Dependency injection can happen by passing parameters to the constructor or, after construction, through setter methods. As Dependency Injection is the heart of the Spring Framework, this concept is explained in a separate chapter with relevant examples.
The Offensive360 security team received a notice about a remote code execution vulnerability in the Spring Framework, named Spring4Shell and classified as critical.
The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit, however, requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to that exploit. The nature of the vulnerability is more general, though, and there may be other ways to exploit it.
Successful exploitation of this vulnerability could result in a web shell being installed on the compromised server, allowing further command execution.
The Spring Framework is a very popular Java development framework, so millions of applications on the internet are built with it.
Spring Framework 5.3.18 and Spring Framework 5.2.20 are the two patched versions.
Option 1
Search the system for Spring Beans. If spring-beans-{version}.jar exists and its version is lower than 5.3.18 (5.3 line) or 5.2.20 (5.2 line), the application is affected by the vulnerability.
Option 2
If the project is built with Maven, there will usually be a pom.xml file in the project's root directory.
Open the pom.xml file, as shown below:
Search for spring-beans in this file. Similarly, if spring-beans is found and the value inside its <version> tag is lower than 5.3.18 or 5.2.20, the application is affected by the vulnerability. (The spring-beans version in the image is 5.2.3, which is affected.)
However, if spring-beans is not found, that does not prove definitively that the Spring Framework is not used.
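The two manual checks above (jar file name in Option 1, pom.xml version in Option 2) can be automated. This is an added example, not code from the original post: it resolves Maven ${property} placeholders, handles ".RELEASE" suffixes, and applies the 5.3.18 / 5.2.20 thresholds per maintenance branch. The sample pom.xml is constructed, and treating branches newer than 5.3 as fixed is an assumption made here.

```python
import re
import xml.etree.ElementTree as ET
FIXED = {(5, 3): 18, (5, 2): 20}  # first patched patch level per branch (from the post)

def parse_version(text):
    """Turn '5.2.3.RELEASE' or '5.3.18' into a (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable(version):
    """Apply the post's rule per branch: 5.3.x < 18 and 5.2.x < 20 are affected."""
    major, minor, patch = version
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    # Older branches never received the fix; newer ones are assumed fixed (assumption).
    return (major, minor) < (5, 2)

def jar_version(filename):
    """Option 1: read the version out of a spring-beans-{version}.jar file name."""
    m = re.match(r"spring-beans-(.+)\.jar$", filename)
    return parse_version(m.group(1)) if m else None

def pom_spring_beans_version(pom_xml):
    """Option 2: find the spring-beans <version> in a pom, resolving ${property} refs."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda tag: "{%s}%s" % (ns, tag)) if ns else (lambda tag: tag)
    props = {}
    for block in root.iter(q("properties")):
        for prop in block:
            props[prop.tag.split("}")[-1]] = (prop.text or "").strip()
    for dep in root.iter(q("dependency")):
        if dep.findtext(q("artifactId")) == "spring-beans":
            raw = dep.findtext(q("version")) or ""
            raw = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), ""), raw)
            return parse_version(raw)
    return None  # not found: does not prove Spring is unused

# Constructed sample pom.xml mirroring the post's 5.2.3 case (not a real project file).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><spring.version>5.2.3.RELEASE</spring.version></properties>
  <dependencies><dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-beans</artifactId>
    <version>${spring.version}</version>
  </dependency></dependencies>
</project>"""

if __name__ == "__main__":
    v = pom_spring_beans_version(SAMPLE_POM)
    print(v, "affected" if v and is_vulnerable(v) else "fixed or not found")
```

A None result from pom_spring_beans_version means the version was not declared explicitly (for example, managed by a parent POM), so the jar check or the build's dependency tree is still needed.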
Spring has released new versions to fix this vulnerability; affected users can download them from the following link:
https://github.com/spring-projects/spring-framework/tags
Note: Spring Framework 5.3.18 and Spring Framework 5.2.20 are the two secure versions officially provided by Spring.
This workaround does not fix the issue completely; users can decide whether to adopt it based on their business needs.
1. Perform a full search for the @InitBinder annotation in the application to see whether dataBinder.setDisallowedFields is called in the method body. Wherever this code snippet is found, add {"class.*", "Class.*", "*.class.*", "*.Class.*"} to the existing blacklist. (Note: if this snippet is used in many places, the entries need to be appended in every one of them.)
2. Create the following global class under the application's project package and make sure that it is loaded by Spring (it is recommended to add it to the package where the Controllers are located). After adding the class, recompile, package, and verify the project for functionality, and then republish it.
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applies to every controller; the high @Order value gives this advice low precedence,
// so it runs after any other @ControllerAdvice and its disallowed fields still apply.
@ControllerAdvice
@Order(10000)
public class GlobalControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Refuse data binding to any property path that starts with or contains "class"/"Class".
        String[] abd = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(abd);
    }
}
Note: On the server running the business system, run the "java -version" command to check the JDK version in use. If the version number is 8 or lower, the system is not affected by the vulnerability, as shown below:
The JDK version found above is 8, which is not affected by the vulnerability.
No Offensive360 product or service uses the Spring Framework, and thus none of our products or services is affected by this vulnerability.
© Copyright Offensive 360