Researchers found a critical vulnerability in Spring4Shell, a popular Java framework. Here’s how it works, why it’s dangerous, and how to protect from it. Researchers have discovered a critical vulnerability CVE-2022-22965, in Spring, an open-source framework for the Java platform. Unfortunately, details about the vulnerability were leaked to the public before the official announcement was published as well as the relevant patches were released.
The vulnerability immediately attracted the attention of information security specialists, as it potentially poses a serious threat to many web applications. In resemblance to the overhyped Log4Shell, the new vulnerability's name is Spring4Shell.
The creators of the VMware Spring framework have already released patches to fix vulnerable applications. So we recommend that all companies using Spring Framework versions 5.3 and 5.2 immediately upgrade to versions 5.3.18 or 5.2.20.
What is Spring4Shell and why this vulnerability is so dangerous?
The vulnerability belongs to the RCE class, that is, it allows an attacker to remotely execute malicious code. At the moment, according to the CVSS v3.0 calculator, its severity is 9.8 out of 10. The vulnerability affects Spring MVC as well as Spring WebFlux applications running under Java Development Kit version 9 or later.
Researchers report the discovered vulnerability to VMware on Tuesday night. But already on Wednesday proof of concept for the vulnerability will publish on GitHub. The PoC will quickly remove. But not until it will notice by security experts (some of whom confirmed the danger of the vulnerability). And it’s very unlikely that such a potent exploit has gone unnoticed by cybercriminals.
The Spring framework is quite popular among Java developers, which means that potentially many applications could be vulnerable. According to a post by Bleeping Computer, Java applications vulnerable to Spring4Shell could become a cause of compromise for a huge number of servers. Moreover, according to the same post, the vulnerability is already being actively exploited in the wild.
How Spring4Shell Vulnerability Works
There are several PoCs of the Spring4 shell vulnerability already available. Most of them will fork or inspire by this GitHub repository.
The exploit relies on a specially crafted HTTP request that abuses how Spring’s RequestMapping interface interprets and parses web request query parameters. This interface maps incoming web requests onto the appropriate methods for handling.
The Spring4Shell vulnerability lies in the RequestMapping interface’s filtering mechanism for user-supplied data. Attacks exploiting Spring4Shell supply a payload using Module.getClassLoader(). This allows an attacker to load an arbitrary malicious class that the server must parse. Therefore vulnerable versions of Spring did not filter this attack path, which leads to the exploit.
Conditions for exploiting a Spring4Shell vulnerability
The only Spring4Shell exploitation method known at the time of publication requires a specific confluence of circumstances. For the exploit to be successful, the following components will utilize on the attacked side:
- Java Development Kit version 9 or later;
- Apache Tomcat as a servlet container;
- WAR (Web Application Resource) file format instead of default JAR;
- Dependencies on spring-web MVC or spring-web flux;
- Spring framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older.
However, it’s quite possible that there are more yet unknown options of exploitation. The very same vulnerability can exploit in some other way.
How to Protect Yourself from Spring4Shell
The main advice for anyone who uses the Spring framework is to upgrade to secure versions 5.3.18 or 5.2.20.
The Apache Software Foundation will also release patched versions of Apache Tomcat 10.0.20, 9.0.62, and 8.5.78, in which the attack vector will close on the Tomcat side.
The Spring developers have also released patched versions of the Spring Boot 2.5.12 and 2.6.6 extensions that depend on the patched version of Spring Framework 5.3.18.
If for some reason you cannot update the above software, then you should use one of the workarounds published on the official Spring website.
To remediate the vulnerability, ensure your deployments of the Spring framework are running a version equal to or greater than 5.3.18 or 5.2.20.
In Maven, you can upgrade by adding the following entry to your POM file:
<properties>
<spring-framework.version>5.3.18</spring-framework.version>
</properties>In Gradle, add:
ext['spring-framework.version'] = '5.3.18'If you are not able to upgrade, we recommend applying Spring’s workaround to mitigate the risk of an exploit.
Is the Offensive360 platform Vulnerable to SpringShell?
After conducting internal research. We can confirm that the Offensive360 platform is not vulnerable to SpringShell (CVE-2022-22965). The recent RCE vulnerability in Spring Cloud Function (CVE-2022-22963).
How Can We Use Offensive360 Xray to Detect the SpringShell Vulnerability?
Offensive360 Artifactory can detect artifacts that are vulnerable to the SpringShell vulnerability. For any support artifact type, and are augmented with detailed research data and mitigations. Read our remediation how-to blog post to learn how to best use the Offensive360 Platform to find, fix, and fortify your software supply chain.
