Scope of the vulnerability
As the world’s most popular Java lightweight open-source framework, Spring allows developers to focus on business logic and simplifies the development cycle of Java enterprise applications.
On 29/03/2022, a Chinese security researcher publicly posted a 0-day exploit for the Spring Core framework. This was subsequently deleted, but was already picked up by several other parties. This exploit was dubbed “Spring4Shell“.
Spring4Shell uses a vulnerable annotation RequestMapping in combination with Plain Old Java Objects. Due to this, an attacker could post a request with a malicious payload which enables a remote code execution (RCE) for the attacker to use on the compromised host.
This vulnerability (CVE-2022-22965) is the main focus of this threat advisory and not to be confused with CVE-2022-22963, which is a vulnerability in the Spring Cloud Function library.
Affected Versions
The vulnerability exists in the Spring core framework and the following requirements must be met:
- The application uses JDK version greater or equal to 9.0.
- The application uses the Spring Core framework up until v5.3.16 (latest version).
- The application uses form binding with name=value pairs instead of the message conversion system of JSON/XML.
Not affected
If on the running server of the organization system, the “java -version” command outputs a number less than or equal to 8, it is not affected by the vulnerability.
Mitigation
Spring Framework 5.3.18 and 5.2.20 have been released.
Both versions address the vulnerability and are already available on Maven Central.
Remediation
The developers of Spring who maintain the Spring Core Framework, have published a blogpost regarding suggested workarounds which can be used as temporary remediation. The workarounds can be found here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#status
Detection
The bulk of attacks is related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers.
Successful Spring4Shell exploitation may be detected through reverse proxy logs.
Monitor incoming, allowed POST requests containing class., .classloader. or request.getParameter(*) as a reliable and quick detection rule.
The full payload as seen in the POC may provide additional detection opportunities:
- “class.module.classLoader.resources.context.parent.pipeline
- .first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%
- 22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRunt
- ime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%
- 20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20
- while((a%3Din.read(b))3D-1)%7B%20out.println(new%20String(b))%3B%20%7
- D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context
- .parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources
- .context.parent.pipeline.first.directory=webapps/ROOT&class.module.cl
- assLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&cl
- ass.module.classLoader.resources.context.parent.pipeline.first.fileDat
- eFormat=”
Hunting
Post exploitation activity may be hunted for by monitoring suspicious traffic (f.e requests containing recon commands) to probable JSP webshells.
Threat advisory updates
This blog post will be continuously updated in case new findings are published.
Reach out to info@davinsi.com if you need any assistance from our team of security experts.
We hope the following threat advisory assists to react quickly to ongoing threats and urges the need for patching and security monitoring.
References
- SpringShell: Spring Core RCE 0-day Vulnerability
- GitHub – craig/SpringCore0day: SpringCore0day from https://share.vx-underground.org/
- Spring4Shell: Security Analysis of the latest Java RCE ‘0-day’ vulnerabilities in Spring | LunaSec
- Spring4Shell: Zero-Day Vulnerability in Spring Framework | Rapid7 Blog
- signature-base/expl_spring4shell.yar at master · Neo23x0/signature-base