Scope of the vulnerability
As the world’s most popular Java lightweight open-source framework, Spring allows developers to focus on business logic and simplifies the development cycle of Java enterprise applications.
On 29/03/2022, a Chinese security researcher publicly posted a 0-day exploit for the Spring Core framework. The post was subsequently deleted, but had already been picked up by several other parties. The exploit was dubbed “Spring4Shell”.
Spring4Shell abuses the RequestMapping annotation in combination with Plain Old Java Objects (POJOs) bound to request parameters. Because of this, an attacker can send a request with a malicious payload that results in remote code execution (RCE) on the compromised host.
This vulnerability (CVE-2022-22965) is the main focus of this threat advisory and not to be confused with CVE-2022-22963, which is a vulnerability in the Spring Cloud Function library.
The vulnerability exists in the Spring core framework and the following requirements must be met:
- The application runs on JDK version 9.0 or higher.
- The application uses the Spring Core framework up to and including v5.3.16 (the latest version at the time).
- The application uses form binding with name=value pairs rather than the JSON/XML message conversion system.
If running the “java -version” command on the organization's server reports a major version of 8 or lower, that server is not affected by this vulnerability.
Spring Framework 5.3.18 and 5.2.20 have been released.
Both versions address the vulnerability and are already available on Maven Central.
The Spring developers who maintain the Spring Core Framework have published a blog post with suggested workarounds that can be used as temporary remediation. The workarounds can be found here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#status
The bulk of observed attacks consists of mass scanning by attackers attempting to fingerprint vulnerable systems, as well as scanning by security companies and researchers.
Successful Spring4Shell exploitation may be detected through reverse proxy logs.
Monitoring incoming, allowed POST requests containing class., .classloader. or request.getParameter(*) is a reliable and quick detection rule.
The full payload as seen in the POC may provide additional detection opportunities:
Post-exploitation activity may be hunted for by monitoring suspicious traffic (e.g. requests containing reconnaissance commands) to probable JSP webshells.
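As an added illustration that is not part of the original advisory, the following Python script applies the three indicator strings above to reverse proxy log lines in the common log format, URL-decoding each request target first so that percent-encoded variants are not missed. The log lines, IP addresses, paths and parameter names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Indicator substrings named in the advisory; matched case-insensitively after URL-decoding.
INDICATORS = ("class.", ".classloader.", "request.getparameter(")

# Request portion of a common/combined log format line: "METHOD target HTTP/x.y" status
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalize(target: str, rounds: int = 3) -> str:
    """URL-decode up to `rounds` times (catches double encoding) and lower-case."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()


def matched_indicators(target: str) -> list:
    """Return the advisory indicators present in the normalized request target."""
    norm = normalize(target)
    return [ind for ind in INDICATORS if ind in norm]


def scan_log(lines, allowed_only: bool = True) -> list:
    """Return one hit per suspicious POST as (line number, raw target, status, indicators)."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = _REQ_RE.search(line)
        if not m or m.group("method") != "POST":
            continue
        status = int(m.group("status"))
        if allowed_only and status >= 400:
            continue  # the advisory focuses on requests the server actually accepted
        found = matched_indicators(m.group("target"))
        if found:
            hits.append((lineno, m.group("target"), status, found))
    return hits


# Constructed sample reverse proxy log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Mar/2022:10:01:02 +0000] "GET /api/users?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [31/Mar/2022:10:01:07 +0000] "POST /app/greet?class.Demo.ClassLoader.x=1 HTTP/1.1" 200 87',
    '10.0.0.9 - - [31/Mar/2022:10:01:09 +0000] "POST /app/greet?%63lass%2EDemo%2EclassLoader%2Ey=1 HTTP/1.1" 200 87',
    '10.0.0.7 - - [31/Mar/2022:10:02:00 +0000] "POST /app/login HTTP/1.1" 302 0',
    '10.0.0.9 - - [31/Mar/2022:10:02:15 +0000] "POST /app/greet?name=request.getParameter(%22x%22) HTTP/1.1" 403 0',
    '10.0.0.9 - - [31/Mar/2022:10:02:16 +0000] "POST /app/greet?name=request.getParameter(%22x%22) HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Note that the indicators are plain substrings, so a legitimate POST to a path such as /js/class.js would also match; review hits against the application's known endpoints before alerting on them.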
Threat advisory updates
This blog post will be continuously updated in case new findings are published.
Reach out to firstname.lastname@example.org if you need any assistance from our team of security experts.
We hope this threat advisory helps you react quickly to ongoing threats and underlines the need for patching and security monitoring.