Cyber Resilience
April 5, 2022

Spring4Shell: Java vulnerabilities bounce back into the headlines

a col of people in different colorslong exposure image of man walking by blue panels

In late March 2022, a security researcher accidentally disclosed a zero-day vulnerability on Twitter that allowed for remote code execution in Java Spring web applications. The initial tweet was deleted, but researchers and others had already managed to copy and release the proof of concept (PoC).

This vulnerability quickly gained traction. Its aim was have as big an impression as Log4Shell, a massively impactful vulnerability in the ubiquitous logging library Log4j that was found just a few months before. Commonly referred to as Spring4Shell or SpringShell due to its similarity with Log4Shell, it was designated CVE-2022-22965.

A detailed analysis by PaloAlto identifies that the new vulnerability appears to be related to CVE-2010-1622, where a block list used to fix that bug can now be bypassed in Java versions 9 or later.

Let's take a closer look and see if it lives up to the hype.

Affected versions

The vulnerability was in spring-core and affects Spring on versions earlier than 5.3.18 or 5.2.20. However, there are also several required conditions that must be met to exploit this vulnerability:

  • Running a vulnerable version of Spring
  • Running Java version 9 or higher
  • Running Apache Tomcat
  • Deployed as a WAR, not a Spring Boot executable
  • Using spring-mvc or spring-webflux

These are not typically part of default conditions for code deployed in production.

This list is likely to change as more researchers find ways to bypass the known mitigation or requirements. So even if your applications don't match the requirements, you should prioritize patching.

Remediation

At the time the PoC was released there were no patches available. At the time of writing, patches have been released for the Spring framework that resolves the vulnerability and prevents further exploitation in the following versions:

  • 5.3.18
  • 5.2.20

There are also new versions of Spring Boot for these, including dependency upgrades, bug fixes, and other improvements. These versions are:

  • 2.6.6
  • 2.5.12

Tomcat has also released a security patch to remediate the vulnerability from the server-side by updating to a version newer than:

  • 9.0.62

Temporary remediation
It's not always possible to instantly update to a new version, and sometimes it can be useful to apply temporary mitigations until a patch is available. Praetorian has suggested additional mitigation to add an exclusion list to the Controller that prevents class types from being loaded.

import org.springframework.core.Ordered;

import org.springframework.core.annotation.Order;

import org.springframework.web.bind.WebDataBinder;

import org.springframework.web.bind.annotation.ControllerAdvice;

import org.springframework.web.bind.annotation.InitBinder;



@ControllerAdvice

@Order(10000)

public class BinderControllerAdvice {



@InitBinder

public void setAllowedFields(WebDataBinder dataBinder) {

String denylist = new String{"class.*", "Class.*", "*.class.*", "*.Class.*"};

dataBinder.setDisallowedFields(denylist);

}



}

Exploited in the wild

So far there have only been sporadic, unconfirmed reports of this vulnerability being exploited in the wild. Due to the non-standard configuration required to exploit this vulnerability, security researchers are struggling to find vulnerable real-world applications.

Detection

Spring is a modern web application so it's possible to identify exploit attempts by reviewing the web logs. Most PoCs use the vulnerability to write a JSP shell. The class data is sent in a POST request and the post-exploit activity uses GET requests where logs are more likely to reveal signs of exploitation.

You can check web server logs for the following examples:

  • ?class.module
  • &id=<command>
  • cmd=<command>

Also, check any web servers for suspicious JSP files that aren’t part of the deployed web application. Examples include:

  • 0xd0m7.jsp
  • myshell.jsp
  • shell.jsp
  • tomcatwar.jsp
  • wpz.jsp

Try it yourself

Hot on the heels of Log4Shell, this vulnerability helps highlight the importance of having dependency management tooling in place. For example, software composition analysis tools can help proactively alert you to issues like this in your applications.

We’ve developed a series of labs to help you understand this vulnerability and exploit.

  • In the offensive/red team lab you learn about the exploit and use the PoC against a real vulnerable server
  • In the defensive/blue team lab you analyze log files to discover information about how the vulnerable server was exploited

In the application security lab you’ll look in depth at the code and experiment with mitigations to protect your server and application from exploitation while waiting for the updated packages

Mat Rollings
Interim AppSec SME
@stealthcopter

Trusted by top companies worldwide
to enhance cybersecurity

Trusted by some of the world’s biggest brands, we’re committed to taking your cybersecurity readiness to the next level - and we’re just getting started.

What Our Customers
Are Saying About Immersive

Realistic simulation of current threats is the only way to test and improve response readiness, and to ensure that the impact of a real attack is minimized. Immersive’s innovative platform, combined with Kroll’s extensive experience, provides the closest thing to replication of a real incident — all within a safe virtual environment.

Paul Jackson
Regional Managing Director, APAC Cyber Risk, Kroll

The speed at which Immersive produces technical content is hugely impressive, and this turnaround has helped get our teams ahead of the curve, giving them hands-on experience with serious vulnerabilities, in a secure environment, as soon as they emerge.

TJ Campana
Head of Global Cybersecurity Operations, HSBC

We no longer worry about managing infrastructure, leaving us free to build great courses.

Daniel Duggan
Director, Zero-Point Security

Ready to Get Started?
Get a Live Demo.

Simply complete the form to schedule time with an expert that works best for your calendar.