The exploit code for Spring4Shell was posted by a Chinese-speaking developer, which proved that threat actors could trigger RCE (Remote Code Execution) on target systems by leveraging the vulnerability. Security researchers now suspect that Spring4Shell is being exploited in the wild.
A Potentially Severe Vulnerability
The confusing situation began when a Chinese-speaking developer posted an exploit code for a zero-day software vulnerability in Spring.io’s Spring Core module of the Spring Framework. The exploit code was briefly published on GitHub and quickly deleted soon after, however, security researchers had already grabbed the data before it was gone. The vulnerability affects the SpringMVC and Spring WebFlux applications that run on JDK (Java open-source) 9+. A CVE (Common Vulnerability and Exposures public database) code CVE-2022-22965 was attributed to the vulnerability today and the vulnerability was given a CVSS score of 9.8, translating to extremely critical, proving that the POC (Proof-of-Concept) has shown real-world dangers. Simply put, a malicious external threat could send a basic HTTP POST (data binding) to a vulnerable application to remotely execute commands on the server. Spring4Shell can potentially affect many vulnerable real-world apps, vulnerability analyst Will Dormann added. The following prerequisites are required for the exploit: JDK 9 or higher, an Apache Tomcat as the Servlet container, WAR packaging, and a spring-webmvc or spring-webflux dependency, VMware noted. According to Rapid7, one payload possibility scenario via the SpringframeworkMVC is the alteration of the Tomcat server’s logging properties via ClassLoader, where the payload redirects logging logic to the “ROOT” directory and then drops the file and payload. Attackers can then start invoking remote commands. “We’re certain that malicious class loading payloads will appear quickly,” Rapid7 wrote.
Similarities to Log4Shell?
Spring4Shell “is being hyped and rumored to be as impactful as Log4Shell for the moment” due to the potential breadth of attack surfaces, Flashpoint intel remarked. This vulnerability does not seem to have the widespread impact as Log4Shell did, yet. The difference is that Log4Shell was vulnerable in the default configuration, while it seems Spring4Shell needs to be configured in a certain way to be vulnerable. On the other hand, some experts believe that Spring4Shell could eventually have worse consequences than Log4shell, which was weaponized for high-profile cyberattacks and was a severe risk to the entire internet — the remnants of which still linger across cyberspace. RCE zero-day vulnerabilities are considered to be the most dangerous form of software vulnerabilities because they are inherently severe and are exploited before developers have a chance to apply fixes. Furthermore, open-source libraries like those from Spring.io in this case are a favorite among cybercriminals because of how easy it is to compromise hundreds of thousands of targets at once. “The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it,” Spring’s parent company VMware stated.
Spring.io Has Released Emergency Fixes
Spring.io has released emergency fixes Spring Framework v. 5.3.18 and v. 5.2.20 to address the alarming situation. In addition, Spring Boot 2.6.6. can now be downloaded. The following Spring Framework versions are severely vulnerable;
Spring Framework 5.30 to 5.3.17 Spring Framework 5.2.0 to 5.2.19 Legacy versions are also affected
Mitigation Recommendations
Users of the affected versions above should apply the following steps: 5.3.x users should upgrade to 5.3.18 and above, while 5.2.x users should upgrade to 5.2.20 and above. GitHub user hillu has built a scanner to help users scan for vulnerable Spring Java web application libraries, which users can download. Furthermore, Spring.io recommends that everyone continues to watch their blog space for the latest Spring4Shell updates.
About Spring.io
Spring.io, a subsidiary of VMware, is a computer software company based in Palo Alto, California specializing in open-source flexible libraries that are trusted by developers all over the world. According to the official website, Spring is the world’s most popular Java framework.