Spring4Shell (CVE-2022-22965) Explained
On March 30, 2022, a security researcher published proof-of-concept exploit code targeting a zero-day vulnerability in the Spring Core module of the Spring Framework. The flaw allows unauthenticated remote code execution (RCE).
The Spring4Shell vulnerability was found in the Spring Framework, a very common open-source application framework for the Java platform with enterprise-focused features. Its initial release occurred on October 1, 2002. At the time of this publication, the main repository has over 33.2k forks and 46.9k stars on GitHub. Applications built on it can be deployed on servers such as Apache Tomcat, or as stand-alone packages bundling all the required dependencies.
As Cynet is aware of emerging threats and vulnerabilities, we’ve confirmed that the Cynet360 platform is not affected by the Spring4Shell vulnerability or any of its components.
Some may confuse this vulnerability with the Spring Cloud Function vulnerability (CVE-2022-22963), which was disclosed on March 29. Another vulnerability disclosed this week is the Spring Expression DoS vulnerability (CVE-2022-22950). Both were patched immediately and are unrelated to the current Spring4Shell vulnerability.
The currently known exploitation method (based on a technique from 2014) requires several preconditions to succeed (according to VMware).
The exploit abuses the fact that when a Spring application is deployed as a “.war” on Tomcat, the `WebAppClassLoader` exposes accessible getters and setters. When used:
Unlike Log4Shell, where attackers needed to find a vulnerable parameter that would be logged, here all the attacker needs is an endpoint annotated with @RequestMapping that accepts a Plain Old Java Object (POJO) as a parameter. In other words, the POJO does not need any particular methods, only data members that can be populated from request parameters.
As of March 31, 2022, Spring Framework versions 5.3.18 and 5.2.20 have been released to address CVE-2022-22965 (Spring4Shell).
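Upgrading to the fixed versions is the real remedy. For applications that cannot upgrade immediately, the following is an added example (not code from the original post) modelled on the stop-gap workaround Spring published with the fix: a global binder restriction that refuses any request-parameter path that would walk from the POJO's `getClass()` getter into class-loader internals. The class name `BinderControllerAdvice` is an assumed name; the annotations and `WebDataBinder.setDisallowedFields` are real Spring Framework APIs.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Stop-gap hardening for the data-binding path Spring4Shell abuses.
 *
 * Spring's data binder resolves request parameter names as property paths
 * on the POJO argument of a @RequestMapping handler. Every Java object
 * exposes getClass(), so a path whose first (or any nested) segment is
 * "class" leaves the POJO and reaches the class loader's getters and
 * setters. Denying those segments at every binder closes that walk for
 * all controllers at once, without editing each handler.
 *
 * Class name is an assumed example name, not from the original post.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // apply after the application's own binder customisations
public class BinderControllerAdvice {

    @InitBinder
    public void denyClassProperties(WebDataBinder dataBinder) {
        // Both spellings are listed because, before the fixed releases,
        // disallowed-field patterns were matched case-sensitively.
        // "*.class.*" covers "class" appearing as a nested segment.
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Caveat: a controller that declares its own @InitBinder method and calls setDisallowedFields locally replaces this global setting, so such controllers must include the same patterns themselves.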
Cynet continues to monitor the Spring4Shell vulnerability and will give updates on any developments and measures that need to be taken to mitigate the threat caused by it.
Our research group is also working around the clock to add detection logic and capabilities against this vulnerability.
Cynet customers should enable the following settings to protect against this vulnerability:
Customers aligned with Cynet’s Best Protection Practices already have these settings enabled and no additional action is required.
The CyOps team is available 24/7 for any question or concern and will gladly assist with timely resolution to any issue.