Spring4shell – Critical Remote Code Execution in Spring Framework

Introduction

Ever since Spring4Shell hit the news, the infosec community has been comparing it to Log4Shell, which took the internet by storm. Thankfully, it is less severe than Log4Shell and cannot be exploited everywhere: certain conditions must be met. Spring.io responded quickly and acknowledged the zero-day, and thanks to that quick action patches were released and workarounds were published to protect organizations around the globe.

History

A Chinese-speaking researcher took the internet by storm on 30 March 2022 by publishing a GitHub commit containing a PoC for exploiting a zero-day RCE in the Spring Framework.

People started speculating that this could be the next Log4Shell. The leaked exploit, which appeared to allow unauthorized attackers to execute code on targeted systems, was quickly removed.

![Screenshot of PDF released by Chinese speaking researcher](https://payatu.com/static/images/remoteblogs/aamir.ahmed/spring4shell/exp-chinese.png)

Figure 1. Screenshot of PDF released by Chinese speaking researcher

What is the Java Spring framework?

Spring Core is an open source application framework and inversion-of-control (IoC) container that provides the basic building blocks for Java applications. It is a widely used lightweight library because developers can build reliable applications quickly and effortlessly without having to worry about the deployment environment. More than 500 companies are reported to use Spring in their technology stack.

Spring4shell CVE-2022-22965

Some media outlets have confused it with CVE-2022-22963, which is a completely different vulnerability. Spring4Shell is a remote code execution vulnerability in the Spring Framework identified as CVE-2022-22965. The vulnerability affects Spring MVC and Spring WebFlux applications running on JDK 9+. The available exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not susceptible to the exploit.

Should I be worried?

You should be worried if your system meets all of the following requirements:
  • Running JDK 9+
  • Apache Tomcat as the servlet container
  • Packaged as a traditional WAR and deployed in a standalone Tomcat instance
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older
  • A spring-webmvc or spring-webflux dependency

Spring4shell PoC

The vulnerability affects handler methods that bind request parameters onto POJO (Plain Old Java Object) arguments under a @RequestMapping annotation. The payload abuses that binding to reach the Tomcat server's ClassLoader and alter its logging properties: it simply redirects the logging output to the ROOT directory, so that a file containing the payload is dropped there.

Figure 2. Payload for exploitation

This payload drops a password-protected webshell named tomcatwar.jsp in the Tomcat ROOT directory.

LunaSec has published a working PoC that helps in understanding this vulnerability.

You can also get your hands dirty by trying these Labs and PoCs published by Tauheed Khan.

Mitigation

  • Upgrade to Spring Framework 5.3.18 or 5.2.20.
  • Upgrade to Apache Tomcat version 10.0.20, 9.0.62 or 8.5.78, which closes the attack vector on Tomcat's side.
  • If your organization uses any kind of WAF, implement rule filtering for strings such as "class.", "Class.", ".class." and ".Class.", tuned against the inbound traffic patterns of the deployed services to limit false positives.
  • You can also use one of the workarounds published on the official Spring website.
  • Read more on Spring4shell mitigation here.
  • Payatu maintains a series of blogs on different topics related to information security. Visit Payatu blogs to read more.
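To make the PoC section and the Spring workaround concrete, here is an added example that is not code from the original post or from the Spring project. The first class is the shape of endpoint the vulnerability reaches (a @RequestMapping-style handler that binds request parameters onto a POJO); the second is a global @InitBinder denylist in the spirit of the workaround published on the Spring website, which stops the data binder from walking any property path that goes through "class"/"Class". The package name, GreetingController, Greeting and BinderControllerAdvice are hypothetical names chosen for this example.

```java
// --- File: GreetingController.java (hypothetical application code) ---
package example.spring4shell; // hypothetical package name

import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// A typical handler that binds request parameters onto a POJO argument.
// On an affected Spring version, running on JDK 9+ as a WAR under Tomcat,
// this is the kind of endpoint the exploit targets: the data binder follows
// nested property paths supplied by the request, and a path starting with
// "class." can reach the ClassLoader and, from there, Tomcat's logging
// properties.
@RestController
public class GreetingController {

    // Hypothetical POJO; any bean with setters is enough for binding.
    public static class Greeting {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    @PostMapping("/greet")
    public String greet(Greeting greeting) {
        return "Hello, " + greeting.getName();
    }
}

// --- File: BinderControllerAdvice.java (workaround, applied globally) ---
package example.spring4shell; // hypothetical package name

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Global @InitBinder that denies binding of any field path that starts with
// or contains "class"/"Class", so "class.module.classLoader.*" is never
// written by the binder. Ordered last so it is applied after any other
// @ControllerAdvice that configures the binder.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Patterns match WebDataBinder's simple wildcard syntax: a leading
        // "*." also catches nested paths such as "greeting.class.module".
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Two caveats when relying on this instead of the upgrade: setDisallowedFields replaces the binder's current list rather than appending to it, so any controller that sets disallowed fields in its own @InitBinder must repeat these patterns; and the denylist only closes this particular property path, which is why the page's first recommendation is still to move to Spring Framework 5.3.18 / 5.2.20 and a patched Tomcat.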

References

https://tanzu.vmware.com/security/cve-2022-22965

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

https://github.com/tweedge/springcore-0day-en

https://github.com/lunasec-io/Spring4Shell-POC

https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/

https://github.com/cybersecurityworks553/spring4shell-exploit

About Payatu

Payatu is a research-powered, CERT-In empaneled cybersecurity consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.

Want to check the security posture of your organization? Browse through Payatu’s Service and get started with the most effective cybersecurity assessments.
