Ever since Spring4Shell hit the news, the infosec community has been comparing it to Log4Shell, which took the internet by storm. Thankfully, it is less severe than Log4Shell and can only be exploited when certain conditions are met. Spring.io was quick to respond to the issue and acknowledge the zero-day. Thanks to its quick action, patches were released and workarounds were published to protect organizations around the globe.
People started speculating that this could be the next Log4Shell. The leaked exploit, which appeared to allow unauthorized attackers to execute code on targeted systems, was quickly taken down.
What is the Java Spring Framework?
Spring Core is an open-source application framework and inversion-of-control (IoC) container that provides the foundational functionality for Java applications. It is a widely used lightweight framework because developers can build reliable applications quickly and effortlessly without having to worry about the deployment environment. More than 500 companies are reported to use Spring in their technology stack.
Some media outlets have confused it with CVE-2022-22963, which is a completely different vulnerability. Spring4Shell is a remote code execution vulnerability in the Spring Framework tracked as CVE-2022-22965. It affects Spring MVC and Spring WebFlux applications running on JDK 9+. The available exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable JAR, which is the default, it is not susceptible to the exploit.
Should I be worried?
You should be worried if your system meets all of the following requirements:
- Running JDK 9+
- Apache Tomcat as the servlet container
- Packaged as a traditional WAR and deployed in a standalone Tomcat instance
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
- A spring-webmvc or spring-webflux dependency
The vulnerability affects handler methods that bind request parameters to POJO (Plain Old Java Object) arguments under a @RequestMapping annotation. The payload alters the Tomcat server’s logging properties through the ClassLoader: it redirects the log output to the ROOT web application directory and drops a file containing the payload there.
Figure 2. Payload for exploitation
This payload drops a password-protected webshell named tomcatwar.jsp in the Tomcat ROOT directory.
You can also get your hands dirty with the labs and PoCs published by Tauheed Khan.
- Upgrade to Spring Framework 5.3.18 or 5.2.20.
- Upgrade to Apache Tomcat 10.0.20, 9.0.62 or 8.5.78, which closes the attack vector on Tomcat’s side.
- If your organization uses any kind of WAF, add rules that filter the strings “class.”, “Class.”, “.class.” and “.Class.” in inbound traffic, tuned to the traffic of the deployed services.
- You can also apply one of the workarounds published on the official Spring website.
- Read more on Spring4Shell mitigation here.
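As an added example (not Payatu's code and not part of the original post), the following Python script applies the conditions listed under "Should I be worried?" and the WAF strings above to constructed sample data. The version strings, host details and Tomcat access-log lines are made up for illustration; the marker matching runs on URL-decoded parameter names so an encoded dot does not slip past.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Case-sensitive strings the advisory recommends filtering at the WAF
WAF_MARKERS = ("class.", "Class.", ".class.", ".Class.")
# First fixed release per maintained branch; branches before 5.2 received no fix
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
# Constructed Tomcat access-log lines (not real traffic); lines 2 and 3 carry a marker
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Mar/2022:10:00:01 +0000] "GET /app/login?user=bob&lang=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [31/Mar/2022:10:00:07 +0000] "GET /app/login?class.module.classLoader.x=y HTTP/1.1" 200 12',
    '10.0.0.9 - - [31/Mar/2022:10:00:09 +0000] "GET /app/login?Class%2Emodule=1 HTTP/1.1" 200 12',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/')

def parse_version(text):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]\S*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g) for g in m.groups())

def spring_version_vulnerable(text):
    """True for 5.3.0-5.3.17, 5.2.0-5.2.19 and every older branch."""
    v = parse_version(text)
    if v[:2] in FIXED:
        return v < FIXED[v[:2]]
    return v[:2] < (5, 2)

def spring4shell_exposed(spring_version, jdk_major, container, packaging):
    """True only when every condition under 'Should I be worried?' holds at once."""
    return (spring_version_vulnerable(spring_version) and jdk_major >= 9
            and container.lower() == "tomcat" and packaging.lower() == "war")

def flagged_params(url):
    """Parameter names carrying a WAF marker; names are URL-decoded first so %2E does not slip past."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if any(marker in name for marker in WAF_MARKERS)]

def scan_access_log(lines):
    """Map line number -> flagged names. Access logs show only the query string,
    so POST bodies must be inspected at the WAF or via request logging."""
    hits = {}
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and (names := flagged_params(m.group(1))):
            hits[no] = names
    return hits
```

`spring4shell_exposed("5.3.17", 11, "Tomcat", "war")` returns True, while the same host packaged as an executable JAR or running JDK 8 returns False; `scan_access_log(SAMPLE_LOG)` flags lines 2 and 3 only.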
Payatu is a research-powered, CERT-In empaneled cybersecurity consulting company specializing in security assessments of IoT product ecosystems, web applications and networks, with a proven track record of securing applications and infrastructure for customers across 20+ countries.