Spring4shell – Critical Remote Code Execution in Spring Framework

Introduction

Ever since spring4shell came out in the news, the infosec community has been comparing it to the log4shell that took the internet by storm. Thankfully, it is less severe than log4shell and cannot be exploited everywhere unless certain conditions are met. Spring.io was quick enough to respond to this issue and acknowledge the zero day. Due to its quick actions, patches were released and workarounds were published to protect organizations around the globe.

History

A Chinese speaking researcher took the internet by storm on 30th March 2022 by publishing a github commit containing the PoC for exploitation of a zero day RCE in Spring framework.

People started speculating that this could be the next log4shell. The leaked exploit, which appears to allow unauthorized attackers to execute code on targeted systems, was quickly removed.

![Screenshot of PDF released by Chinese speaking researcher](https://payatu.com/static/images/remoteblogs/aamir.ahmed/spring4shell/exp-chinese.png)
Figure 1. Screenshot of PDF released by Chinese speaking researcher

What is the JAVA spring framework?

SpringCore is an open source application frame as well as an inversion of a control container
with basic functions that can use the basic functionality in Java applications. It is a widely used lightweight library because developers can build reliable applications quickly and effortlessly without having to worry about the deployment environment. More than 500 companies are reported to use spring in a technical stack.

Spring4shell CVE-2022-22965

Few media houses have confused it with CVE-2022-22963 which is a completely different vulnerability. Spring4shell is a remote code execution vulnerability in the Spring framework identified as CVE-2022-22965. The vulnerability influences Spring MVC and Spring WebFlux applications using JDK 9+. The available exploit requires the software to run on Tomcat as a WAR deployment. If the software is deployed as a Spring Boot executable jar, i.e. the default, it is not susceptible to the exploit.

Should I be worried ?

  • You should be worried if your system meets the following requirements:
  • Running JDK 9+
  • Apache Tomcat as the servlet container.
  • Packaged as a traditional WAR and deployed in a standalone Tomcat instance.
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.spring-webmvc or spring-webflux dependency.

Spring4shell PoC

The vulnerability has an impact on functions that use the POJO (Plain Old Java Object) parameters and @RequestMapping annotation. The payload alters the Tomcat server’s logging properties via ClassLoader. The payload simply redirects the logging logic to the ROOT directory and drops the file + payload .

Payload for exploitation

Figure 2. Payload for exploitation

This payload drops a password protected webshell in the Tomcat ROOT directory called tomcatwar.jsp.

Lunasec has published a working PoC for a better understanding of this vulnerability.

You can also get your hands dirty by trying these Labs and PoCs published by Tauheed Khan.

Mitigation

  • Switch to spring framework 5.3.18 or 5.2.20
  • Upgrade to Apache tomcat versions 10.0.20, 9.0.62 or 8.5.78 which closes the attack vector on Tomcat’s side.
  • If your organization uses any kind of WAF, implement rule filtering for strings such as “class.“, “Class.“, “.class.“, and “.Class.” based on the inbound traffic peaks of deployed services.
  • You can also use one of the workarounds published on the official Spring website.
  • Read more on Spring4shell mitigation here.
  • Payatu maintains a series of blogs on different topics related to information security. Visit Payatu blogs to read more.

References

https://tanzu.vmware.com/security/cve-2022-22965

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

https://github.com/tweedge/springcore-0day-en

https://github.com/lunasec-io/Spring4Shell-POC

https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/

https://github.com/cybersecurityworks553/spring4shell-exploit

About Payatu

Payatu is a research-powered, CERT-In empaneled cybersecurity consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.

Want to check the security posture of your organization? Browse through Payatu’s Service and get started with the most effective cybersecurity assessments.

Have any specific requirements in mind? Let us know about them here and someone from our team will get in touch with you.

Subscribe to our Newsletter
Subscription Form
DOWNLOAD THE EBOOK

Fill in your details and get your copy of the ebook in few seconds

Ebook Download
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download ICS Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Cloud Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Code Review Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Red Team Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download DevSecOps Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Product Security Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report

Let’s make cyberspace secure together!

Requirements

Connect Now Form

What our clients are saying!

Trusted by