The Spring framework has been found to have a Remote Code Execution (RCE) flaw. If exploited successfully, this vulnerability lets an attacker take control of the targeted system. Fortunately, the team behind the framework was able to release a patch to address the flaw.
What makes the Spring4Shell vulnerability (CVE-2022-22965) so dangerous is the leverage it gives to an unauthorized user. It is named Spring4Shell because of its resemblance to the earlier Log4Shell threat, and many researchers believe it could have been worse than Log4Shell. The vulnerability affects Spring framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and other older versions. The patch is available in versions 5.3.18 or later and 5.2.20.
What is the Spring framework?
Spring is a popular application development framework for Java, used by millions of developers across the world. Much of its value comes from it being an open-source platform.
Spring can be used to build websites and applications, and millions of sites on the internet run on the Spring framework, which greatly widens the potential attack surface.
CVE-2022-22965
Do not confuse this vulnerability with another one (CVE-2022-22963) that was disclosed at almost the same time in a component called Spring Cloud Function, which allows code injection through the Spring Expression Language. That vulnerability, found in Spring Cloud Function versions 3.1.6, 3.2.2, and below, does not affect Spring core, whereas Spring4Shell does. Both vulnerabilities, however, can be used for remote code execution.
The Spring4Shell vulnerability, which affects Spring core, allows an attacker to send a custom-built HTTP request that bypasses the security measures in the HTTP request parser and leads to remote code execution. The bug is reached through the getCachedIntrospectionResults method, which an attacker can abuse to gain unauthorized access. When special object classes are bound this way, it creates a risk of data leakage and remote code execution.
This vulnerability is easy for bad actors to exploit if they can find vulnerable versions in a production environment.
Check whether you are vulnerable or not:
You are vulnerable if:
- You are using Spring framework versions 5.3.17 and below, or 5.2.19 and below.
- Your app runs on Java 9+
- You have Apache Tomcat for serving the application
- You built applications as WAR files
- You use form binding with name=value pairs rather than Spring's more common message conversion of JSON/XML
- You don't use an allowlist, or you don't have a denylist that blocks fields like "class", "module", "classLoader"
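A global data-binder denylist of the kind the last item describes, written here as an added example (it is not code from the original article). It mirrors the workaround the Spring team published for applications that cannot upgrade immediately; the class name and package are mine:

```java
package com.example.hardening; // assumed package name

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Registers a denylist on every WebDataBinder so that form fields such as
 * class.module.classLoader.* can never be bound onto a model object.
 *
 * This is a stopgap, not the fix: the real remedy is upgrading to
 * Spring Framework 5.3.18+ / 5.2.20+ as the article states.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // run after application's own @InitBinder methods
public class BinderDenylistAdvice {

    // Patterns cover "class", "Class" and any nested path that reaches them
    // (e.g. "class.module.classLoader.resources.context.parent.pipeline.first").
    private static final String[] DENYLIST = {
            "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void denyClassLoaderFields(WebDataBinder binder) {
        binder.setDisallowedFields(DENYLIST);
    }
}
```

Note that a controller whose own @InitBinder method calls setDisallowedFields replaces this global list rather than merging with it, so such controllers need the same patterns added locally; an explicit setAllowedFields list per form is the stricter alternative.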
Manually checking the entire source code is a laborious process for a development team. A Software Composition Analysis (SCA) tool makes this far easier: it analyzes and manages the open-source elements of your applications.
An SCA tool scans your source code repositories and identifies all the open-source components used to build your application. So, when a new vulnerability comes up, you can immediately verify whether you are using the vulnerable component.
How to mitigate the issue:
There are many PoCs available for the Spring4Shell vulnerability. As this is a new vulnerability, more exploits can be expected in the coming days, and the one thing you need to do to keep your application secure is to stay updated and patch.
How Clear Infosec can help:
Talk to our industry-leading security experts to keep your applications protected. We review your source code, offer much more, and help you integrate security into every layer of your application development cycle.