• Home
  • |
  • Blog
  • |
  • How To Fix Spring4Shell Vulnerability- A Critical Remote Code Execution vulnerability In Spring Framework (CVE-2022-22965)
How to Fix Spring4Shell Vulnerability- A Critical Remote Code Execution vulnerability in Spring Framework CVE-2022-22965(4)

There is another critical vulnerability doubted Spring4Shell is out that could cause severe damage to tonnes of applications. The vulnerability is assigned a CVE ID CVE-2022-22965 a couple of days after making some noise with the leak of Proof of Concept on the internet since 29th Mar 2022. The vulnerability is rated 9.8 out of 10 as per the CVSS scoring system and is considered critical since it allows attackers to perform remote code execution on the JDK version greater or equal to 9.0. Considering its severity, leak of PoC, prevalence, and exploitative nature, it is a must to know information. We created this post to share about the Spring4Shell (CVE-2022-22965) vulnerability for all the readers of thesecmaster.com community. Let’s see How to Fix Spring4Shell Vulnerability- A Critical Remote Code Execution vulnerability in Spring Framework(CVE-2022-22965).

What Is Spring Framework?

Spring Framework is the world’s most popular, lightweight, open-source application development framework for enterprise java. Millions of Java developers use this framework to develop high-performing, easily testable, and reusable code for java applications.

Summary Of Spring4Shell Vulnerability (CVE-2022-22965):

There is a critical unauthenticated Remote Code Execution vulnerability in the Spring Framework (CVE-2022-22965), a popular Java-based web application framework. It is also referred to as SpringShell or Spring4Shell vulnerability.

Spring maintainers say in their publish, “The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to be packaged as a WAR and deployed to Apache Tomcat. This does mean the exploit does not work for Spring Boot with embedded Tomcat. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.”

A Twitter Post About The PoC:

Vulnerability Details:

Associated CVE IDCVE-2022-22965
DescriptionA critical unauthenticated Remote Code Execution vulnerability in the Spring Framework.
Associated ZDI ID
CVSS Score9.8 Critical
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)None
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)Low
Integrity (I)High
availability (a)High

Prerequisites To Exploit Spring4Shell Vulnerability (CVE-2022-22965):

Spring4Shell vulnerability could be exploited with a servlet container for the application and a specially crafted POST request that decodes data from the request body automatically. 

When Spring is deployed to Apache Tomcat, the WebAppClassLoader classloader is accessible, allowing an attacker to call getters and setters to write a malicious JSP file to disk. This could be averted by deploying Spring using the Embedded Tomcat Servlet Container. This time, the classloader will be LaunchedURLClassLoader which has limited access.

Any components that use Spring Framework versions before 5.2.20, 5.3.18, JDK version 9 or higher, and components using @RequestMapping annotation and Plain Old Java Object (POJO) parameters are affected by Spring4Shell Vulnerability. Components running Tomcat with all these conditions are considered the highest risk of exploitation.

These Are The Prerequisites For The Exploit:

  • Spring Framework before v5.2.20 & v5.3.18
  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

How To Test Your Application Is Vulnerable To Spring4Shell Vulnerability (CVE-2022-22965)?

Spring4Shell Vulnerability (CVE-2022-22965) PoC:

Time needed: 30 minutes.

Spring has guide that walks you through the process of Proof of Concept. We have tested this for you and presented the results here for your convenience.

  1. Just for the demonstration purpose, a Hello World application is created which is vulnerable to Spring4Shell vulnerability, packaged the application as a WAR, and deployed to Apache Tomcat. An exploit is created in Python3.

    Application vulnerable to Spring4Shell vulnerability


  2. Run this exploit against the application. The exploit drops a webshell in the Tomcat. Issue this command to run the exploit file.

    # chmod +x exploit.py
    # python3 exploit.py –url http://localhost:8080/helloworld/greeting –file webshell

    Run the Spring4Shell exploit

  3. Pass your commands to the webshell as shone here:

    http://localhost:8080/webshell.jsp?cmd=<command>

    Screenshot from 2022-04-01 21-40-02

How To Verify Your Application Is Vulnerable To Spring4Shell Vulnerability (CVE-2022-22965)?

Check the version of JDK and Spring Framework to verify that your application is vulnerable to the Spring4Shell Vulnerability (CVE-2022-22965). Initial Actions to Take:

  1. Check the version number of JDK: Run the “$ java -version” command to check the JDK version running on your machine. If you see your JDK version is less than or equal to 9.0, then your app is safe. No action is required.
  2. Check for Spring framework usage: Follow these steps only if your project is deployed in the form of a war package. Unzip the war package. Search for springbeans-*.jar or CachedIntrospectionResuLts.class file. For example, spring-beans-5.3.16.jar. Repeat this search process if the project runs directly and independently in the form of a jar package too. If you see the version higher than v5.2.20 & v5.3.18, then your app is safe. No action is required.

How To Fix Spring4Shell Vulnerability- A Critical Remote Code Execution Vulnerability In Spring Framework (CVE-2022-22965)?

  1. Update Spring Framework: Spring maintainers have released the latest versions of Spring Boot 2.6.6 and 2.5.12 that depend on Spring Framework 5.3.18. It is recommended to upgrade Spring Framework vv5.2.20 & v5.3.18 and above to fix the Spring4Shell vulnerability. 
  2. Block in Web Application Firewall: Block these file types “class.*”, “Class.*”, “*.class.*”, and “*.Class.*” in security solutions such as Web Application Firewalls. But, be sure this may affect your other projects.
  1. Other Two Temporary Measures to Take: 
  1. Search the @InitBinder annotation globally in the application to see if the dataBinder.setDisallowedFields method is called in the method body. If the introduction of this code snippet is found, add {“class.*”,”Class.* to the original blacklist “,”*.class.*”, “*.Class.*”}. (Note: If this code snippet is used a lot, it needs to be appended everywhere)
  2. Create the following global class under the project package of the application system, and ensure that this class is loaded by Spring (it is recommended to add it in the package where the Controller is located). After the class is added, the project needs to be recompiled and packaged and tested for functional verification. And republish the project.

We hope this post will help you know How to Fix Spring4Shell Vulnerability- A Critical Remote Code Execution vulnerability in Spring Framework (CVE-2022-22965). Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.