Table of Contents
April 1, 2022
|6m
How To Fix Spring4Shell Vulnerability- A Critical Remote Code Execution vulnerability In Spring Framework (CVE-2022-22965)
There is another critical vulnerability doubted Spring4Shell is out that could cause severe damage to tonnes of applications. The vulnerability is assigned a CVE ID CVE-2022-22965 a couple of days after making some noise with the leak of Proof of Concept on the internet since 29th Mar 2022. The vulnerability is rated 9.8 out of 10 as per the CVSS scoring system and is considered critical since it allows attackers to perform remote code execution on the JDK version greater or equal to 9.0. Considering its severity, leak of PoC, prevalence, and exploitative nature, it is a must to know information. We created this post to share about the Spring4Shell (CVE-2022-22965) vulnerability for all the readers of wordpress-755771-2552852.cloudwaysapps.com community. Let’s see How to Fix the Spring4Shell Vulnerability- A Critical Remote Code Execution vulnerability in Spring Framework(CVE-2022-22965).
What Is Spring Framework?
Spring Framework is the world’s most popular, lightweight, open-source application development framework for enterprise java. Millions of Java developers use this framework to develop high-performing, easily testable, and reusable code for java applications.
Summary Of Spring4Shell Vulnerability (CVE-2022-22965):
There is a critical unauthenticated Remote Code Execution vulnerability in the Spring Framework (CVE-2022-22965), a popular Java-based web application framework. It is also referred to as SpringShell or Spring4Shell vulnerability.
Spring maintainers say in their publish, “The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to be packaged as a WAR and deployed to Apache Tomcat. This does mean the exploit does not work for Spring Boot with embedded Tomcat. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.”
A Twitter Post About The PoC:
Vulnerability Details:
| Associated CVE ID | CVE-2022-22965 |
| Description | A critical unauthenticated Remote Code Execution vulnerability in the Spring Framework. |
| Associated ZDI ID | – |
| CVSS Score | 9.8 Critical |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Unchanged |
| Confidentiality (C) | Low |
| Integrity (I) | High |
| availability (a) | High |
Prerequisites To Exploit Spring4Shell Vulnerability (CVE-2022-22965):
Spring4Shell vulnerability could be exploited with a servlet container for the application and a specially crafted POST request that decodes data from the request body automatically.
When Spring is deployed to Apache Tomcat, the WebAppClassLoader classloader is accessible, allowing an attacker to call getters and setters to write a malicious JSP file to disk. This could be averted by deploying Spring using the Embedded Tomcat Servlet Container. This time, the classloader will be LaunchedURLClassLoader which has limited access.
Any components that use Spring Framework versions before 5.2.20, 5.3.18, JDK version 9 or higher, and components using @RequestMapping annotation and Plain Old Java Object (POJO) parameters are affected by Spring4Shell Vulnerability. Components running Tomcat with all these conditions are considered the highest risk of exploitation.
These Are The Prerequisites For The Exploit:
Spring Framework before v5.2.20 & v5.3.18
JDK 9 or higher
Apache Tomcat as the Servlet container
Packaged as WAR
spring-webmvc or spring-webflux dependency
How To Test Your Application Is Vulnerable To Spring4Shell Vulnerability (CVE-2022-22965)?
Spring4Shell Vulnerability (CVE-2022-22965) PoC:
Spring has guide that walks you through the process of Proof of Concept. We have tested this for you and presented the results here for your convenience.
Step 1. Just for demonstration purpose, a Hello World application is created which is vulnerable to Spring4Shell vulnerability, packaged the application as a WAR, and deployed to Apache Tomcat. An exploit is created in Python3.
Step 2. Run this exploit against the application. The exploit drops a webshell in the Tomcat. Issue this command to run the exploit file.
# chmod +x exploit.py
# python3 exploit.py –url http://localhost:8080/helloworld/greeting –file webshell
Step 3. Pass your commands to the webshell as shone here:
http://localhost:8080/webshell.jsp?cmd=<command>
How To Verify Your Application Is Vulnerable To Spring4Shell Vulnerability (CVE-2022-22965)?
Check the version of JDK and Spring Framework to verify that your application is vulnerable to the Spring4Shell Vulnerability (CVE-2022-22965). Initial Actions to Take:
Check the version number of JDK: Run the “$ java -version” command to check the JDK version running on your machine. If you see your JDK version is less than or equal to 9.0, then your app is safe. No action is required.
Check for Spring framework usage: Follow these steps only if your project is deployed in the form of a war package. Unzip the war package. Search for springbeans-*.jar or CachedIntrospectionResuLts.class file. For example, spring-beans-5.3.16.jar. Repeat this search process if the project runs directly and independently in the form of a jar package too. If you see the version higher than v5.2.20 & v5.3.18, then your app is safe. No action is required.
How To Fix Spring4Shell Vulnerability- A Critical Remote Code Execution Vulnerability In Spring Framework (CVE-2022-22965)?
Update Spring Framework: Spring maintainers have released the latest versions of Spring Boot 2.6.6 and 2.5.12 that depend on Spring Framework 5.3.18. It is recommended to upgrade Spring Framework vv5.2.20 & v5.3.18 and above to fix the Spring4Shell vulnerability.
Block in Web Application Firewall: Block these file types “class.*”, “Class.*”, “*.class.*”, and “*.Class.*” in security solutions such as Web Application Firewalls. But, be sure this may affect your other projects.
Other Two Temporary Measures to Take:
Search the @InitBinder annotation globally in the application to see if the dataBinder.setDisallowedFields method is called in the method body. If the introduction of this code snippet is found, add {“class.*”,”Class.* to the original blacklist “,”*.class.*”, “*.Class.*”}. (Note: If this code snippet is used a lot, it needs to be appended everywhere)
Create the following global class under the project package of the application system, and ensure that this class is loaded by Spring (it is recommended to add it in the package where the Controller is located). After the class is added, the project needs to be recompiled and packaged and tested for functional verification. And republish the project.
We hope this post would help you know How to Fix Spring4Shell Vulnerability- A Critical Remote Code Execution vulnerability in Spring Framework (CVE-2022-22965). Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
