Spring4Shell: Spring Core Remote Code Execution Vulnerability

Keep up to date with latest blog posts

On 30th March 2022, a zero-day vulnerability was discovered in the Spring Core module of the Spring Framework. Spring4Shell is a remote code execution (RCE) via deserialization vulnerability found in Spring Core on JDK9+.

We updated this blog post on April 6th, 2022, and added vendor-specific actionable mitigation signatures.

The vulnerability received the CVE number CVE-2022-22965, and it has a CVSS score of 9.8 (Critical). Users are advised to apply the patches to update the Spring Framework to version 5.3.18 or 5.2.20. Since many Tomcat applications are vulnerable to Spring4Shell attacks, it is also advised to update the Tomcat to version 10.0.20, 9.0.62, or 8.5.78.

Picus Labs has updated the Picus Threat Library with attack simulations for Spring4Shell vulnerability exploitation attacks affecting Spring Core with the JDK version 9 or higher.

Validate your security controls against Spring4Shell exploits


What is Spring4Shell Remote Code Execution Vulnerability?

The Spring framework is one of the most popular frameworks in the Java ecosystem. Remote code execution vulnerability in Spring Core with the JDK version 9 or higher is caused by unsafe deserialization of passed arguments. The vulnerability is named Spring4Shell due to its similarities to Log4Shell, an RCE vulnerability found in Apache Log4j that resulted in mass exploitation in December 2021.

Spring4Shell vulnerability allows attackers to bypass the incomplete patch for the CVE-2010-1622, a 12-year old code injection vulnerability found in the Spring Core Framework.  Spring4Shell is limited to the Spring Framework with certain configurations, and it does not affect every Spring installation. The Spring documentation clearly states that misconfiguring DataBinder functionality may adversely affect security. The current proof of concepts shows that exploitation requires endpoints with DataBinder functionality enabled. The vulnerability is also called CVE-2022-22965, and it has a CVSS score of 9.8 (Critical). Spring Framework should be updated to version 5.3.18 or 5.2.20. Also, updating Tomcat to version 10.0.20, 9.0.62, or 8.5.78 is advised to prevent Spring4Shell attacks.

A different RCE vulnerability (CVE-2022-22963) in the Spring Cloud and a DoS vulnerability (CVE-2022-22950) in the Spring framework confused the security community. However, Spring4Shell and these two vulnerabilities are not related. 

How to Mitigate Spring4Shell RCE Vulnerability? 

Spring4Shell vulnerability enables remote code executions on systems running vulnerable Spring Core versions under certain configurations. Organizations can modify their source code of custom Spring applications and mitigate potential cyber-attacks; however, this mitigation method may not be applicable to third-party applications.

Web Application Firewall (WAF) may be used to mitigate Spring4Shell attacks by deploying a WAF rule that analyzes requests containing “classLoader”. Note that this approach is a short-term solution until a remediating patch is released.

How Picus Helps Simulate Spring4Shell Vulnerability Exploits?

Picus Continuous Security Validation Platform tests your security controls against vulnerability exploitation attacks and suggests related prevention methods. Picus Labs advises you to simulate Spring4Shell vulnerability exploitation attack and determine the effectiveness of your security controls against it.

Threat Name

Spring Framework RCE (Spring4Shell) Vulnerability

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address CVE-2022-22965 Spring4Shell vulnerability exploitation attacks in preventive security controls. A sample signature is given below:

Security Control

Signature IDs

Signature Name

Check Point NGFW

asm_dynamic_prop_AMSN20140307_09

Apache Struts ParametersInterceptor ClassLoader Security Bypass

Check Point NGFW

 

Spring Core Remote Code Execution (CVE-2022-22965)

Citrix Web App Firewall

999004

WEB-MISC Spring4Shell Spring Core Framework - RCE Vulnerability (CVE-2022-22965)

Forcepoint NGFW

 

HTTP_CRL-Spring-Core-Remote-Code-Execution

FortiWeb Web Application Security

90501439

Known Exploits

FortiWeb Web Application Security

50170001

Generic Attacks

FortiWeb Web Application Security

60050053

Generic Attacks(Extended)

FortiGate NGFW

51352

Spring.Framework.SerializationUtils.Insecure.Deserialization

Palo Alto Networks NGFW

92393

Spring Core Remote Code Execution Vulnerability

Palo Alto Networks NGFW

92394

Spring Core Remote Code Execution Vulnerability

Snort IPS

30790 30791 30792 30793

SERVER-WEBAPP Java ClassLoader access attempt

Snort IPS

59416

SERVER-WEBAPP Java getRuntime remote code execution attempt

Cisco Firepower NGFW

30790 30791 30792 30793

SERVER-WEBAPP Java ClassLoader access attempt

Cisco Firepower NGFW

59416

SERVER-WEBAPP Java getRuntime remote code execution attempt

F5 BIG-IP ASM

200104796

Java code injection - class.module.classLoader.resources.context.parent.pipeline (Parameter)

F5 BIG-IP ASM

200104799

Spring Boot template JSP tag injection

F5 BIG-IP ASM

200104797

Java code injection - class.module.classLoader.resources.context.parent.pipeline

F5 BIG-IP ASM

200104263

Java code injection - java.io

ModSecurity

944130

suspicious Java class detected

ModSecurity

944250

Remote Command Execution: Suspicious Java method detected

TippingPoint TPS

13894

HTTP: Apache Struts 2 ClassLoader Security Bypass Vulnerability

Subscribe

Keep up to date with latest blog posts