Spring4Shell: Spring Core Remote Code Execution Vulnerability


On 30 March 2022, a zero-day vulnerability in the Spring Core module of the Spring Framework was publicly disclosed. Spring4Shell is a remote code execution (RCE) vulnerability in Spring Core's data binding that is exploitable on JDK 9 or higher.

We updated this blog post on April 6th, 2022, and added vendor-specific actionable mitigation signatures.

The vulnerability received the CVE number CVE-2022-22965, and it has a CVSS score of 9.8 (Critical). Users are advised to update the Spring Framework to version 5.3.18 or 5.2.20, which contain the fix. Because the publicly known exploit depends on Apache Tomcat, Tomcat also shipped hardened releases that close the exploit's path; updating Tomcat to version 10.0.20, 9.0.62, or 8.5.78 is advised as defence in depth, not as a substitute for the Spring update.

Picus Labs has updated the Picus Threat Library with attack simulations for Spring4Shell vulnerability exploitation attacks affecting Spring Core with the JDK version 9 or higher.


What is Spring4Shell Remote Code Execution Vulnerability?

The Spring Framework is one of the most popular frameworks in the Java ecosystem. The remote code execution vulnerability in Spring Core on JDK 9 or higher is not a deserialization bug but a data binding one: when a Spring MVC or Spring WebFlux controller binds request parameters onto a Java object, Spring resolves nested property paths such as `a.b.c` through the object's getters. On JDK 9+, the path `class.module.classLoader` walks from the bound object's Class to its Module (`Class.getModule()` was added in Java 9) and from there to the application ClassLoader, so an attacker who controls request parameters can set properties on the ClassLoader and on the container objects reachable from it. The vulnerability is named Spring4Shell due to its similarities to Log4Shell, an RCE vulnerability found in Apache Log4j that resulted in mass exploitation in December 2021.

Spring4Shell bypasses the incomplete fix for CVE-2010-1622, a 12-year-old class loader manipulation vulnerability in Spring Core. That fix stopped data binding from reaching the `classLoader` property of `Class` (the `class.classLoader` path), but JDK 9 introduced `Class.getModule()`, and `class.module.classLoader` reaches the same ClassLoader through a path the old rule did not cover. Spring4Shell is limited to the Spring Framework under certain configurations and does not affect every Spring installation. According to the Spring project's advisory, the known exploit requires JDK 9 or higher, Apache Tomcat as the servlet container, the application packaged as a traditional WAR and deployed to Tomcat, and a dependency on spring-webmvc or spring-webflux; the Spring documentation also states that misconfiguring DataBinder functionality may adversely affect security, and the current proofs of concept target endpoints that bind request parameters through DataBinder. As noted above, the vulnerability is tracked as CVE-2022-22965 (CVSS 9.8, Critical), the fix is in Spring Framework 5.3.18 and 5.2.20, and updating Tomcat to 10.0.20, 9.0.62, or 8.5.78 is advised in addition.

A different RCE vulnerability (CVE-2022-22963) in Spring Cloud Function and a DoS vulnerability (CVE-2022-22950) in the Spring Framework were disclosed in the same week and confused the security community. However, Spring4Shell is not related to either of these two vulnerabilities.

How to Mitigate the Spring4Shell RCE Vulnerability?

The Spring4Shell vulnerability enables remote code execution on systems running vulnerable Spring Core versions under certain configurations. Organizations that own the source code of a custom Spring application can mitigate it in code: the workaround published by the Spring project is to register a global @ControllerAdvice with an @InitBinder method that adds the patterns "class.*", "Class.*", "*.class.*" and "*.Class.*" to the WebDataBinder's disallowed fields, so that no request parameter can bind through the Class object. This method is not applicable to third-party applications whose code cannot be changed.

A Web Application Firewall (WAF) can be used to mitigate Spring4Shell attacks by deploying a rule that inspects request parameter names for "class.module.classLoader" (or the broader "classLoader" string). Note that a string match is a short-term measure until the patched Spring Framework versions are deployed: it must also cover variants such as the capitalised first segment "Class.module.classLoader", which is why the Spring workaround denylist lists both spellings, and an overly broad match on "classLoader" can block legitimate traffic.
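As an added example (not from the Picus post and not the Spring project's own code), the following single Java file combines the two in-application measures described above: the @InitBinder denylist the Spring project published as its workaround, and a servlet filter that does in the application what the WAF rule does at the edge, rejecting requests whose parameter names contain a "class" or "Class" path segment. It assumes Spring Framework 5.3.x on the javax.servlet API, placed in a package that is component-scanned; the class names are illustrative.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.regex.Pattern;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Illustrative in-application mitigations for CVE-2022-22965 for deployments that cannot
 * be upgraded immediately. Both nested static classes are registered by component scanning.
 */
public class Spring4ShellHardening {

    /**
     * Mitigation 1: the denylist the Spring project published as a workaround.
     * LOWEST_PRECEDENCE makes this advice run after any other global binder setup.
     */
    @ControllerAdvice
    @Order(Ordered.LOWEST_PRECEDENCE)
    public static class BinderControllerAdvice {
        @InitBinder
        public void setDisallowedFields(WebDataBinder dataBinder) {
            String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
            dataBinder.setDisallowedFields(denylist);
        }
    }

    /**
     * Mitigation 2: the in-app analogue of the WAF rule. Any request carrying a parameter
     * whose name has a "class"/"Class" path segment is rejected before reaching a controller.
     */
    @Component
    public static class ClassPropertyParameterFilter extends OncePerRequestFilter {
        // A segment is delimited by the start/end of the name, a dot, or an index bracket, so
        // "class.module.classLoader" and "user.Class.module" match while "classification" does not.
        private static final Pattern CLASS_SEGMENT =
                Pattern.compile("(^|[.\\[\\]])[cC]lass([.\\[]|$)");

        static boolean isSuspicious(String parameterName) {
            return CLASS_SEGMENT.matcher(parameterName).find();
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request,
                                        HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            for (String name : Collections.list(request.getParameterNames())) {
                if (isSuspicious(name)) {
                    logger.warn("Rejected request with suspicious parameter name: " + name);
                    response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
            }
            chain.doFilter(request, response);
        }
    }
}
```

Two caveats. A controller-local @InitBinder method that itself calls setDisallowedFields replaces the list rather than extending it, so any such method must include the same four patterns. The filter only sees query and form parameters that the servlet container parses, so it is a defence-in-depth layer for unpatched deployments, not a replacement for upgrading to Spring Framework 5.3.18 or 5.2.20.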

How Does Picus Help Simulate Spring4Shell Vulnerability Exploits?

The Picus Continuous Security Validation Platform tests your security controls against vulnerability exploitation attacks and suggests related prevention methods. Picus Labs advises you to simulate the Spring4Shell exploitation attack and determine the effectiveness of your security controls against it.

Threat Name: Spring Framework RCE (Spring4Shell) Vulnerability

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address CVE-2022-22965 (Spring4Shell) exploitation attacks in preventive security controls. Sample signatures are given below; note that several vendors reuse older Apache Struts ClassLoader signatures, since those match the same class.module.classLoader manipulation:

Security Control | Signature IDs | Signature Name
Check Point NGFW | asm_dynamic_prop_AMSN20140307_09 | Apache Struts ParametersInterceptor ClassLoader Security Bypass
Check Point NGFW | | Spring Core Remote Code Execution (CVE-2022-22965)
Citrix Web App Firewall | 999004 | WEB-MISC Spring4Shell Spring Core Framework - RCE Vulnerability (CVE-2022-22965)
Forcepoint NGFW | | HTTP_CRL-Spring-Core-Remote-Code-Execution
FortiWeb Web Application Security | 90501439 | Known Exploits
FortiWeb Web Application Security | 50170001 | Generic Attacks
FortiWeb Web Application Security | 60050053 | Generic Attacks (Extended)
FortiGate NGFW | 51352 | Spring.Framework.SerializationUtils.Insecure.Deserialization
Palo Alto Networks NGFW | 92393 | Spring Core Remote Code Execution Vulnerability
Palo Alto Networks NGFW | 92394 | Spring Core Remote Code Execution Vulnerability
Snort IPS | 30790, 30791, 30792, 30793 | SERVER-WEBAPP Java ClassLoader access attempt
Snort IPS | 59416 | SERVER-WEBAPP Java getRuntime remote code execution attempt
Cisco Firepower NGFW | 30790, 30791, 30792, 30793 | SERVER-WEBAPP Java ClassLoader access attempt
Cisco Firepower NGFW | 59416 | SERVER-WEBAPP Java getRuntime remote code execution attempt
F5 BIG-IP ASM | 200104796 | Java code injection - class.module.classLoader.resources.context.parent.pipeline (Parameter)
F5 BIG-IP ASM | 200104799 | Spring Boot template JSP tag injection
F5 BIG-IP ASM | 200104797 | Java code injection - class.module.classLoader.resources.context.parent.pipeline
F5 BIG-IP ASM | 200104263 | Java code injection - java.io
ModSecurity | 944130 | Suspicious Java class detected
ModSecurity | 944250 | Remote Command Execution: Suspicious Java method detected
TippingPoint TPS | 13894 | HTTP: Apache Struts 2 ClassLoader Security Bypass Vulnerability