Update: On March 31, Spring provided official confirmation, and CVE-2022-22965 is now assigned to this vulnerability. The Qualys Research Team released QIDs on March 30 and will keep updating those QIDs as new information becomes available.
On March 30, a new zero-day Remote Code Execution (RCE) vulnerability, “Spring4Shell” or “SpringShell” was disclosed in the Spring framework. An unauthorized attacker can exploit this vulnerability to remotely execute arbitrary code on the target device.
What is Spring Framework?
spring-core is a widely used framework for Java applications that lets software developers build Java applications with enterprise-level components with little effort.
Which versions are vulnerable?
The vulnerability requires JDK version 9 or later to be running. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions are vulnerable. It allows remote attackers to plant a web shell when Spring Framework applications run on top of JRE 9. It is caused by unsafe deserialization of supplied arguments, which a simple HTTP POST request can trigger, allowing full remote access.
How can this be exploited?
The exploitation of this vulnerability relies on an endpoint with DataBinder enabled, which decodes data from the request body automatically. This property could enable an attacker to leverage Spring4Shell against a vulnerable application. In fact, the Spring framework class DataBinder warns about this in documentation:
“Note that there are potential security implications in failing to set an array of allowed fields. In the case of HTTP form POST data, for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases, this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder.”
What are the prerequisites to exploit this vulnerability?
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
- spring-webmvc or spring-webflux dependency
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
Is there a patch available for Spring4Shell?
As of March 30, the vulnerability had neither a patch nor a CVE assigned to it. However, a few temporary fixes are recommended for mitigating or removing the vulnerability.
Also, multiple working proof-of-concept (PoC) exploits are available for Spring4Shell. We strongly recommend that organizations deploy these mitigations or use a third-party firewall for defense.
The Qualys Research Team has released the following authenticated QIDs to address this vulnerability for now. These QIDs will be available starting with vulnsigs version VULNSIGS-2.5.438-3 and in Cloud Agent manifest version LX_MANIFEST-2.5.438.3-2.

| QID | Title | Release | Supported by |
|---|---|---|---|
| 376506 | Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell) | VULNSIGS-2.5.438-3 | Scanner/Cloud Agent |
| 45525 | Spring core or Spring beans jar detected | VULNSIGS-2.5.438-3 | Scanner/Cloud Agent |
| 48209 | Spring Framework and Spring Boot JARs Spring Cloud JARs Detected Scan Utility | VULNSIGS-2.5.444-2 / manifest 2.5.444.2-1 | Scanner/Cloud Agent |
| 376514 | Spring Framework Remote Code Execution (RCE) Vulnerability (Spring4Shell) Scan Utility | VULNSIGS-2.5.444-2 / manifest 2.5.444.2-1 | Scanner/Cloud Agent |
| 730416 | Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell) (Unauthenticated Check) | VULNSIGS-2.5.445-3 | Scanner |
Is this vulnerability related to CVE-2022-22963?
There is some confusion about this zero-day vulnerability because of another, unrelated Spring vulnerability (CVE-2022-22963) published the day before (March 29, 2022). That vulnerability, CVE-2022-22963, affects Spring Cloud Function, which is not part of Spring Framework.
What is the detection logic for QID 376506: Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell)?
QID 376506 is an authenticated check currently supported on Linux and Windows Operating Systems.
On Linux systems, the detection checks whether the system has Java 9 or later and runs ‘locate’ and ‘ls -l /proc/*/fd’ to check whether any of ‘spring-webmvc-*.jar’, ‘spring-webflux*.jar’ or ‘spring-boot.*jar’ is present on the system.
On Windows systems, the detection uses WMI to check whether spring-webmvc, spring-webflux or spring-boot appears on the command line of running processes started with JDK 9 or higher.
Under what situations would QID 376506 not detect the vulnerability?
QID 376506 might not detect the vulnerability if access to /proc/*/fd is restricted, or if the spring-core or spring-beans file is embedded inside another binary, such as a jar or war.
It might also miss the vulnerability if the locate command is not available on the target. Targets running Java versions earlier than 9 are not vulnerable.
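The script below is an added example and is not Qualys's own QID 376506 code. It approximates the Linux detection logic described above (Java 9 or later, then ‘locate’ and ‘ls -l /proc/*/fd’ looking for the spring-webmvc, spring-webflux and spring-boot jars) and goes a step further on the blind spots listed in this section: it falls back to ‘find’ when ‘locate’ is absent, reports explicitly when /proc/*/fd cannot be read instead of returning an empty result, and optionally lists matching jars embedded inside WAR/EAR archives. The pattern ‘spring-boot.*jar’ from the text is taken as the glob spring-boot*.jar, and the archive inspection assumes Info-ZIP ‘unzip’ is installed; both are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Qualys's QID 376506 code): a local approximation of the
# Linux detection logic described above, with its stated blind spots covered.

# Major version from a `java -version` string: "1.8.0_292" -> 8, "11.0.2" -> 11, "17" -> 17.
java_major_version() {
  case "$1" in
    1.*) printf '%s\n' "$1" | cut -d. -f2 ;;                  # legacy 1.x numbering (JDK 8 and older)
    *)   printf '%s\n' "$1" | cut -d. -f1 | cut -d- -f1 ;;     # also strips "-ea" style suffixes
  esac
}

# The jar names QID 376506 looks for ("spring-boot.*jar" read as spring-boot*.jar; assumption).
is_spring_jar() {
  case "$(basename "$1")" in
    spring-webmvc-*.jar|spring-webflux*.jar|spring-boot*.jar) return 0 ;;
    *) return 1 ;;
  esac
}

# Filesystem sweep: `locate` for a whole-system scan when it exists, `find` otherwise
# (or when a sub-tree is given), so a missing locate does not silently yield nothing.
find_spring_jars() {
  root="${1:-/}"
  if [ "$root" = "/" ] && command -v locate >/dev/null 2>&1; then
    locate spring- 2>/dev/null | grep -E 'spring-(webmvc-|webflux|boot)[^/]*\.jar$' || true
  else
    find "$root" -type f \( -name 'spring-webmvc-*.jar' -o -name 'spring-webflux*.jar' \
      -o -name 'spring-boot*.jar' \) 2>/dev/null
  fi
}

# Jars held open by running processes, via the same `ls -l /proc/*/fd` the QID uses.
# Returns 2 when no fd directory is readable, so the caller can tell "nothing" from "blind".
running_spring_jars() {
  listing=$(ls -l /proc/[0-9]*/fd 2>/dev/null) || true
  [ -n "$listing" ] || return 2
  printf '%s\n' "$listing" | awk '/ -> /{print $NF}' | while read -r target; do
    if is_spring_jar "$target"; then printf '%s\n' "$target"; fi
  done | sort -u
}

# Jars embedded inside WAR/EAR archives (the case the QID reports it may miss). Needs unzip.
jars_inside_archives() {
  root="${1:-/}"
  command -v unzip >/dev/null 2>&1 || { echo "unzip not available; archives not inspected" >&2; return 0; }
  find "$root" -type f \( -name '*.war' -o -name '*.ear' \) 2>/dev/null | while read -r archive; do
    unzip -Z1 "$archive" 2>/dev/null | while read -r entry; do
      if is_spring_jar "$entry"; then printf '%s!%s\n' "$archive" "$entry"; fi
    done
  done
}

main() {
  root="${1:-/}"
  ver=$(java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  if [ -z "$ver" ]; then
    echo "java not found on PATH; the JDK 9+ precondition cannot be confirmed"
  elif [ "$(java_major_version "$ver")" -lt 9 ]; then
    echo "java $ver is older than 9: not affected per the prerequisites above"
  else
    echo "java $ver (9 or later): checking for Spring jars under $root"
  fi
  echo "--- on disk:";      find_spring_jars "$root"
  echo "--- in processes:"; running_spring_jars || echo "(cannot read /proc/*/fd; process check is blind)"
  echo "--- in archives:";  jars_inside_archives "$root"
}

# Usage: sh spring4shell_check.sh --scan [root]   (nothing runs when sourced without --scan)
case "${1:-}" in --scan) main "${2:-/}" ;; esac
```

A scan of ‘/’ with the ‘find’ fallback can take a long time on large hosts, which is exactly why the QID prefers ‘locate’; pass a narrower root such as the servlet container's webapps directory when you know where the applications live. Note that a match on disk or in an archive only confirms a vulnerable component is present, not that a DataBinder-backed endpoint is reachable, so treat hits as candidates for patching rather than proof of exploitability.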