♨️Spring4Shell
Spring MVC or WebFlux applications running on Tomcat as a WAR deployment with JDK 9+
Advisory
The core of the Java-based Spring Framework is vulnerable to remote code execution (CVE-2022-22965); Spring released a patch shortly after the issue became public.
Vulnerable on JDK 9+. The published exploit additionally needs Apache Tomcat as the servlet container and a traditional WAR deployment; a Spring Boot executable jar with embedded Tomcat is not exploitable with the published payload, although the underlying binding issue is more general.
Update (Edited 27.4.22)
As of this update, three related issues are circulating under the Spring4Shell name, with different degrees of severity:
Spring Framework core, CVE-2022-22965, the widely used component and the vulnerability discussed on this page. Fixed in Spring Framework 5.3.18 and 5.2.20 (5.3.19 and 5.2.21 also include the data-binding follow-up fix below) and in Spring Boot 2.6.6 and 2.5.12.
Spring Cloud Function, CVE-2022-22963, a SpEL injection that affects only that library; mitigate by upgrading to 3.1.7+ or 3.2.3+.
Data Binding Rules Vulnerability, CVE-2022-22968, a low-severity follow-up to the suggested workaround: the disallowedFields patterns were matched case-sensitively, so a pattern such as class.* did not cover Class.* or CLASS.*. Fixed in Spring Framework 5.3.19 and 5.2.21.
Premise
Over the last few days, rumours and proof-of-concept exploits targeting the Java Spring framework have emerged.
There are currently two confirmed exploits, affecting Spring Framework core and Spring Cloud Function.
Spring Cloud Function CVE-2022-22963 has been confirmed, although it is less severe (mitigation: update to 3.1.7+ or 3.2.3+).
The "Spring4Shell" exploit is confirmed to leverage class injection: request parameters whose names walk from a bound object's class property to its class loader.
Spring4Shell Technique
A Spring MVC controller binds request parameters onto the fields of the handler method's model object (the form bean).
The vulnerability resides in how that data binding resolves nested property paths during binding: each dot-separated segment of a parameter name becomes a getter call on the previous result.
The payload's parameter names start at the bound object's class property (Object.getClass()) and, on JDK 9+, continue through the module property that Class gained in that release (Class.getModule()) to its classLoader. Spring's old deny list only blocked class.classLoader and class.protectionDomain, so class.module.classLoader slips past it. From Tomcat's web-application class loader the path reaches container internals, and the attacker overwrites the server's properties to obtain remote code execution.
POC
Consider the following code, which maps the request onto a model object.
The payload is interpreted as property paths on that object, and its values are injected:
The parameters tell Tomcat, through the properties of its access-log valve reached via the class loader, to write a file named shell.jsp whose contents read a cmd parameter and execute its value as a command.
After exploitation a webshell has been created through this class injection. We can then access the URL to execute remote commands:
Mitigation strategy
There are several ways to mitigate the vulnerability. The recommended one is to upgrade all affected dependencies to their latest versions.
1. Upgrade Apache Tomcat to 10.0.20, 9.0.62 or 8.5.78, which blocks the published exploit chain from Tomcat's side (this hardens the container only; the Spring binding issue itself remains).
2. Upgrade Spring Framework through Maven:
or Gradle:
3. In some edge cases upgrading is difficult or not yet possible. For these cases a "patch" can be applied that blocks the dangerous parameter names in the binding process and prevents the exploit: a @ControllerAdvice with an @InitBinder method that calls setDisallowedFields on the WebDataBinder with the patterns class.*, Class.*, *.class.* and *.Class.*. This is the workaround method; if it is necessary to apply it, also consult the Data Binding Rules Vulnerability post here: CVE-2022-22968 (the patterns must cover every letter case, and a controller that sets its own disallowed fields replaces the global list and must repeat them).
Additional updates will be added here as more mitigations become available.
Log detection
If applicable, check the logs for requests whose parameter names contain the payload strings (URL-decode the request line first, since the exploit paths are usually percent-encoded):
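An added example of that check (not code from the original post): a scan over Tomcat-style access-log lines for the property-path prefixes the public CVE-2022-22965 exploit sends as parameter names, with percent-decoding so encoded variants are not missed. The log lines in main() are constructed samples, and the indicator pattern is the author-of-this-example's choice rather than a list from the original page.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not code from the original post. Requires JDK 10+ for
// URLDecoder.decode(String, Charset). The sample log lines in main() are constructed.
public class Spring4ShellLogScan {

    // Paths that reach the class loader through the "class" property (the old blocked chains and the
    // JDK 9+ bypass), plus the Tomcat access-log-valve properties the published payload sets.
    static final Pattern INDICATOR = Pattern.compile(
            "(?i)class\\.(module\\.)?classLoader"
          + "|class\\.protectionDomain"
          + "|pipeline\\.first\\.(pattern|suffix|directory|prefix|fileDateFormat)");

    // Access logs keep the request line percent-encoded; decode it so %63lass.module... is not missed.
    // A malformed percent sequence falls back to the raw text instead of aborting the scan.
    static String decode(String s) {
        try {
            return URLDecoder.decode(s, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return s;
        }
    }

    // Check the raw line, the decoded line and a second decoding (attackers sometimes double-encode).
    public static boolean isSuspicious(String line) {
        String once = decode(line);
        return INDICATOR.matcher(line).find()
            || INDICATOR.matcher(once).find()
            || INDICATOR.matcher(decode(once)).find();
    }

    public static List<String> scan(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            if (isSuspicious(line)) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines in Tomcat's common access-log format.
        List<String> sample = List.of(
            "10.0.0.5 - - [31/Mar/2022:10:01:02 +0000] \"GET /login?user=bob HTTP/1.1\" 200 512",
            "10.0.0.9 - - [31/Mar/2022:10:01:07 +0000] \"GET /?class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1\" 200 0",
            "10.0.0.9 - - [31/Mar/2022:10:01:08 +0000] \"GET /?%63lass.module.%63lassLoader.resources.context.parent.pipeline%2Efirst%2Edirectory=webapps/ROOT HTTP/1.1\" 200 0",
            "10.0.0.9 - - [31/Mar/2022:10:01:09 +0000] \"POST /greeting HTTP/1.1\" 200 0"
        );
        for (String hit : scan(sample)) {
            System.out.println("SUSPICIOUS: " + hit);
        }
        // The POST line shows the limit of access-log detection: parameters sent in the request body
        // never appear here, so body-level detection needs a WAF, reverse-proxy or request-dump log.
    }
}
```

The second and third sample lines are reported (the third only because of the decoding step); the first and last are not. Treat a hit as an attempt, not a confirmed compromise, and follow it up by checking the webroot for unexpected .jsp files and the access-log valve configuration for changed pattern, suffix, directory or prefix values.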
Resources
https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities
https://github.com/TheGejr/SpringShell
https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
https://www.springcloud.io/post/2022-03/spring-0day-vulnerability/#step-1
https://portswigger.net/daily-swig/spring-cloud-framework-commits-patch-for-code-injection-flaw
https://github.com/craig/SpringCore0day/blob/main/README-english.md
https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html