By security practitioners, for security practitioners novacoast federal | Apex Program | novacoast | about innovate
By security practitioners, for security practitioners

Spring4Shell Zero-Day RCE Affects VMWare’s Java Application Framework

MARCH 31, 2022 23:35 GMT

A zero-day remote code execution vulnerability (CVE-2022-22965) has been discovered in the Spring Core module of the Spring Framework for Java application development after POC code was prematurely released by a researcher. Administrators are urged to update Spring Framework to the fixed version or perform a workaround to mitigate risk.

It should be noted that this is a critical vulnerability not to be confused with another Spring vulnerability (CVE-2022-22963) from the day prior. That vulnerability affects Spring Cloud Function, not Spring Framework.

The situation is evolving and updates will be appended to the top of this advisory.

Background/Vulnerability

The Spring Framework is developed by Spring, a subsidiary of VMWare. It is a Java application framework that allows rapid development and deployment of enterprise applications structured for modern cloud and microservice architectures. It is packaged with several VMWare products to complement their virtualization/containerization model.

On March 30, 2022, a Chinese-speaking researcher published a GitHub commit that contained proof-of-concept exploit code targeting a zero-day vulnerability in the Spring Core module of the Spring Framework. The commit has since been deleted, presumably because it was considered irresponsible to release vulnerability specifics prior to allowing Spring adequate time to publish a fix.

The exploit has been dubbed Spring4Shell in an unavoidable comparison to the other most recent Java library vulnerability: Log4Shell.

Technical Detail

There is little in the way of published technical detail at the time of this writing. VMWare states that the vulnerability is a RCE via data binding which requires the application to run on Tomcat as a WAR deployment.

If the application is deployed as a Spring Boot executable JAR, which is the default, it is not vulnerable to the exploit. However, the nature of the vulnerability itself is very general and potentially susceptible to other similar exploits.

From Rapid7 research, “The vulnerability appears to affect functions that use the @RequestMapping annotation and POJO (Plain Old Java Object) parameters.” It then demonstrates how a web shell can be dropped via a single Curl request.

Which versions are vulnerable?

In the case of Spring4Shell, vulnerability depends on configuration and some specific conditions. The known risk varies according to information found on the Rapid7 blog post.

Prerequisites for the exploit:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

Combinations of varying vulnerability:

  • Unpatched Spring (prior to 5.2.20)  AND JDK 9+ = Maybe vulnerable.
  • Unpatched Spring AND JDK 9+ AND Are using @request Mapping annotation AND Pojo perams = Definitely vulnerable.
  • Unpatched Spring AND JDK 9+ AND Are using @request Mapping annotation AND Pojo perams AND running Apache Tomcat = Highly Vulnerable with POCs available.

How to fix?

Spring has already released patched versions 2.6.6 and 2.5.12. The best mitigation is to simply update to the fixed version.

For some environments, upgrade may not be trivial, so there are some workarounds detailed in the official Spring advisory.

Workarounds

See the Spring early advisory section “Suggested Workarounds” to find some ways to mitigate attacks that would leverage this bug. They require adding additional controller functions to sanitize inputs containing certain fields.

Multiple Spring CVEs

There are three CVEs published in the last 3 days—two critical and one medium.

Resources

  1. Spring.io advisory
    https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
  2. Spring4Shell: Zero-Day Vulnerability in Spring Framework
    https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
  3. VMWare advisory CVE-2022-22965
    https://tanzu.vmware.com/security/cve-2022-22965
Previous Post

Critical Remote Code Execution Vulnerability Found in Sophos Firewall Products

Next Post

Weekly Top Ten Cybersecurity Stories– 4.8.2022

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.