Spring4Shell RCE a new Vulnerability in Spring Framework via Data Binding
Ransomware Targeted Attacks: CISO Mitigation Playbook
March 22, 2022
Redis sandbox escape affects only Debian, Ubuntu, and other derivatives
April 4, 2022
In the Spring Framework, a new Spring4Shell RCE vulnerability has been discovered and named CVE-2022-22965.
Overview
On March 30, 2022, various websites and technical blogs published information about a new 0-day critical vulnerability affecting the Spring Framework core – an enormously popular open-source application framework for the Java platform used in enterprise applications. Due to its initial perceived similarities with potential attack impact to last year’s Spring4Shell RCE vulnerability, this vulnerability is nicknamed as Spring4Shell.
Spring publicly acknowledged the vulnerability on March 31, 2022, including patch information, more detailed affected criteria, a formal CVE assignment of CVE-2022-22965, and a CVSS score of 9.8. CVE-2022-22965 is a remote code execution (RCE) vulnerability in Spring Core that was discovered to be a workaround that re-exposed a 2010 issue.
The Spring open-source project issued an advisory with remedies for the problem. The alert revealed Spring4Shell RCE vulnerability in the Spring Framework, discovered before the CVE was published. The versions 5.3.18 and 5.2.20 of the Spring Framework, and Spring Boot 2.6.6 and 2.5.12, have been officially released to resolve the issue.
Vulnerability
The software deserializing code, which is the basis of the problem, is used to exploit this type of vulnerability.
Because older versions of Spring allow for Java Reflection, various Remote Code Execution (RCE) issues have been reported in the past, which means that an attacker may poison a payload intended for a Spring application and take over the system. The currently known forms of attacks rely on a function Object () {[native code]} of the DataBinder functionality, which allows malicious entities to load arbitrary classes.
This flaw affects all applications that use Spring Framework, and it affects the most recent versions. Spring is one of the most used Java frameworks, equivalent to Struts in terms of scalability, and the flaw can be exploited on any JDK9 or newer. It bypasses a previously known vulnerability listed as CVE-2010-1622 and has been nicknamed Spring4Shell or SpringShell in some quarters. It impacts every application that uses the Spring Core logging element, as well as anyone who uses Spring, a widely used framework that is comparable in magnitude to Apache Struts.
To exploit the vulnerability, Java Development Kit (JDK) 9 or later must be installed, and if exploited, an unauthenticated actor will be able to execute arbitrary code on the target system.
On JDK 9+, the vulnerability affects Spring MVC and Spring WebFlux apps. The application must operate on Tomcat as a WAR deployment to be exploited. The program is not vulnerable to exploitation if it is deployed as a Spring Boot executable jar, which is the default. The vulnerability’s nature, though, is more generic, and there may be additional ways to exploit it.
Who Is Affected by This?
The following are the requirements for the report’s specific scenario:
- Apache Tomcat as the Servlet container (JDK 9 or above)
- As a typical WAR package (in contrast to a Spring Boot executable jar)
- Dependency on spring-webmvc or spring-webflux
- Versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and previous versions of the Spring Framework
However, the nature of vulnerability is more generic, and there may be other ways to attack it that have to be discovered.
Status
- Spring Framework 5.3.18 and 5.2.20, which include the updates, are now available.
- Spring Boot 2.6.6 and 2.5.12 are now available, and they require Spring Framework 5.3.18.
- The CVE-2022-22965 vulnerability has been made public.
Misconceptions
The decision to deprecate SerializationUtils met with skepticism. There is only one instance of this class in the framework, and it is not exposed to external input. This vulnerability has nothing to do with deprecation. A CVE for Spring Cloud Function was announced soon before the report for this vulnerability caused some misunderstanding. It also has nothing to do with each other.
References
