Spring4shell Explained


April 13, 2022
Last Updated: January 3, 2024

Spring4shell (CVE-2022-22965) Explained:

On March 30, 2022, a security researcher published proof-of-concept exploit code targeting a zero-day vulnerability in the Spring Core module of the Spring Framework that allows unauthenticated remote code execution (RCE).

The Spring4Shell vulnerability was found in the Spring Framework, a very common open-source application framework for the Java platform with enterprise-focused features. Its initial release was on October 1, 2002. At the time of this publication, the main repository has over 33.2k forks and 46.9k stars on GitHub. Applications built on it can be deployed on servers such as Apache Tomcat, or as stand-alone packages that bundle all the required dependencies.

The Spring4Shell vulnerability has been assigned CVE-2022-22965. It allows remote code execution because the fix for the earlier CVE-2010-1622 can be bypassed.

As Cynet is aware of emerging threats and vulnerabilities, we’ve confirmed that the Cynet360 platform is not affected by the Spring4Shell vulnerability or any of its components.

Some may be confusing this vulnerability with the Spring Cloud Function vulnerability (CVE-2022-22963), which was disclosed on March 29. An additional vulnerability which was disclosed this week is Spring Expression DoS Vulnerability (CVE-2022-22950). Both vulnerabilities were patched immediately, and they have no relation to the current Spring4Shell vulnerability.


Exploitation

The currently known way of exploitation (based on a technique from 2014) requires several preconditions to succeed (according to VMware):

  • Java Development Kit (JDK) 9 or above
  • Apache Tomcat as the servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions before 5.2.20, 5.3.18

The exploit abuses the fact that when a Spring application is deployed as a “.war” on Tomcat, the `WebAppClassLoader` exposes accessible getters and setters. The exploit uses these setters so that:

  • the logging pattern is assigned the desired web shell content;
  • the extension (“suffix”) of the log file is changed to .jsp (JavaServer Pages); and
  • the log directory is changed to the web root, making the resulting web shell easy to reach over HTTP.

Unlike Log4Shell, where attackers needed to find a vulnerable parameter that would be logged, here an attacker only needs to find an endpoint that uses the @RequestMapping annotation and binds request parameters to a Plain Old Java Object (POJO). The object’s methods are irrelevant; only its data members, the parameters bound to them, matter.
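As an added example (not code from this article or from the Spring project itself), the workaround the Spring team published alongside the patch for applications that cannot upgrade right away: a global `@ControllerAdvice` whose `@InitBinder` refuses to bind any property path that passes through an object’s `class` property, so POJO data binding can no longer reach the class loader’s getters and setters described above. The package and class names are placeholders; upgrading to 5.3.18 / 5.2.20 remains the actual fix.

```java
package com.example.hardening; // placeholder package name

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Registered once and applied to every controller in the application.
// @Order places it after other @ControllerAdvice beans. Note that a controller
// which calls setDisallowedFields in its own @InitBinder replaces this list
// rather than extending it, so such controllers need the same entries locally.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Property paths that must never be populated from request parameters.
    // Both capitalizations are listed because the affected releases match
    // these patterns case-sensitively; "*.class.*" covers nested objects.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void blockClassPropertyBinding(WebDataBinder dataBinder) {
        // A request parameter whose name walks through the bound object's
        // "class" property is now ignored by the binder instead of being
        // followed into the servlet container's class loader.
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

Rejected bindings are recorded as field errors on the binder, so the normal validation error handling will surface attempts without exposing the setters.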

Remediation

As of March 31, 2022, Spring Framework versions 5.3.18 and 5.2.20 have been released to address CVE-2022-22965 (Spring4Shell).

Cynet Protection

Cynet continues to monitor the Spring4Shell vulnerability and will give updates on any developments and measures that need to be taken to mitigate the threat caused by it.

Our research group is also working around the clock to add detection logic and capabilities against this vulnerability.

Cynet customers should enable the following settings to protect against this vulnerability:

  • Memory Patterns
  • Antivirus
  • File Operation Protection – as of Cynet version 4.5

Customers aligned with Cynet’s Best Protection Practices already have these settings enabled and no additional action is required.

The CyOps team is available 24/7 for any question or concern and will gladly assist with timely resolution to any issue.
