University of Wisconsin–Madison

Cybersecurity announcement: Java Spring Framework RCE vulnerability

About the event

Spring announced a remote code execution vulnerability in Spring Core, aka Spring4Shell. The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+ and has been assigned CVE-2022-22965.

Actions to consider

Cybersecurity recommends patching your instances of the Spring Core Framework right away. Spring Framework versions 5.3.18 and 5.2.20, which address the vulnerability, are now available, as is Spring Boot 2.5.12, which includes Spring Framework 5.3.18. The Spring engineering team has published walk-throughs for upgrading with Maven or Gradle in the spring.io reference listed below. If you are unable to patch, the same reference provides workarounds. Because the Spring Core framework is so widely used, also watch for update/patch announcements from your software vendors for this vulnerability.

Event impact

The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. Proofs of concept (PoCs) for this vulnerability have been released, and exploitation attempts have been observed in the wild.

The vulnerability can be exploited over HTTP: just like Log4Shell, it only requires an attacker to send a malicious string to a Java app’s HTTP service. These are the requirements for the specific scenario described in the exploit report:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency
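To help sort out which of your own deployments meet these conditions, here is an added triage example (written for this page; it is not code from the advisory authors or from Spring). It lists the Spring jars under a WAR's WEB-INF/lib, applies the fixed versions 5.3.18 and 5.2.20 named above, and combines that with the runtime facts (JDK major version and servlet container) that the archive cannot tell you and that you must supply; the sample entry list is constructed.

```python
import re
import zipfile
from typing import Dict, Iterable, Tuple

# Spring Framework jars as named inside a WAR; tolerates the ".RELEASE" suffix used by 5.2.x.
JAR_RE = re.compile(r"WEB-INF/lib/spring-(webmvc|webflux|core)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

# Constructed sample of a WAR's entry list (what ZipFile.namelist() would return).
SAMPLE_WAR_ENTRIES = [
    "META-INF/MANIFEST.MF",
    "WEB-INF/web.xml",
    "WEB-INF/lib/spring-core-5.3.17.jar",
    "WEB-INF/lib/spring-webmvc-5.3.17.jar",
]


def spring_jars(names: Iterable[str]) -> Dict[str, Tuple[int, int, int]]:
    """Map artifact ('core', 'webmvc', 'webflux') to its version for jars under WEB-INF/lib."""
    found: Dict[str, Tuple[int, int, int]] = {}
    for name in names:
        m = JAR_RE.search(name)
        if m:
            found[m.group(1)] = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return found


def framework_is_patched(version: Tuple[int, int, int]) -> bool:
    """Fixed releases from the advisory: 5.2.20 on the 5.2 line, 5.3.18 otherwise.
    Older lines (5.1.x, 4.x) received no fix, so they compare as unpatched."""
    if version[:2] == (5, 2):
        return version >= (5, 2, 20)
    return version >= (5, 3, 18)


def assess(names: Iterable[str], jdk_major: int, servlet_container: str) -> str:
    """Classify a WAR's exposure; jdk_major/servlet_container describe the runtime it runs on."""
    jars = spring_jars(names)
    web = [jars[a] for a in ("webmvc", "webflux") if a in jars]
    if not web:
        return "not-applicable"        # no Spring MVC / WebFlux dependency
    if framework_is_patched(jars.get("core", web[0])):
        return "patched"
    if jdk_major >= 9 and servlet_container.lower() == "tomcat":
        return "exposed"               # meets every precondition of the public exploit
    return "unpatched"                 # still needs the fix; the known exploit path does not apply


def assess_war(path: str, jdk_major: int, servlet_container: str) -> str:
    """Open a WAR on disk and classify it with assess()."""
    with zipfile.ZipFile(path) as war:
        return assess(war.namelist(), jdk_major, servlet_container)
```

An "unpatched" result still calls for the upgrade: it only means the Tomcat/JDK 9+ preconditions of the published exploit are not met on that host.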

References

Security analysts

  • Vince Abrahamson
  • Jen Kuo
  • Bridget Bartell
  • Allen Monette
  • Michael Ippolito