Spring released emergency updates to fix the ‘Spring4Shell’ zero-day remote code execution vulnerability, which leaked prematurely online before a patch was released. On March 30, 2022, the security community became widely aware of vulnerabilities related to Spring, the popular open-source Java framework.

What is Spring4Shell?

Spring4Shell is a bug in Spring Core, a popular application framework that allows software developers to quickly and easily develop Java applications with enterprise-level features. These applications can then be deployed on servers, such as Apache Tomcat, as stand-alone packages with all the required dependencies.

The bug allows an unauthenticated attacker to execute arbitrary code on a vulnerable system.

Is Spring4Shell related to CVE-2022-22963?

No. Spring4Shell was assigned CVE-2022-22965. CVE-2022-22963 is a different bug in Spring Cloud Function, which is a separate Java library from Spring Core.

Who is impacted?

Anyone using Spring on Java 9 or newer, especially those deploying on Tomcat. Java 8 does not appear to be vulnerable.

So far, the only confirmed exploit depends on Spring being deployed on Tomcat. However, other vectors may be discovered. We recommend that all Spring users running on Tomcat update.

The two vulnerabilities

1. Spring4Shell – an RCE in Spring Core

This vulnerability, dubbed “Spring4Shell”, leverages class injection leading to a full RCE, and is very severe. The name “Spring4Shell” was picked because Spring Core is a ubiquitous library, similar to Log4j, which spawned the infamous Log4Shell vulnerability.

We believe that users running JDK version 9 and newer are vulnerable to an RCE attack. All versions of Spring Core are impacted.

There are strategies to mitigate the attack, and we believe that not all Spring servers are necessarily vulnerable. We currently recommend that all users apply mitigations or updates if they are using Spring Core.

A CVE has now been published for this vulnerability as CVE-2022-22965.

Note: there is also an unconfirmed deserialization weakness in Spring Core that could potentially lead to an RCE for Spring Core <=5.3.17.

2. RCE in “Spring Cloud Function”

CVE-2022-22963: A confirmed RCE in Spring Cloud Function (<=3.1.6 and <=3.2.2).

If you’re using the Spring Cloud Function library, you must upgrade to 3.1.7+ or 3.2.3+ to prevent an RCE attack.

What is the detection logic for Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell)? 

On Windows systems, detection queries the running processes via WMI and checks whether spring-webmvc, spring-webflux, or spring-boot appears in the command line of a Java process running on JDK 9 or higher.

On Linux systems, detection checks whether the system has Java 9 or later and runs ‘locate’ and ‘ls -l /proc/*/fd’ to check whether one of ‘spring-webmvc-*.jar’, ‘spring-webflux*.jar’ or ‘spring-boot.*jar’ is present on the system.
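The Linux detection logic above as a POSIX shell script; this is an added example and not code from the original advisory or from any vendor's scanner. The helper names (java_major_version, spring_jars_in, assess, scan_host) and the sample inputs are our own; the jar-name patterns follow the text.

```shell
#!/bin/sh
# Added example: Java 9+ plus a Spring MVC / WebFlux / Boot jar open by a
# running process is reported as a candidate for the CVE-2022-22965 update.

# Parse the major version out of `java -version` output.
# "1.8.0_292" -> 8 ; "11.0.2" -> 11 ; "17" -> 17
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
    esac
}

# Given file paths (one per line), print those matching the jar-name
# patterns from the advisory. Exit status 0 if at least one matched.
spring_jars_in() {
    printf '%s\n' "$1" | grep -E 'spring-(webmvc-[^/]*|webflux[^/]*|boot[^/]*)\.jar$'
}

# Combine both signals: exit 0 (vulnerable candidate) only when the Java
# major version is >= 9 AND at least one Spring jar path is present.
assess() {
    major=$(java_major_version "$1")
    [ -n "$major" ] && [ "$major" -ge 9 ] || return 1
    spring_jars_in "$2" >/dev/null
}

# Live host scan: `java -version` plus the symlink targets from /proc/*/fd
# (run as root so every process's descriptors are readable) and locate.
scan_host() {
    jv=$(java -version 2>&1)
    paths=$( { ls -l /proc/[0-9]*/fd 2>/dev/null | awk '{print $NF}'
               locate 'spring-*.jar' 2>/dev/null; } )
    if assess "$jv" "$paths"; then
        echo "Java $(java_major_version "$jv") with Spring jars loaded: review for CVE-2022-22965"
        spring_jars_in "$paths" | sort -u
    else
        echo "No Java 9+ process with Spring MVC/WebFlux/Boot jars detected"
    fi
}
```

Source the file and call scan_host on the host to be checked; the lower-level functions take their input as arguments so they can be exercised offline against captured data.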

Spring4Shell Exploitation:

Mitigation Guidance

Spring has now released Spring Framework 5.3.18 and 5.2.20, which it says address the vulnerability. Spring Boot 2.6.6 and 2.5.12, which depend on Spring Framework 5.3.18, have also been released. If your organization has a web application firewall (WAF) available, profiling any affected Spring-based applications to see what request strings can be used in WAF detection rulesets would help block attempts to exploit this weakness.