Skip to content
Try it Free Request Your Demo
    April 1, 2022

    Spring4Shell and CVE-2022-22963: How They Work and How to Inventory Vulnerable Packages with Uptycs

    A remote code execution vulnerability, CVE-2022-22965, was disclosed on March 29th by a security researcher on Twitter (now deleted). Even though for a few hours there were questions about its legitimacy, the Spring team soon officially acknowledged the vulnerability. The exploit CVE-2022-22965—or Spring4Shell, as it is being called—is present in Spring Framework and impacts Spring MVC and Spring WebFlux applications running on JDK 9+. Successful exploitation requires that the web application is packaged as a WAR file and deployed using Apache Tomcat as the servlet container.

    In this blog post, we will answer frequently asked questions about the Spring4Shell exploit and the similarly timed CVE-2022-22963 vulnerability.

     

    Contents

    How Does Spring4Shell Work?
    Are There Fixes Or Workarounds?
    Uptycs Queries For Identifying Boot Packages Vulnerable To Spring4Shell
    - Linux
    How is CVE-2022-22963 Related to Spring4Shell?
    Uptycs Queries For Identifying Boot Packages Vulnerable To CVE-2022-22963
    - Linux

    How Does Spring4Shell Work?

    Web applications which are built on Spring Framework and use the @RequestMapping annotation along with POJO (Plain Old Java Object) parameters might be vulnerable to RCE attacks and therefore are advised to upgrade or modify source code as per the suggested workarounds. The publicly available PoCs have demonstrated use of Apache Tomcat as the web application server and exploit the vulnerability by modifying the server's logging properties via ClassLoader. The logging properties are set to write a JSP file on the disk with code for accepting remote commands to be executed on the victim machine. Once the JSP webshell is written on disk, the attacker remotely accesses the JSP file through HTTP requests and performs remote code execution. The initial exploitation attempts can be identified by looking for values like "class" and "classLoader" being set through POST parameters. If the application is deployed as a Spring Boot executable JAR, i.e. the default, it is not vulnerable to the exploit.

     

    Are There fixes Or Workarounds?

    • Patched in Spring Framework (containing spring-webflux and spring-mvc packages) versions 5.3.18 and 5.2.20. 
    • Patched in Spring Boot in version 2.6.6. (https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now)
    • If an upgrade is not possible in one's environment, you must follow the workarounds suggested in  Spring’s vulnerability announcement.

     

    Uptycs Queries For Identifying Boot Packages Vulnerable To Spring4Shell

    Uptycs defends against such attacks by identifying post-exploitation commands and helps stop attackers from compromising the hosts. Following Uptycs queries can be executed to check for vulnerable Spring framework and Spring boot packages in the environment. 

    Linux:

    with vuln_java_packages as (
    SELECT system_id, artifact_id as spring_package ,version as spring_package_version
    FROM java_packages
    WHERE system_type IN ( 'host', 'docker_container', 'containerd_container',
                                  'crio_container' )
           AND ( ( ( artifact_id LIKE 'spring-webflux%'
                      OR artifact_id LIKE 'spring-webmvc%' )
                    AND ((version like '5.3._') or (version like '5.3.1_' and version < '5.3.18') or
    (version like '5.2._' or version like '5.2.1_')))
                 or (artifact_id like 'spring-boot%' and ((version like '2.6._' and version < '2.6.6') or
    (version like '2.5._' or version like '2.5.10' or version like '2.5.11'))) )
    group by 1,2,3
    ),
    vuln_jdks as (
    SELECT system_id, NAME, version
    FROM deb_packages
    group by system_id, NAME, version
    ) select spring_package, spring_package_version from
    vuln_java_packages a
    left outer join vuln_jdks b
    on a.system_id = b.system_id
    WHERE ( ( NAME LIKE 'default-jdk%'
    AND ( version LIKE '%1.9-%'
    OR version LIKE '%1.10-%'
    OR version LIKE '%1.11-%' ) )
    OR ( NAME LIKE 'openjdk-%'
    AND ( version LIKE '9.%'
    OR version LIKE '10.%'
    OR version LIKE '11.%'
    OR version LIKE '12.%'
    OR version LIKE '13.%'
    OR version LIKE '14.%'
    OR version LIKE '15.%'
    OR version LIKE '16.%'
    OR version LIKE '17.%'
    OR version LIKE '18.%' ) ) )
    group by 1,2

     

    Fig.1: Results of the query showing vulnerable spring packages

     

    How Is CVE-2022-22963 Related To Spring4Shell?

    Another critical RCE vulnerability in the Spring Cloud Function library was disclosed on March 29, and has created confusion since many confused Spring4Shell with CVE-2022-22963 (https://tanzu.vmware.com/security/cve-2022-22963) due to a similarly timed advisory release. CVE-2022-22963 is a separate issue where a user using routing functionality can provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. The vulnerability is fixed in versions 3.1.7 and 3.2.3 of Spring Cloud Function releases.

     

    Uptycs Queries For Identifying Boot Packages Vulnerable to CVE-2022-22963

    Linux:

    SELECT * FROM java_packages WHERE system_type IN ('host', 'docker_container', 'containerd_container', 'crio_container')
    AND (artifact_id LIKE 'spring-cloud-function%' OR artifact_id LIKE 'spring-cloud-starter-function%') AND
    (version LIKE '1.%' OR version LIKE '2.%' OR version LIKE '3.0.%' OR version LIKE '3.1.0%' OR
    version LIKE '3.1.1%' OR version LIKE '3.1.2%' OR version LIKE '3.1.3%' OR version LIKE '3.1.4%' OR
    version LIKE '3.1.5%' OR version LIKE '3.1.6%' OR version LIKE '3.2.0%' OR version LIKE '3.2.1%' OR version LIKE '3.2.2%');

     

    To learn more about the latest threat research conducted by the Uptycs Team, check out our most recent threat bulletin below. 

    threat bulletin cta image

    Uptycs Threat Research

    Research and updates from the Uptycs Threat Research team.

    Other posts you might be interested in