Spring4Shell & CVE-2022-22963: Analysis & Inventory of Vulnerable Packages With Uptycs

Blog Author: Uptycs Threat Research

A remote code execution vulnerability, CVE-2022-22965, was disclosed on March 29th by a security researcher on Twitter (now deleted). Although its legitimacy was questioned for a few hours, the Spring team soon officially acknowledged the vulnerability. CVE-2022-22965, or Spring4Shell as it is being called, is present in Spring Framework and impacts Spring MVC and Spring WebFlux applications running on JDK 9+. Successful exploitation requires that the web application is packaged as a WAR file and deployed using Apache Tomcat as the servlet container.

 

In this blog post, we will answer frequently asked questions about the Spring4Shell exploit and the similarly timed CVE-2022-22963 vulnerability.

 

Contents

How Does Spring4Shell Work?
Are There Fixes Or Workarounds?
Uptycs Queries For Identifying Boot Packages Vulnerable To Spring4Shell
- Linux
How is CVE-2022-22963 Related to Spring4Shell?
Uptycs Queries For Identifying Boot Packages Vulnerable To CVE-2022-22963
- Linux

How Does Spring4Shell Work?

Web applications that are built on Spring Framework and use the @RequestMapping annotation with POJO (Plain Old Java Object) parameters might be vulnerable to RCE attacks; their owners are advised to upgrade or modify source code as per the suggested workarounds. The publicly available PoCs use Apache Tomcat as the web application server and exploit the vulnerability by modifying the server's logging properties via the ClassLoader.

 

The logging properties are set to write a JSP file on the disk with code for accepting remote commands to be executed on the victim machine. Once the JSP webshell is written on disk, the attacker remotely accesses the JSP file through HTTP requests and performs remote code execution. The initial exploitation attempts can be identified by looking for values like "class" and "classLoader" being set through POST parameters. If the application is deployed as a Spring Boot executable JAR, i.e. the default, it is not vulnerable to the exploit.
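The detection hint above, as an added example (not Uptycs code and not part of the original post): a Python filter that flags request parameter names traversing `class` or `classLoader`, run over constructed sample requests. It goes slightly beyond the text by also checking the query string and percent-encoded or bracketed names; `placeholderProperty` and the request paths are made up.

```python
import re
from urllib.parse import parse_qsl, urlsplit

def _segments(name):
    """Split a property path such as 'a.b[c].d' into lower-cased segments."""
    return [s.lower() for s in re.split(r"[.\[\]]+", name) if s]

def is_binding_traversal(name):
    """True if the parameter name walks into Class or ClassLoader properties."""
    segs = _segments(name)
    if "classloader" in segs:
        return True
    # 'class' followed by a sub-property (class.x or a.class.x); a field that
    # merely ends in 'class' or contains it as a substring is ignored.
    return any(s == "class" for s in segs[:-1])

def suspicious_params(encoded):
    """Return names in a form-encoded string that match is_binding_traversal."""
    # parse_qsl percent-decodes names, so 'class%2EclassLoader' is caught too.
    return [n for n, _ in parse_qsl(encoded, keep_blank_values=True)
            if is_binding_traversal(n)]

def scan(requests):
    """Return (request_no, target, names) for each request with suspicious names."""
    findings = []
    for i, (method, target, body) in enumerate(requests, start=1):
        names = suspicious_params(urlsplit(target).query) + suspicious_params(body)
        if names:
            findings.append((i, target, names))
    return findings

# Constructed sample requests (method, request target, form body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/app/greeting", "name=alice&classification.type=A"),
    ("POST", "/app/greeting", "class.classLoader.placeholderProperty=x"),
    ("POST", "/app/greeting", "user.Class%2EclassLoader.placeholderProperty=x"),
    ("GET", "/app/greeting?class%5BclassLoader%5D.placeholderProperty=x", ""),
    ("POST", "/app/school", "student.class=7B"),
]

if __name__ == "__main__":
    for request_no, target, names in scan(SAMPLE_REQUESTS):
        print(f"request {request_no} {target}: {names}")
```

Matching on whole path segments rather than substrings keeps ordinary fields such as `classification.type` out of the results.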

 

Are There Fixes Or Workarounds?

  • Patched in Spring Framework (containing spring-webflux and spring-mvc packages) versions 5.3.18 and 5.2.20.
  • Patched in Spring Boot in version 2.6.6. (https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now)
  • If an upgrade is not possible in your environment, follow the workarounds suggested in Spring’s vulnerability announcement.

 

Uptycs Queries For Identifying Boot Packages Vulnerable To Spring4Shell

Uptycs defends against such attacks by identifying post-exploitation commands and helps stop attackers from compromising the hosts. The following Uptycs queries can be executed to check for vulnerable Spring Framework and Spring Boot packages in the environment.

Linux:

-- Spring Framework and Spring Boot artifacts below the patched releases
WITH vuln_java_packages AS (
    SELECT system_id,
           artifact_id AS spring_package,
           version     AS spring_package_version
    FROM java_packages
    WHERE system_type IN ('host', 'docker_container', 'containerd_container', 'crio_container')
      AND ( ( ( artifact_id LIKE 'spring-webflux%' OR artifact_id LIKE 'spring-webmvc%' )
              AND ( version LIKE '5.3._'                                  -- 5.3.0 to 5.3.9
                    OR ( version LIKE '5.3.1_' AND version < '5.3.18' )   -- 5.3.10 to 5.3.17
                    OR version LIKE '5.2._'                               -- 5.2.0 to 5.2.9
                    OR version LIKE '5.2.1_' ) )                          -- 5.2.10 to 5.2.19
            OR ( artifact_id LIKE 'spring-boot%'
                 AND ( ( version LIKE '2.6._' AND version < '2.6.6' )     -- 2.6.0 to 2.6.5
                       OR version LIKE '2.5._'
                       OR version LIKE '2.5.10'
                       OR version LIKE '2.5.11' ) ) )
    GROUP BY 1, 2, 3
),
-- Installed Debian packages per system; narrowed to JDK 9-18 in the outer WHERE
vuln_jdks AS (
    SELECT system_id, name, version
    FROM deb_packages
    GROUP BY system_id, name, version
)
SELECT spring_package, spring_package_version
FROM vuln_java_packages a
LEFT OUTER JOIN vuln_jdks b
    ON a.system_id = b.system_id
-- Filtering on columns of b means only systems with a matching JDK package are returned
WHERE ( ( name LIKE 'default-jdk%'
          AND ( version LIKE '%1.9-%' OR version LIKE '%1.10-%' OR version LIKE '%1.11-%' ) )
     OR ( name LIKE 'openjdk-%'
          AND ( version LIKE '9.%'  OR version LIKE '10.%' OR version LIKE '11.%'
             OR version LIKE '12.%' OR version LIKE '13.%' OR version LIKE '14.%'
             OR version LIKE '15.%' OR version LIKE '16.%' OR version LIKE '17.%'
             OR version LIKE '18.%' ) ) )
GROUP BY 1, 2

 

How Is CVE-2022-22963 Related To Spring4Shell?

Another critical RCE vulnerability, in the Spring Cloud Function library, was disclosed on March 29 and has caused confusion: many confused Spring4Shell with CVE-2022-22963 (https://spring.io/security/cve-2022-22965) because the advisories were released at nearly the same time. CVE-2022-22963 is a separate issue in which a user of the routing functionality can provide a specially crafted SpEL expression as a routing-expression, which may result in remote code execution and access to local resources. The vulnerability is fixed in Spring Cloud Function versions 3.1.7 and 3.2.3.

 

Uptycs Queries For Identifying Boot Packages Vulnerable to CVE-2022-22963

Linux:

-- Spring Cloud Function artifacts below the fixed releases 3.1.7 and 3.2.3
SELECT *
FROM java_packages
WHERE system_type IN ('host', 'docker_container', 'containerd_container', 'crio_container')
  AND ( artifact_id LIKE 'spring-cloud-function%'
        OR artifact_id LIKE 'spring-cloud-starter-function%' )
  AND ( version LIKE '1.%'    OR version LIKE '2.%'    OR version LIKE '3.0.%'
     OR version LIKE '3.1.0%' OR version LIKE '3.1.1%' OR version LIKE '3.1.2%'
     OR version LIKE '3.1.3%' OR version LIKE '3.1.4%' OR version LIKE '3.1.5%'
     OR version LIKE '3.1.6%'
     OR version LIKE '3.2.0%' OR version LIKE '3.2.1%' OR version LIKE '3.2.2%' );
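An added example, not part of the original post or of Uptycs' product: the inventory check behind the two queries above, written in Python with numeric version comparison, so that two-digit patch levels and suffixed versions such as `5.2.19.RELEASE` are ordered correctly (as plain strings, `'5.3.9' < '5.3.18'` is false). The fixed versions are the ones named in this post; branches for which the post names no fixed release are returned as `review`, and every sample row is constructed.

```python
import re
# Fixed releases named in this post: artifact prefix -> {(major, minor): first fixed}.
FRAMEWORK = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
CLOUD_FN = {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)}
FIXED = {"spring-webmvc": FRAMEWORK, "spring-webflux": FRAMEWORK,
         "spring-boot": {(2, 6): (2, 6, 6)},
         "spring-cloud-function": CLOUD_FN, "spring-cloud-starter-function": CLOUD_FN}
NEEDS_JDK9 = ("spring-webmvc", "spring-webflux", "spring-boot")  # CVE-2022-22965 only

def parse_version(text):
    """Leading numeric part as a 3-tuple: '5.2.19.RELEASE' -> (5, 2, 19)."""
    nums = re.findall(r"\d+", re.split(r"[^\d.]", text, maxsplit=1)[0])
    return tuple(int(n) for n in (nums + ["0", "0", "0"])[:3])

def jdk_major(java_version):
    """'1.8.0_312' -> 8 (legacy numbering), '11.0.14' -> 11."""
    major, minor, _ = parse_version(java_version)
    return minor if major == 1 else major

def classify(artifact_id, version):
    """Return 'vulnerable', 'patched', 'review' or 'not-applicable'."""
    for prefix, branches in FIXED.items():
        if artifact_id.startswith(prefix):
            v = parse_version(version)
            fixed = branches.get(v[:2])
            if fixed is None:
                return "review"  # the post names no fixed release for this branch
            return "vulnerable" if v < fixed else "patched"  # numeric tuple order
    return "not-applicable"

def triage(rows):
    """Flag (system_id, artifact_id, version, java_version) rows needing action."""
    flagged = []
    for system_id, artifact_id, version, java_version in rows:
        if artifact_id.startswith(NEEDS_JDK9) and jdk_major(java_version) < 9:
            continue  # the post scopes CVE-2022-22965 to JDK 9+
        status = classify(artifact_id, version)
        if status in ("vulnerable", "review"):
            flagged.append((system_id, artifact_id, version, status))
    return flagged

# Constructed inventory rows; system ids and versions are made up for illustration.
SAMPLE_ROWS = [
    ("host-a", "spring-webmvc", "5.3.9", "11.0.14"),
    ("host-a", "spring-webmvc", "5.2.19.RELEASE", "11.0.14"),
    ("host-b", "spring-boot-starter-web", "2.6.4", "1.8.0_312"),
    ("host-c", "spring-cloud-function-context", "3.2.2", "1.8.0_312"),
    ("host-c", "spring-cloud-function-core", "3.0.1", "1.8.0_312"),
]
```

`triage(SAMPLE_ROWS)` skips the Spring Boot row on JDK 8 and flags the other four.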

 
