Spring Patched ‘Spring4Shell’ 0-Day RCE Vulnerability

April 3, 2022


In an official advisory, Spring has addressed the ‘Spring4Shell’ remote code execution 0-day vulnerability, clarifying which ‘Spring Framework’ configurations are vulnerable, how to detect impact, and assigning a proper CVE to the vulnerability.

The Vulnerability

  • CVE-2022-22965 (dubbed ‘Spring4Shell’), Critical – A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment.

If the application is deployed as a Spring Boot executable jar (i.e. the default), it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Vulnerable Products

‘Spring Framework’ versions:

  • 5.3.0 to 5.3.17.
  • 5.2.0 to 5.2.19.
  • Older unsupported versions.

Mitigation

For full mitigation, CYREBRO recommends updating to ‘Spring Framework’ 5.3.18 or 5.2.20, or later.

Workaround

If the mitigation steps cannot be applied for any reason, implement one of the linked temporary workarounds below.

References: Spring Advisory.


Spring: 2 RCE Vulnerabilities, 1 Zero-Day

Multiple sources have reported 2 remote code execution vulnerabilities.

One RCE affects ‘Spring Cloud Function’, and the second RCE is a critical zero-day vulnerability dubbed ‘Spring4Shell’, affecting ‘Spring Core’ with JDK version 9.0 or newer, running specific configurations.

Currently, the ‘Spring4Shell’ vulnerability has only a workaround available.

Spring is a subsidiary of VMware. It offers development services through several platforms. ‘Spring Framework’ is an application framework and inversion of control container for the Java platform. ‘Spring Cloud’ is a cloud application development platform.

The Vulnerabilities

  • CVE-2022-22963, Medium Severity – In ‘Spring Cloud Function’ versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL expression as the routing expression, which may result in access to local resources. This vulnerability is exploitable remotely and no privileges are required.
  • Spring4Shell, Critical – In ‘Spring Core’ with JDK 9.0 or newer, and in specific configurations, due to an unsafe deserialization of passed arguments, it is possible to plant a webshell on vulnerable systems using a POST request, which leads to remote code execution.

Affected Products

Products affected by CVE-2022-22963:

  • ‘Spring Cloud Function’ versions 3.1.6, 3.2.2 and older, unsupported versions.

Products affected by Spring4Shell:

  • ‘Spring Core’, with JDK versions 9.0 or newer with ‘DataBinder’ enabled, or other vulnerable configurations that are not yet discovered.

Mitigation

CVE-2022-22963

CYREBRO urges all clients to upgrade ‘Spring Cloud Function’ to versions 3.1.7 or 3.2.3 to fully mitigate the vulnerability.

Workaround for ‘Spring4Shell’

As a temporary workaround for the vulnerability, CYREBRO recommends creating a ‘ControllerAdvice’ component (a Spring component shared across Controllers) and adding the following patterns to its disallowed-fields denylist:

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applies to every controller in the application context.
@ControllerAdvice
// High order value so this advice runs after any other @InitBinder advice;
// keep it in sync with any existing ControllerAdvice ordering in your app.
@Order(10000)
public class BinderControllerAdvice {

    // Runs once per request before request parameters are bound to a handler argument.
    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Reject any request parameter whose property path goes through the
        // bean's Class object ("class" / "Class" at the start or anywhere in the path).
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
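To confirm that the denylist above actually suppresses nested ‘class’ property paths while still binding ordinary fields, the following stand-alone check is an added example (not CYREBRO's or Spring's own code). It assumes spring-core and spring-beans on the classpath and uses the core ‘DataBinder’ rather than ‘WebDataBinder’ so it runs without a servlet container; ‘ProfileForm’ and the parameter names are constructed for the test.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.BindingResult;
import org.springframework.validation.DataBinder;

import java.util.Arrays;

// Hypothetical form-backing bean; "name" is its only bindable property.
class ProfileForm {
    private String name;
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}

public class DenylistCheck {
    // The same patterns the ControllerAdvice workaround registers.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    public static void main(String[] args) {
        ProfileForm target = new ProfileForm();
        // Core DataBinder (assumption: setDisallowedFields behaves the same as on
        // WebDataBinder, which extends it), so no servlet request is needed here.
        DataBinder binder = new DataBinder(target);
        binder.setDisallowedFields(DENYLIST);

        // Constructed request parameters: one legitimate field and two nested
        // paths that try to reach properties through the bean's Class object.
        MutablePropertyValues params = new MutablePropertyValues();
        params.add("name", "alice");
        params.add("class.module.foo", "x");
        params.add("profile.class.bar", "y");

        // Disallowed paths are removed before any property is applied and
        // recorded as suppressed fields on the BindingResult.
        binder.bind(params);
        BindingResult result = binder.getBindingResult();

        System.out.println("bound name: " + target.getName());
        System.out.println("suppressed: " + Arrays.toString(result.getSuppressedFields()));
    }
}
```

With the denylist in place, "name" binds to "alice" and the two ‘class’ paths appear under suppressed fields; removing the `setDisallowedFields` call makes them reach the bean's property accessor instead, which is the behaviour the workaround exists to prevent.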

CYREBRO continues monitoring the vulnerability and will update customers with any relevant developments.

References: VMware advisory, Bleeping Computer
