Recently a vulnerability was discovered affecting two components of the Spring Core Framework: Spring MVC and Spring WebFlux. The vulnerability has been labeled Spring4Shell, similar to the Log4Shell vulnerability that was discovered last year in Apache Log4j.
A zero-day exploit targeting the issue was released on March 29, 2022, and was followed by active attempts at exploitation. Successful exploitation results in remote code execution. While there are specific requirements for exploitation to be possible, it is considered a critical severity issue and has been assigned CVE-2022-22965.
Who is affected?
This vulnerability affects applications utilizing Spring framework versions 5.2.0+ and 5.3.0+ that are running on JDK 9+, including releases of Spring Boot that depend on the vulnerable Spring Framework versions. Currently released exploits are only able to target Apache Tomcat with the application running as a WAR deployment. It’s possible that future exploits could be developed that do not require Apache Tomcat or the application deployed as a WAR.
What is the risk?
Threat actors who are able to successfully exploit the Spring4Shell vulnerability are able to achieve remote code execution by creating a web shell on the application. This web shell allows attackers to execute operating system commands on the underlying server by accessing a JSP page via the web server. Attackers may then use this access to exfiltrate any data stored on the system, as well as pivot to other internal systems.
How do I protect my organization?
It’s recommended that you upgrade all affected installations to Spring Framework versions 5.2.20 or 5.3.18 which have been released to fix the issue.
TrustedSite is able to remotely detect the Spring4Shell vulnerability with our attack surface management platform. If you have any questions about Spring4Shell and how it affects you, please don’t hesitate to reach out.