Spring4Shell: are you at risk?


A newly disclosed zero-day vulnerability in the Spring Framework for Java is drawing the attention of the IT community. With a critical severity rating (CVSS score 9.8 out of 10.0), CVE-2022-22965, nicknamed Spring4Shell, is already being compared to Log4Shell: both are unauthenticated remote code execution flaws, triggered by a single crafted request, in a Java component that a large share of enterprise applications depend on.

According to early assessments, Spring4Shell exposure affected over 16% of organizations worldwide, with Europe the most impacted region at 20% of businesses.

In the first days after the vulnerability was disclosed, more than 37,000 exploitation attempts were recorded.

What is Spring4Shell?

Spring4Shell is a zero-day Remote Code Execution (RCE) vulnerability in the data binding of Spring MVC and Spring WebFlux applications, the mechanism that maps client-supplied request parameters onto the properties of a Java object. On JDK 9 and later the binder can be steered through the class.module.classLoader property chain, which gives an attacker a handle on the application's class loader. The vulnerability is exploited by sending a specially crafted HTTP request to a server running a vulnerable Spring Framework; no authentication is required.
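As an added example (not code from the original post or from Spring), the following Python detector flags requests whose parameter names walk into the class.module.classLoader chain, the binding path the public exploit uses. The access-log lines it scans are constructed for the example, and the 400 status on the probe lines is illustrative only.

```python
"""Flag HTTP requests that try to reach the Spring data binder's
class.module.classLoader property chain, the path the public CVE-2022-22965
exploit abuses. Added example for this article; the log lines below are
constructed, not captured from a real server."""
import re
from urllib.parse import parse_qsl

# Request line and status from an Apache/Nginx "combined" access log.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Parameter *names* (not values) starting with this chain are the indicator.
CHAIN = "class.module.classloader"


def parameter_names(query_or_body: str) -> list:
    """Decode a query string or form body once and return its field names."""
    return [name for name, _ in parse_qsl(query_or_body, keep_blank_values=True)]


def is_spring4shell_attempt(query_or_body: str) -> bool:
    """True if any field name walks into class.module.classLoader.

    The comparison is case-insensitive so capitalised variants are caught too.
    """
    return any(n.lower().startswith(CHAIN) for n in parameter_names(query_or_body))


def scan_access_log(lines):
    """Return (client, method, path, status) for each request carrying the indicator.

    Only the query string is visible in an access log: for POST bodies, feed the
    form body captured by a proxy or WAF to is_spring4shell_attempt() directly.
    """
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if is_spring4shell_attempt(query):
            hits.append((line.split(" ", 1)[0], m.group("method"), path, m.group("status")))
    return hits


# Constructed sample: a normal request, two probes (plain and percent-encoded
# dots) and a POST whose body is not visible in the log.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [31/Mar/2022:10:12:01 +0000] "GET /app/user?name=alice&age=30 HTTP/1.1" 200 512',
    '203.0.113.7 - - [31/Mar/2022:10:12:07 +0000] "GET /app/user?class.module.classLoader.DefaultAssertionStatus=true HTTP/1.1" 400 0',
    '203.0.113.7 - - [31/Mar/2022:10:12:09 +0000] "GET /app/user?Class%2Emodule%2EclassLoader.x=1 HTTP/1.1" 400 0',
    '10.0.0.8 - - [31/Mar/2022:10:12:11 +0000] "POST /app/user HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG_LINES):
        print("possible CVE-2022-22965 probe:", hit)
```

Matching on the parameter name rather than on a full payload keeps the rule stable across exploit variants, since every variant must name the class.module.classLoader chain to reach the class loader, whatever it sets on the far end.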

Exploited software and impacted systems

As we mentioned in December, the majority of enterprise applications are built in Java, and roughly half of all Java applications use the Spring Framework.

Any system running Java Development Kit (JDK) 9.0 or later with Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or an older release is vulnerable. The public exploit additionally requires the application to be deployed as a WAR file on Apache Tomcat with a spring-webmvc or spring-webflux dependency, but Spring warns that the underlying flaw is more general and other exploitation paths may exist, so Spring Boot applications with an embedded container should be upgraded as well.

10 software vendors have confirmed products affected by Spring4Shell:

  • Blueriq
  • BMC Software
  • Cisco
  • JAMF
  • NetApp
  • PTC
  • SAP SE
  • SolarWinds
  • Spring
  • VMware

The vulnerability primarily affects internet-facing applications that accept many direct connections. In practice, attackers use it to write an executable file, such as a web shell, onto the server and then run commands through it.

All IoT devices that run Java with a vulnerable Spring version can be affected too. This also poses a personal risk, because the vulnerability can reach Android- or Windows-based smart-home appliances, and even home cameras, that embed such an application.

How to find devices vulnerable to Spring4Shell

To find affected devices, use the Threat and Vulnerability Management (TVM) functionality of Microsoft Defender for Endpoint. TVM monitors the overall security posture of the company's endpoints and provides real-time insights into detected vulnerabilities. On the Weaknesses page, search for CVE-2022-22965 to list the vulnerable devices.

Read more about Microsoft TVM here.
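Where the Defender sensor is not present on every host, the same check can be made offline from the jars on disk. The following Python script is an added example, not Microsoft's or Spring's tooling: it walks a directory for Spring Framework jars, reads the version from the file name or from MANIFEST.MF, compares it with the affected ranges listed above, and checks the JDK 9+ precondition. The jars scanned in demo() are constructed in a temporary directory and contain only a manifest.

```python
"""Offline check for CVE-2022-22965: locate Spring Framework jars under a
directory and compare their versions with the fixed releases (5.3.18 and
5.2.20), plus the JDK-9-or-later precondition. Added example for this
article, not Spring's or Microsoft's own tooling; the jars scanned in
demo() are constructed in a temporary directory."""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# Artifacts whose version identifies the Spring Framework release in use.
JAR_RE = re.compile(r"^(spring-(?:core|beans|webmvc|webflux))(?:-(\d+\.\d+\.\d+)\S*)?\.jar$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'5.2.19.RELEASE' -> (5, 2, 19); raises ValueError on anything else."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Spring version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable_version(version: str) -> bool:
    """Affected per Spring's advisory: 5.3.0-5.3.17, 5.2.0-5.2.19 and every older branch."""
    v = parse_version(version)
    return v < (5, 2, 20) or (5, 3, 0) <= v < (5, 3, 18)


def jdk_allows_exploit(java_version: str) -> bool:
    """True for JDK 9+, where Class.getModule().getClassLoader() is reachable.

    Accepts 'java -version' style strings such as '1.8.0_312' or '17.0.2'.
    """
    parts = java_version.split(".")
    major = int(parts[1]) if parts[0] == "1" else int(parts[0])
    return major >= 9


def jar_version(jar: Path) -> Optional[str]:
    """Version from the file name, else from MANIFEST.MF Implementation-Version."""
    m = JAR_RE.match(jar.name)
    if m and m.group(2):
        return m.group(2)
    with zipfile.ZipFile(jar) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan(root: Path) -> List[Tuple[str, Optional[str], bool]]:
    """(relative path, version, vulnerable?) for each Spring Framework jar under root."""
    findings = []
    for jar in sorted(root.rglob("spring-*.jar")):
        if not JAR_RE.match(jar.name):
            continue  # e.g. spring-security-*, which does not carry this CVE
        version = jar_version(jar)
        vulnerable = version is not None and is_vulnerable_version(version)
        findings.append((jar.relative_to(root).as_posix(), version, vulnerable))
    return findings


def _write_jar(path: Path, version: Optional[str]) -> None:
    """Constructed stand-in for a real jar: a zip holding only a manifest."""
    path.parent.mkdir(parents=True, exist_ok=True)
    body = "Manifest-Version: 1.0\n"
    if version:
        body += f"Implementation-Version: {version}\n"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", body)


def demo() -> List[Tuple[str, Optional[str], bool]]:
    """Build a constructed WEB-INF/lib tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write_jar(root / "WEB-INF/lib/spring-core-5.3.17.jar", None)      # affected
        _write_jar(root / "WEB-INF/lib/spring-beans-5.3.18.jar", None)     # fixed
        _write_jar(root / "legacy/spring-webmvc.jar", "5.2.19.RELEASE")     # version only in manifest
        _write_jar(root / "legacy/spring-security-core-5.6.2.jar", None)    # skipped
        return scan(root)


if __name__ == "__main__":
    for path, version, vulnerable in demo():
        print(f"{path}: {version} -> {'VULNERABLE' if vulnerable else 'ok'}")
    print("JDK 17 meets the JDK 9+ precondition:", jdk_allows_exploit("17.0.2"))
```

On a real host, call scan(Path("/opt/tomcat/webapps")) and pair the result with the output of java -version; a fat jar or WAR that nests jars inside it needs unpacking first, which this script does not do.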

How to mitigate Spring4Shell

The best solution is to patch. Fixed releases are available for CVE-2022-22965: upgrade the Spring Framework to 5.3.18 or later on the 5.3.x line, or to 5.2.20 or later on the 5.2.x line. Spring Boot users should move to 2.6.6 or 2.5.12 or later, which pull in the fixed framework. Apache Tomcat 10.0.20, 9.0.62 and 8.5.78 also close the path used by the public exploit, but that is defence in depth, not a substitute for the framework upgrade. Once the framework patch is applied, no other mitigation is necessary.

If you are unable to patch CVE-2022-22965, you can apply the workaround published by Spring, which denies the dangerous binding paths:

  1. Search the whole application for the @InitBinder annotation and check whether dataBinder.setDisallowedFields is called in the method body. Wherever it is, add {"class.*","Class.*","*.class.*","*.Class.*"} to the existing denylist. (Note: a controller's own @InitBinder overrides the global advice added in step 2, so every such location has to be updated.)

  2. Add the following global @ControllerAdvice class to the package where the controllers are located (or any package scanned for components), then recompile and test the application:

        import org.springframework.core.annotation.Order;
        import org.springframework.web.bind.WebDataBinder;
        import org.springframework.web.bind.annotation.ControllerAdvice;
        import org.springframework.web.bind.annotation.InitBinder;

        // Applies to every controller. @Order(10000) runs this advice late so that
        // other global advice does not replace its settings.
        @ControllerAdvice
        @Order(10000)
        public class GlobalControllerAdvice {

            @InitBinder
            public void setAllowedFields(WebDataBinder dataBinder) {
                // Deny any binding path that walks through "class" or "Class",
                // such as class.module.classLoader, the CVE-2022-22965 vector.
                String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
                dataBinder.setDisallowedFields(denylist);
            }
        }

We’re happy to confirm that all the third-party applications in the Scappman App Store are secure, up to date and not vulnerable to CVE-2022-22965.
