Cybersecurity Blog | Ingalls Information Security

Cybersecurity Advisory for Spring4Shell & Spring Cloud

Written by Cyrus Robinson | Apr 4, 2022 4:00:00 AM

Spring4Shell:

This new vulnerability was released as a Proof-of-Concept by AntGroup FG Security Lab on March 29, 2022, and it was found to lead to a full compromise of the Java application. The vulnerability stems from improper filtering of a Java class property during HTTP input binding, which may allow potentially dangerous incoming HTTP parameters to be bound as object properties.

This vulnerability, while critically severe, is not quite as severe as the recent Log4j Log4Shell vulnerabilities because successful exploitation requires very specific configurations. In order to exploit this vulnerability, the following requirements must be met:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

This vulnerability affects the functions of the Spring Framework that use RequestMapping and Plain Old Java Object (POJO) parameters. RequestMapping is used to map web requests to specific handler classes and/or methods.

Once a Spring Framework project is compiled and hosted on Tomcat, it is vulnerable to specific HTTP requests (for example, sent with curl) that can modify Tomcat logging properties. A malicious actor can then use this to upload a webshell to the root directory of Tomcat, and that webshell allows arbitrary commands to be run on the breached device.

Spring Cloud:

This vulnerability was released by Tanzu VMware on March 29, 2022, after it was responsibly reported to VMware, and it was found to lead to a full compromise of the entire host machine. An attacker can inject a Spring Expression Language (SpEL) expression into the spring.cloud.function.routing-expression HTTP request header, and the framework then evaluates it using StandardEvaluationContext.


Affected Software / System

This advisory specifically applies to the following:

Spring Framework (Spring4Shell)

  • Versions 5.3.0 to 5.3.17
  • Versions 5.2.0 to 5.2.19
  • Older, unsupported versions still in use.

Spring Cloud Function

  • Version 3.2.2
  • Version 3.1.6
  • Older, unsupported versions still in use.


CVE (if applicable)

  • Spring4Shell - CVE-2022-22965
  • Spring Cloud - CVE-2022-22963


Type

Remote Code Execution (RCE)
CWE-770 Allocation of Resources Without Limits or Throttling
CWE-497 Exposure of System Data to an Unauthorized Control Sphere


Exploit Status

A Proof of Concept has been released for CVE-2022-22963, and it is reported to be currently exploited in the wild.

CVE-2022-22965 has been found to be exploited in the wild after it was released as a Proof of Concept.


Rating

Spring4Shell - CVE-2022-22965
Critical - CVSS 9.8

Spring Cloud - CVE-2022-22963
Medium - CVSS 5.4


Impact

Both exploits can lead to a total compromise of the host or container that executes the injected commands. Further, because Spring Cloud Function is commonly used across cloud workloads, the entire cloud account may be compromised.

Remote Code Execution: Exploitation of the Spring4Shell vulnerability could provide threat actors with remote access to facilitate lateral movement post-exploitation.


Temporary Mitigation

Spring4Shell:

To mitigate CVE-2022-22965, upgrade the Spring Framework:

  • Spring Framework 5.3.x should be upgraded to 5.3.18+
  • Spring Framework 5.2.x should be upgraded to 5.2.20+.

Spring Cloud:

To mitigate CVE-2022-22963:

  • Update affected versions of Spring Cloud Function to 3.1.7 and 3.2.3.

Optional Mitigation: use DataBinder to add the malicious field-name patterns to a denylist.

  • A ControllerAdvice component can be created as a temporary mitigation, which will be shared across all Controllers.
    • As an example, this can be accomplished via the following:

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applies to every @Controller in the application.
@ControllerAdvice
// High order value = low precedence, so this runs after any other @ControllerAdvice @InitBinder methods.
@Order(10000)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Reject any request parameter whose name binds into a "class" property.
        // Patterns use simple '*' wildcards: prefix (class.*), or contained segment (*.class.*).
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
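As an added example (not code from the advisory, from Ingalls, or from Spring), the following Python script applies the same denylist patterns used by the BinderControllerAdvice above to request records as a detection check, re-implementing Spring's simple wildcard rules, and also flags the spring.cloud.function.routing-expression header described in the Spring Cloud section. The request records and the header value are constructed placeholders.

```python
# Added example (not from the advisory): apply the DataBinder denylist patterns to constructed request records.
from urllib.parse import parse_qs, urlsplit

# Same patterns the BinderControllerAdvice above passes to setDisallowedFields.
DENYLIST = ["class.*", "Class.*", "*.class.*", "*.Class.*"]
# Request header abused in CVE-2022-22963 (Spring Cloud Function).
ROUTING_HEADER = "spring.cloud.function.routing-expression"

def simple_match(pattern: str, text: str) -> bool:
    """Port of Spring's simpleMatch rules: xxx*, *xxx, *xxx*, xxx*yyy, else exact match."""
    first = pattern.find("*")
    if first == -1:
        return pattern == text
    if first == 0:
        if len(pattern) == 1:
            return True
        nxt = pattern.find("*", 1)
        if nxt == -1:
            return text.endswith(pattern[1:])
        part = pattern[1:nxt]
        if not part:
            return simple_match(pattern[nxt:], text)
        idx = text.find(part)
        while idx != -1:
            if simple_match(pattern[nxt:], text[idx + len(part):]):
                return True
            idx = text.find(part, idx + 1)
        return False
    return (len(text) >= first and pattern.startswith(text[:first])
            and simple_match(pattern[first:], text[first:]))

def flag_request(record: str) -> list:
    """Findings for one constructed 'METHOD URL | Header: value; ...' record."""
    findings = []
    target, _, headers = record.partition(" | ")
    url = target.split(" ", 1)[1]
    # parse_qs percent-decodes names, so an encoded 'class' segment is still matched.
    for name in parse_qs(urlsplit(url).query, keep_blank_values=True):
        if any(simple_match(p, name) for p in DENYLIST):
            findings.append(f"CVE-2022-22965: parameter {name!r} binds a class property")
    if any(h.strip().lower().startswith(ROUTING_HEADER + ":") for h in headers.split(";")):
        findings.append(f"CVE-2022-22963: {ROUTING_HEADER} header present")
    return findings

SAMPLE_RECORDS = [  # constructed, not real traffic
    "GET /app/profile?name=alice&classification=staff",
    "POST /app/profile?class.module.settings=x&name=bob",
    "POST /app/account?account.Class.name=y",
    "POST /functions/uppercase | spring.cloud.function.routing-expression: <omitted>; Content-Type: text/plain",
]
```

Note that "classification" is not flagged because the prefix pattern requires the dot in "class.", while a parameter nested under a Class property is caught by the contained-segment pattern.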


Ingalls recommends the following actions:

VMware has released newer versions that address these vulnerabilities. It is recommended that these updates be installed immediately.

  • Spring Framework 5.3.x should be upgraded to 5.3.18+
  • Spring Framework 5.2.x should be upgraded to 5.2.20+.
  • Update affected versions of Spring Cloud Function to 3.1.7 and 3.2.3.

While every possible exploitation method has not been identified, the Ingalls SOC has implemented alerting and detections within our MDR client environments for predominant exploitation methods and will continue to monitor and update detections as new information becomes available.


Ingalls is dedicated to protecting your network and your information by providing defense-in-depth security through your Managed Detection & Response (MDR) service. As an added layer of defense, Ingalls now offers monitoring and support by a team of live Security Analysts in our Security Operations Center (SOC) 24 hours a day, every day of the year. ‘Round the clock, MDR provides extended coverage with continuous analysis, response and escalation so you can have the peace of mind that comes from knowing your network is being monitored in real-time even if your business hours have stopped. Please contact us for more information.