On March 30, 2022, a zero-day vulnerability was discovered in the Spring Core module of the Spring Framework. Spring4Shell is a remote code execution (RCE) vulnerability, exploitable via deserialization, found in Spring Core on JDK 9 and later.
We updated this blog post on April 6th, 2022, and added vendor-specific actionable mitigation signatures.
The vulnerability received the CVE number CVE-2022-22965, and it has a CVSS score of 9.8 (Critical). Users are advised to apply the patches and update the Spring Framework to version 5.3.18 or 5.2.20. Since many Tomcat applications are vulnerable to Spring4Shell attacks, it is also advised to update Tomcat to version 10.0.20, 9.0.62, or 8.5.78.
Picus Labs has updated the Picus Threat Library with attack simulations for attacks that exploit the Spring4Shell vulnerability in Spring Core on JDK version 9 or higher.
What is the Spring4Shell Remote Code Execution Vulnerability?
The Spring Framework is one of the most popular frameworks in the Java ecosystem. The remote code execution vulnerability in Spring Core on JDK version 9 or higher is caused by unsafe deserialization of passed arguments. The vulnerability is named Spring4Shell because of its similarities to Log4Shell, an RCE vulnerability in Apache Log4j that resulted in mass exploitation in December 2021.
The Spring4Shell vulnerability allows attackers to bypass the incomplete patch for CVE-2010-1622, a 12-year-old code injection vulnerability in the Spring Core Framework. Spring4Shell is limited to the Spring Framework under certain configurations and does not affect every Spring installation. The Spring documentation clearly states that misconfiguring DataBinder functionality may adversely affect security, and the current proofs of concept show that exploitation requires endpoints with DataBinder functionality enabled. The vulnerability is tracked as CVE-2022-22965 and has a CVSS score of 9.8 (Critical). The Spring Framework should be updated to version 5.3.18 or 5.2.20. Updating Tomcat to version 10.0.20, 9.0.62, or 8.5.78 is also advised to prevent Spring4Shell attacks.
A different RCE vulnerability (CVE-2022-22963) in Spring Cloud and a DoS vulnerability (CVE-2022-22950) in the Spring Framework caused confusion in the security community. However, Spring4Shell is not related to either of these two vulnerabilities.
How to Mitigate the Spring4Shell RCE Vulnerability?
The Spring4Shell vulnerability enables remote code execution on systems running vulnerable Spring Core versions under certain configurations. Organizations can modify the source code of their custom Spring applications to mitigate potential cyber-attacks; however, this mitigation method may not be applicable to third-party applications.
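As an added example that is not part of the original post, this is the kind of source-level change the paragraph refers to: a global @ControllerAdvice that registers a disallowed-field denylist on every WebDataBinder, following the workaround Spring published in its advisory for applications that cannot upgrade immediately. The class name is an assumption; @ControllerAdvice, @InitBinder and WebDataBinder.setDisallowedFields are existing Spring Framework API.

```java
// Added example, not code from the original post. The class name is an
// assumption; the annotations and setDisallowedFields are real Spring API.
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(10000) // low precedence so more specific binder advice still runs first
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Deny any request parameter whose property path passes through a
        // "class" property, which is how the binder gets steered into
        // ClassLoader internals. Both capitalisations are listed because
        // bean property paths accept either form.
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Each call to setDisallowedFields replaces the binder's list, so a controller that has its own @InitBinder method setting disallowed fields must include these patterns as well, otherwise that controller loses the protection. This is a workaround for code you control, not a substitute for the 5.3.18 / 5.2.20 upgrade the post recommends.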
A Web Application Firewall (WAF) can be used to mitigate Spring4Shell attacks by deploying a rule that inspects requests containing “classLoader”. Note that this approach is a short-term solution until the remediating patch is applied.
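The WAF rule described above can also be approximated inside the application, or run over recorded request lines during incident review. The following is an added example, not code from the original post or from any vendor, of a small Java check that flags request parameter names whose property path reaches class.module.classLoader (the path that appears in the F5 signature names further down). The class and method names are assumptions, and the request lines are constructed samples, not real traffic.

```java
// Added example, not from the original post. Names are assumptions.
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class ClassLoaderParamCheck {

    // A parameter name that walks "class" -> "module" -> "classLoader" is the
    // hallmark of this attack pattern. Match case-insensitively, since bean
    // property paths tolerate "class" and "Class" alike.
    private static final Pattern SUSPICIOUS = Pattern.compile(
            "(^|\\.)class\\.module\\.classloader(\\.|$)", Pattern.CASE_INSENSITIVE);

    /** Returns the decoded names of suspicious parameters in a raw query or form body. */
    public static List<String> findSuspiciousParams(String rawQuery) {
        List<String> hits = new ArrayList<>();
        if (rawQuery == null || rawQuery.isEmpty()) {
            return hits;
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq >= 0 ? pair.substring(0, eq) : pair;
            // Decode once so percent-encoded dots cannot hide the property path.
            String decoded = URLDecoder.decode(name, StandardCharsets.UTF_8);
            if (SUSPICIOUS.matcher(decoded).find()) {
                hits.add(decoded);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample request lines (method, path and query), not real logs.
        String[] samples = {
            "GET /app/order?id=42&sort=asc",
            "POST /app/order?class.module.classLoader.resources.context.parent.pipeline=x",
            "POST /app/order?Class.Module.ClassLoader.Resources=y",
            "GET /app/order?class%2Emodule%2EclassLoader%2Eresources=z",
        };
        for (String line : samples) {
            int q = line.indexOf('?');
            String query = q >= 0 ? line.substring(q + 1) : "";
            List<String> hits = findSuspiciousParams(query);
            String verdict = hits.isEmpty() ? "allow " : "BLOCK ";
            System.out.println(verdict + line + (hits.isEmpty() ? "" : "  <- " + hits));
        }
    }
}
```

The check looks only at parameter names, which is where the binder property path lives; inspecting values as well would catch more but also raise the false-positive rate on ordinary form data. Treat a hit as a signal to block the request and alert, and pair it with the DataBinder denylist, because a name-based filter is only as good as the encodings it normalises.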
How Does Picus Help Simulate Spring4Shell Vulnerability Exploits?
The Picus Continuous Security Validation Platform tests your security controls against vulnerability exploitation attacks and suggests related prevention methods. Picus Labs advises you to simulate the Spring4Shell exploitation attack and determine the effectiveness of your security controls against it.
| Threat Name |
| --- |
| Spring Framework RCE (Spring4Shell) Vulnerability |
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures for preventive security controls that address CVE-2022-22965 (Spring4Shell) exploitation attacks. Sample signatures are given below:
| Security Control | Signature IDs | Signature Name |
| --- | --- | --- |
| Check Point NGFW | asm_dynamic_prop_AMSN20140307_09 | Apache Struts ParametersInterceptor ClassLoader Security Bypass |
| Check Point NGFW | Spring Core Remote Code Execution (CVE-2022-22965) | |
| Citrix Web App Firewall | 999004 | WEB-MISC Spring4Shell Spring Core Framework - RCE Vulnerability (CVE-2022-22965) |
| Forcepoint NGFW | HTTP_CRL-Spring-Core-Remote-Code-Execution | |
| FortiWeb Web Application Security | 90501439 | Known Exploits |
| FortiWeb Web Application Security | 50170001 | Generic Attacks |
| FortiWeb Web Application Security | 60050053 | Generic Attacks(Extended) |
| FortiGate NGFW | 51352 | Spring.Framework.SerializationUtils.Insecure.Deserialization |
| Palo Alto Networks NGFW | 92393 | Spring Core Remote Code Execution Vulnerability |
| Palo Alto Networks NGFW | 92394 | Spring Core Remote Code Execution Vulnerability |
| Snort IPS | 30790, 30791, 30792, 30793 | SERVER-WEBAPP Java ClassLoader access attempt |
| Snort IPS | 59416 | SERVER-WEBAPP Java getRuntime remote code execution attempt |
| Cisco Firepower NGFW | 30790, 30791, 30792, 30793 | SERVER-WEBAPP Java ClassLoader access attempt |
| Cisco Firepower NGFW | 59416 | SERVER-WEBAPP Java getRuntime remote code execution attempt |
| F5 BIG-IP ASM | 200104796 | Java code injection - class.module.classLoader.resources.context.parent.pipeline (Parameter) |
| F5 BIG-IP ASM | 200104799 | Spring Boot template JSP tag injection |
| F5 BIG-IP ASM | 200104797 | Java code injection - class.module.classLoader.resources.context.parent.pipeline |
| F5 BIG-IP ASM | 200104263 | Java code injection - java.io |
| ModSecurity | 944130 | Suspicious Java class detected |
| ModSecurity | 944250 | Remote Command Execution: Suspicious Java method detected |
| TippingPoint TPS | 13894 | HTTP: Apache Struts 2 ClassLoader Security Bypass Vulnerability |