Important Updates on Spring4Shell Vulnerability

April 2, 2022 Update: 

Arctic Wolf Releases Open Source Spring4Shell Deep Scan Tool to Support the Security Community 

Today Arctic Wolf is making “Spring4Shell Deep Scan” publicly available on GitHub.  

Spring4Shell Deep Scan Tool runs on Windows, Mac, and Linux systems and can identify known vulnerable versions of the Spring Framework Java class files running within nested JAR, WAR and EAR files. 

Download Spring4Shell Deep Scan 

The Arctic Wolf Spring4Shell Deep Scan Tool is delivered as a script that is a complement, not a replacement, to the other detection sources. This tool is similar to the Log4Shell Deep Scan Tool developed in response to the Log4Shell vulnerability disclosed in December 2021.  

On Monday, April 4, Arctic Wolf will host a short LinkedIn Live webinar where we will demonstrate the Spring4Shell Deep Scan tool in action and answer the following questions: 

  • What is the Spring4Shell vulnerability? 
  • What is the difference between Log4Shell and Spring4Shell? 
  • Why Arctic Wolf developed the Spring4Shell Deep Scan Tool 
  • How to use Arctic Wolf’s Spring4Shell Deep Scan to help identify known vulnerable versions of the Spring Framework Java class files 

Register for the LinkedIn Live webinar: Using Arctic Wolf’s Spring4Shell Open-Source Deep Scan 

March 31, 2022 Update:  

On Thursday, March 31, 2022, Spring published a security advisory confirming Spring4Shell, a remote code execution (RCE) vulnerability in the Spring Framework initially reported Wednesday. In addition to the security advisory, Spring released patches addressing the vulnerability. The vulnerability, now assigned CVE-2022-22965, received a critical severity rating. Notably, the vulnerability impacts not only Spring MVC but also Spring WebFlux applications running JDK 9+.   

Arctic Wolf has analyzed the published proof-of-concept exploit for Spring4Shell and has confirmed the exploit works against Java applications that leverage the Spring Framework and meet the following prerequisites:   

  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions  
  • Running JDK 9 or higher  
  • Apache Tomcat as the Servlet container  
  • Packaged as a WAR (in contrast to a Spring Boot executable jar)  
  • Java application with either the spring-webmvc or spring-webflux dependency  

Arctic Wolf is aware of limited scanning for potentially vulnerable applications.  

In addition to the security advisory released for Spring4Shell, Spring upgraded the severity of CVE-2022-22963 — an unrelated RCE vulnerability in Spring Cloud Function — from medium to critical on Thursday, March 31. If successfully exploited, the vulnerability could lead to remote code execution and access to local resources in Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions. We have observed multiple PoC exploits shared publicly. 

Recommendations 

Recommendation #1: Apply Updates for Spring Framework to Relevant Systems 

For organizations with their own in-house built Java applications, we recommend checking if the Spring Framework is used and then applying the latest Spring Framework updates and re-deploying the application. This is the only way to remediate CVE-2022-22965. 

Vulnerable Version    Upgrade to
5.3.x                 5.3.18+
5.2.x                 5.2.20+
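
The version check behind Recommendation #1, as an added example (not part of the original post and not Arctic Wolf's Spring4Shell Deep Scan tool): it walks nested JAR/WAR/EAR archives and compares spring-beans jar versions against the fixed releases listed above. The function names and the sample EAR are constructed for illustration; a CachedIntrospectionResults.class found outside a versioned spring-beans jar is reported for manual review, and the JDK, Tomcat and packaging prerequisites are not checked.

```python
import io
import re
import zipfile

# Fixed releases from the page's table; 5.3.x/5.2.x below these, and older lines, are flagged.
FIXED = {(5, 3): 18, (5, 2): 20}
BEANS_RE = re.compile(r"spring-beans-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

def is_vulnerable(major, minor, patch):
    """Apply the page's version table to a parsed spring-beans version."""
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    return (major, minor) < (5, 2)  # the page's "and older versions"

def scan_archive(data, path):
    """Walk nested JAR/WAR/EAR bytes; return (location, version, vulnerable) tuples."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # not an archive, or corrupted
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            full = f"{path}!/{name}"
            m = BEANS_RE.search(name)
            if m:
                ver = tuple(int(x) for x in m.groups())
                findings.append((full, ".".join(map(str, ver)), is_vulnerable(*ver)))
            elif name.endswith("CachedIntrospectionResults.class"):
                findings.append((full, None, None))  # repackaged class, version unknown
            elif name.lower().endswith((".jar", ".war", ".ear")):
                findings.extend(scan_archive(zf.read(name), full))
    return findings

def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def sample_ear():
    """Constructed EAR: an outdated WAR, a patched WAR, and a repackaged jar."""
    beans = make_zip({"org/springframework/beans/CachedIntrospectionResults.class": b""})
    return make_zip({"legacy.war": make_zip({"WEB-INF/lib/spring-beans-5.3.17.jar": beans}),
                     "patched.war": make_zip({"WEB-INF/lib/spring-beans-5.3.18.jar": beans}),
                     "lib/shaded-app.jar": beans})

if __name__ == "__main__":
    print(*scan_archive(sample_ear(), "app.ear"), sep="\n")
```

To scan a real deployment artifact, pass its bytes and file name to `scan_archive` in place of the constructed sample.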

 

Recommendation #2: Apply Updates for Spring Cloud Function 

We recommend applying the latest security updates for Spring Cloud Function due to the potential for remote code execution. Note: CVE-2022-22963 is a separate vulnerability from Spring4Shell. 

Vulnerable Version    Upgrade to
3.1.6                 3.1.7
3.2.2                 3.2.3

 

Original Post - March 31, 2022

In December 2021, the cybersecurity industry was made aware of CVE-2021-44228, known as Log4Shell, a novel vulnerability in a commonly found software component called Java Log4j. Arctic Wolf extensively covered the Log4Shell vulnerability and gave updates as it evolved.

Today, on March 30, 2022, Arctic Wolf became aware of claims made by the security blog “cyberkendra.com” of a zero-day vulnerability in a popular open-source Java framework called Spring Model-View-Controller (MVC) that could potentially lead to unauthenticated remote code execution (RCE). Spring MVC allows developers to focus on business logic and simplifies the development cycle of Java enterprise applications. Spring Framework and derived framework spring-beans-*.jar files or CachedIntrospectionResults.class

There is no CVE ID for this vulnerability, but it may be called “Spring4Shell” due to the similarities to the Log4Shell vulnerability.

At this point, no patches are known to be available.

We recommend that organizations review their planning and contingencies for rapid identification of assets and patching should a CVE be confirmed.

Spring4Shell Vulnerability Investigation and Response is Ongoing

Arctic Wolf Security Researchers are actively investigating POC exploit code that was made available recently and was claimed to trigger the vulnerability.

There is much yet to be discovered about the Spring4Shell vulnerability and its full impact. As the situation evolves, Arctic Wolf will continue to work alongside customers to mitigate any risks and threats as they become known. 

This is a fast-evolving and complicated process, and many companies lack the team or resources to act quickly and mitigate their risks. Arctic Wolf’s Concierge Security Team continues to provide comprehensive threat defense as well as hunt for adversarial activities and deploy new detections on a rapid and continuous basis—advancing security operations and keeping our customers protected.

This blog article will include updates as they become available.

About the Author

The Arctic Wolf Threat Research Team actively investigates attacks and vulnerabilities to help our customers detect, mitigate, and respond to them, as well as increase their cybersecurity awareness.
