April 2, 2022 Update:
Arctic Wolf Releases Open Source Spring4Shell Deep Scan Tool to Support the Security Community
Today Arctic Wolf is making “Spring4Shell Deep Scan” publicly available on GitHub.
Spring4Shell Deep Scan Tool runs on Windows, Mac, and Linux systems and can identify known vulnerable versions of the Spring Framework Java class files running within nested JAR, WAR and EAR files.
The Arctic Wolf Spring4Shell Deep Scan Tool is delivered as a script that is a complement, not a replacement, to the other detection sources. This tool is similar to the Log4Shell Deep Scan Tool developed in response to the Log4Shell vulnerability disclosed in December 2021.
On Monday, April 4, Arctic Wolf will host a short Linkedin Live webinar where we will demonstrate the Spring4Shell Deep Scan tool in action and answer the following questions:
- What is the Spring4Shell vulnerability?
- What is the difference between Log4Shell and Spring4Shell?
- Why Arctic Wolf developed the Spring4Shell Deep Scan Tool
- How to use Arctic Wolf’s Spring4Shell Deep Scan to help identify known vulnerable versions of the Spring Framework Java class files
March 31, 2022 Update:
On Thursday, March 31, 2022, Spring published a security advisory confirming Spring4Shell, a remote code execution (RCE) vulnerability in the Spring Framework initially reported Wednesday. In addition to the security advisory, Spring released patches addressing the vulnerability. The vulnerability, now assigned CVE-2022-22965, received a critical severity rating. Notably, the vulnerability impacts not only Spring MVC but also Spring WebFlux applications running JDK 9+.
Arctic Wolf has analyzed the published proof-of-concept exploit for Spring4Shell and has confirmed the exploit works against Java applications that leverage the Spring Framework and meet the following prerequisites:
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
- Running JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as a WAR (in contrast to a Spring Boot executable jar)
- Java application with either the spring-webmvc or spring-webflux dependency
Arctic Wolf is aware of limited scanning for potentially vulnerable applications.
In addition to the security advisory released for Spring4Shell, Spring upgraded the severity of CVE-2022-22963 — an unrelated RCE vulnerability in Spring Cloud Function — from medium to critical on Thursday, March 31. If successfully exploited, the vulnerability could lead to remote code execution and access to local resources in Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions. We have observed multiple PoC exploits shared publicly.
Recommendation #1: Apply Updates for Spring Framework to Relevant Systems
For organizations with their own in-house built Java applications, we recommend checking if the Spring Framework is used and then applying the latest Spring Framework updates and re-deploying the application. This is the only way to remediate CVE-2022-22965.
Recommendation #2: Apply Updates for Spring Cloud Function
We recommend applying the latest security updates for Spring Cloud Function due to the potential for remote code execution. Note: CVE-2022-22963 is a separate vulnerability from Spring4Shell.
Original Post – March 31, 2022
In December 2021, the cybersecurity industry was made aware of CVE-2021-44228, known as Log4Shell, a novel vulnerability in a commonly found software component called Java Log4j. Arctic Wolf extensively covered the Log4Shell vulnerability and gave updates as it got involved.
Today, On March 30, 2022, Arctic Wolf became aware of claims made by the security blog “cyberkendra.com” of a zero-day vulnerability in a popular open-source Java framework called Spring Model-View-Controller (MVC) that could potentially lead to unauthenticated remote code execution (RCE). Spring MVC allows developers to focus on business logic and simplifies the development cycle of Java enterprise applications. Spring Framework and derived framework spring -beans-*.jar files or CachedIntrospectionResults.class
There is no CVE ID for this vulnerability, but it may be called “Spring4Shell” due to the similarities to the Log4Shell vulnerability.
At this point, there are no known patches currently being made available.
What is recommended is organizations review planning and contingencies for rapid identification of assets and patching should a CVE be confirmed.
Spring4Shell Vulnerability Investigation and Response is Ongoing
Arctic Wolf Security Researchers are actively investigating POC exploit code that was made available recently and was claimed to trigger the vulnerability.
There is much yet to be discovered about the Spring4Shell vulnerability and its full impact. As the situation evolves, Arctic Wolf will continue to work alongside customers to mitigate any risks and threats as they become known.
This is a fast-evolving and complicated process, and many companies lack the team or resources to act quickly and mitigate their risks. Arctic Wolf’s Concierge Security Team continues to provide comprehensive threat defense as well as hunt for adversarial activities and deploy new detections on a rapid and continuous basis—advancing security operations and keeping our customers protected.
This blog article will include updates as they become available.
- Cyber Kendra article providing some unconfirmed details around possible zero-day Spring4Shell RCE:
- Complete Spring Framework Reference:
- CVE-2022-22965 Security Advisory: https://tanzu.vmware.com/security/cve-2022-22965
- Spring Framework Announcement: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- Spring Documentation: https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/validation/DataBinder.html
- CVE-2022-22963 Security Advisory: https://tanzu.vmware.com/security/cve-2022-22963
- Cyber Kendra Blog Post: https://www.cyberkendra.com/2022/03/spring4shell-spring-confirmed-rce-in.html