Spring4Shell: new zero-day discovered - ISH Technology

Spring4Shell: New zero-day discovered

Spring Core is a framework widely used in Java applications that lets developers build Java applications with enterprise-grade components. A new vulnerability affecting this product has been identified, and exploit code and proofs of concept for it are already publicly available on the internet.

SPRING4SHELL - CVE-2022-22965

"Spring4Shell" or "SpringShell" is a vulnerability in the Spring Framework, published on March 30, 2022, as a zero-day that allows Remote Code Execution (RCE). Exploitation depends on an endpoint with DataBinder enabled, which automatically decodes the request body data into objects. This property allows an attacker to leverage Spring4Shell against a vulnerable application.

Requirements for exploiting the vulnerability:

  • JDK 9 or higher;
  • Apache Tomcat as the Servlet container;
  • Packaged as a traditional WAR (as opposed to a Spring Boot executable jar);
  • Dependency spring-webmvc or spring-webflux;
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and older versions.

Conclusion

When faced with a vulnerability that has not yet been patched, it is recommended to follow the instructions provided by the vendor as a way to temporarily mitigate the vulnerability.

Step by step

Step 1

Search the application code base globally for the @InitBinder annotation and check whether dataBinder.setDisallowedFields is called inside the annotated method. If such a call is found, add "class.*", "Class.*", "*.class.*" and "*.Class.*" to the existing block list. (Note: if this pattern occurs in more than one place, the entries must be added at each location, because a controller-local block list overrides the global one.)

Step 2

Create the following global class in the project package and make sure the class is picked up by Spring's component scanning (we recommend adding it to the package where the Controllers are located). After adding the class, recompile, generate a new project package, verify functionality and republish the project.
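The global class Step 2 refers to is not reproduced on this page. The following is an added example reconstructing it along the lines of the workaround Spring published for CVE-2022-22965; it is not code from this page or from ISH Technology. The package name and class name are assumptions.

```java
package com.example.app.web; // assumption: the package that holds the application's Controllers

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Temporary global mitigation for CVE-2022-22965 on an unpatched Spring Framework.
// @ControllerAdvice makes the @InitBinder method below apply to every controller
// that is resolved by Spring MVC, so no endpoint is left with an unrestricted binder.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Reject any request parameter whose property path goes through
        // "class" / "Class" at any depth. Binding such paths is what lets a
        // request reach the ClassLoader via the bound object's getClass().
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

A controller that declares its own @InitBinder method and calls setDisallowedFields there replaces this list for that controller, which is why Step 1 must still be applied to every such method.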

The recommendations given by Spring and other details can be found in the following links:

Warning Notice on the Spring Core / Spring Beans Remote Code Execution 0day Vulnerability

Spring Framework RCE

References

  1. Qualys Blog
  2. Spring.io
