spring4shell

April 4, 2022

Critical vulnerability in Spring Java framework Spring4shell and how to protect yourself?

he most popular Java framework Spring boot used to create server side apps, appears to be vulnerable to RCE.

RCE is a type of cyberattack that allows an attacker to execute arbitrary code on a remote machine or in a remote process. RCE attacks are often used to take control of a machine or process, and can lead to serious consequences, such as data breaches, data loss, and system downtime.

The vulnerability was found after a set of Tweets showing a new POC exploit on the JAVA library Spring Core.
Immediately referred to as “Spring4Shell” by users online.
On march 31st 2022 the vulnerability named CVE-2022-22965 was added.

Table of Contents

You certainly ask yourself are you vulnerable?

The Spring Versions 5.3.0 to 5.3.17 and 5.2 to 5.2.19 running on JDK9+ are vulnerable. The following code can help you check your library’s version.

import org.springframework.boot.system.JavaVersion;
import org.springframework.boot.system.SystemProperties;
import org.springframework.core.SpringVersion;

public class Application {

	public static void main(String[] args) {
		System.out.println("Spring version: "+getSpringVersion() +" "+ "\nJava Version: "+ getJavaVersion()+" "+ "\nJDKVersion: "+ getJdkVersion());
	
	}
	public static  String getSpringVersion() {
        return SpringVersion.getVersion();
    }
    
    public static  String getJavaVersion() {
        return JavaVersion.getJavaVersion().toString();
    }
    
    public static  String getJdkVersion() {
        return SystemProperties.get("java.version");

    }
}

During the test, we used the new version of Spring framework, this is the output of the code:

Spring version: 5.3.18
Java Version: 11
JDKVersion: 11.0.14.1

Actually, it seems that web applications running as standalone apps are not vulnerable to RCE at this moment. However, it’s quite possible that there are more yet unknown ways of exploitation of the very same vulnerability that can be exploited in some other way. So you should still update your library in order to reduce the risk of exploitation.

In comparison with Log4shell, the Spring4shell vulnerability is not as bad. To exploit it requires deep knowledge of Java, and to leverage a POC is more complex. On the other hand, the vulnerability affected 93% of enterprise cloud environments, and an exploit could be written in a couple of seconds.

What makes this vulnerability more dangerous than others?

The vulnerability reported to VMware on Tuesday night allows an attacker to remotely execute malicious code. Its severity is 9.8 out of 10, according to the CVSS v3.0 calculator.

The exploit was published on GitHub Wednesday, but quickly removed. However, it was noticed by security experts who confirmed the danger of the vulnerability. The Spring framework is quite popular among Java developers, which means that potentially many applications could be vulnerable. According to a post by Bleeping Computer, the vulnerability is already being actively exploited in the wild.

How to protect yourself?

If you use the Spring framework, it’s advised to upgrade to versions 5.3.18 or 5.2.20. The Apache Software Foundation has also released patched versions of Apache Tomcat 10.0.20, 9.0.62, and 8.5.78, which close the attack vector on the Tomcat side. The Spring developers have also released patched versions of the Spring Boot 2.5.12 and 2 .6.6 extensions, which depend on the patched version of Spring Framework 5.3.18.