Main Article

A new zero-day vulnerability in the Spring Core Java framework called 'Spring4Shell' has been publicly disclosed, allowing unauthenticated remote code execution on applications.

Spring is a very popular application framework that allows software developers to quickly and easily develop Java applications with enterprise-level features. These applications can then be deployed on servers, such as Apache Tomcat, as stand-alone packages with all the required dependencies.

Yesterday, a new Spring Cloud Function vulnerability tracked as CVE-2022-22963 was disclosed, with Proof-of-Concept exploits soon to follow.

However, information about a more critical Spring Core remote code execution vulnerability was later circulating on the QQ chat service and a Chinese cybersecurity site.

This new Spring RCE vulnerability, now dubbed as Spring4Shell, only affects Spring applications running on Java 9 and above and is caused by unsafe deserialization of passed arguments.

Today, an exploit for this zero-day vulnerability was briefly leaked and then removed but not before cybersecurity researchers could download the code.

Since then, numerous cybersecurity researchers and security firms have confirmed that the vulnerability is valid and of significant concern.

Jang twee

Alvaro tweet

Cybersecurity firm Praetorian also confirmed the bug but said it relies on specific configurations to exploit it properly.

"Exploitation requires an endpoint with DataBinder enabled (e.g. a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application," Praetorian explained in a blog post.

"For example, when Spring is deployed to Apache Tomcat, the WebAppClassLoader is accessible, which allows an attacker to call getters and setters to ultimately write a malicious JSP file to disk."

"However, if Spring is deployed using the Embedded Tomcat Servlet Container the classloader is a LaunchedURLClassLoader which has limited access."

"In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted POST request to a vulnerable system. However, exploitation of different configurations will require the attacker to do additional research to find payloads that will be effective."

However, researchers have told BleepingComputer that Spring is commonly used with Apache Tomcat, meaning that there is great potential for widespread abuse.

To make matters worse, there are reports that the Spring4Shell vulnerability may already be actively exploited in attacks, according to advisories from the China CERT.

Colin tweet

Praetorian's blog post describes a way to partially mitigate Spring4Shell attacks by disallowing specific 'patterns' to be passed to the Spring Core DataBinder functionality.

As this vulnerability does not currently have a patch, it is strongly advised that admins using Spring applications deploy these mitigations as soon as possible.

Is this the new Log4Shell?

Spring is a very popular application framework for Java applications, raising significant concerns that this may lead to widespread attacks as threat actors scan for vulnerable apps.

As exploitation requires a simple HTTP POST to a vulnerable app, threat actors will be able to create scripts that scan the Internet and automatically exploit vulnerable servers.

Threat actors can use these exploits to execute commands on the server, which will allow full remote access to the device.

This attack scenario is reminiscent of what we saw in December with the mass exploitation of Log4j servers using the Log4Shell exploits to install malware and conduct ransomware attacks.

To prevent this scenario from coming true, it is strongly advised that admin apply the mitigations provided by Praetorian as soon as possible.