Spring Framework vulnerability CVE-2022-22965 (Spring4shell)


On March 31, 2022, a critical vulnerability in Spring Framework was confirmed and a fixed version was released. Here is a summary of the related information.

1. What happened?

  • A vulnerability (CVE-2022-22965) that allows remote code execution in Spring MVC and Spring WebFlux applications running on JDK 9 or higher has been confirmed. Spring4shell or SpringShell is used as the common name for the vulnerability.
  • Since Spring Framework is one of the mainstream frameworks adopted in Java, it may be in use in any web application running on Java.
  • Exploit code for the vulnerability is in circulation as of March 31, 2022, and related activity on the Internet has already been reported.

2. What happens when the vulnerability is exploited?

  • If the vulnerability is exploited, arbitrary code may be executed remotely, which can lead to theft of confidential information or an intruder taking control of the server.

3. What are the affected conditions?

If all of the following conditions are met, the application may be affected by the vulnerability.

  • The runtime environment is JDK 9 or higher
  • An affected Spring Framework version is in use
  • Apache Tomcat is used as the Servlet container
  • The application is packaged as a WAR file
  • The application depends on spring-webmvc or spring-webflux

These conditions are as of March 31, 2022. Please refer to the latest official information, as new methods of exploiting the vulnerability may be confirmed in future verification and evaluation.

Affected version

[Image: affected version table, not captured]

  • Older versions that are no longer supported are also affected

Environment to pay particular attention to

If any of the following applies to an environment that meets the conditions above, it may already have been attacked, and we strongly recommend taking measures that go beyond applying the patch (for example, checking whether a compromise has occurred).

  • No security products such as a WAF are in use
  • The application is exposed to the Internet and can be easily reached by third parties

4. How should I deal with the vulnerability?

Because this is a highly urgent vulnerability, it is recommended to take measures that mitigate the impact of an attack in parallel with (or in priority over) a detailed investigation.

  1. Evaluate whether the risk can be accepted for each web application that uses Java, and take mitigation measures as necessary (restricting outbound communication, temporarily shutting down the server, etc.).
  2. Identify the affected assets (contact the stakeholders). If an asset is affected, promptly evaluate the impact and take appropriate measures (updating to the latest version is strongly recommended).
  3. Along with updating the software, check whether an attack has already had any impact. (Confirm that this is properly handled by the responsible team, such as the SOC.)

Countermeasure (1) Update to the latest version

  • Update to the version in which the vulnerability is fixed.

[Image: fixed Spring Framework versions, not captured]

  • If you are using Spring Boot, update to the Spring Boot release that addresses the vulnerability; that release depends on Spring Framework 5.3.18.

[Image: fixed Spring Boot versions, not captured]

Countermeasure (2) Applying workarounds

  • If the fixed version cannot be used immediately (for example, because the update cannot be performed right away), a workaround is described: change the WebDataBinder settings through a @ControllerAdvice, adding the field patterns that can be abused to the blacklist of disallowed fields.
  • Spring's security advisory (see the reference information) points out that this workaround may leave gaps, and also describes a more reliable response.
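As an added example that is not part of the original article, the workaround described above looks like this in Java; the class name BinderControllerAdvice is an assumption, and the field patterns are the ones given in Spring's published workaround:

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Global binder configuration applied to every controller in the application
// (class name is assumed for this example).
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Field patterns the data binder must refuse to bind from request
        // parameters; these are the patterns from Spring's published workaround.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

A controller that declares its own @InitBinder method calling setDisallowedFields overrides this global list, which is one of the gaps the advisory warns about; updating to the fixed version remains the reliable response.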

5. Has it been abused already?

[Image not captured]



More articles by Saral Saxena
