Critical Alert: Spring Core (SpringShell) Remote Code Execution Vulnerability Exploited In The Wild

The Spring Framework is an application framework and inversion of control container for the Java platform, developed by VMware. CVE-2022-22965 affects Spring Core and allows an attacker to send a specially crafted HTTP request to bypass protections in the library’s HTTP request parser, leading to remote code execution. Multiple proofs of concept (PoCs) have been published and are being used for active exploitation. The vulnerability is called “Spring4Shell” or “SpringShell”.



The developers of Spring have stated that for successful exploitation to happen, the following conditions have to be met:


  • Spring MVC and Spring WebFlux applications running on Java version JDK9+

  • The applications are running on Tomcat as a WAR deployment

While the two conditions above are what is required, the scope of the exploit is more general. This implies that other exploit vectors may be present.


A malicious user could exploit this Remote Code Execution vulnerability to gain unauthorized access to the server, steal user data, and cause undesirable side effects on the vulnerable machine.

Affected Products

Spring Framework versions 5.3.0 to 5.3.17 and versions 5.2.0 to 5.2.19


The Spring developers have released a security update for this vulnerability in versions 5.2.20+ and 5.3.18+. It is recommended that all users upgrade to the latest applicable patched version ASAP. For users who cannot upgrade their Spring Framework, the developers have suggested the following workarounds:

  • Upgrading Tomcat

    Provides adequate protection, but is only a temporary fix until users upgrade their Spring Framework.

  • Downgrading to Java 8

    Internal research has shown that this mitigation provides no guaranteed results. If users opt for this, it is suggested to check for the vulnerability once Java 8 is up and running.

  • Setting disallowedFields

    Set disallowedFields on WebDataBinder globally. This generally works, but as a centrally applied workaround it may leave some loopholes, in particular if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting.
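
The disallowedFields workaround described above, as an added example that is not code from this advisory page: a global @ControllerAdvice deny list plus a controller-local @InitBinder that merges with it instead of replacing it. The deny patterns are those from the Spring team's published workaround; AccountController, AccountForm and the merge helper are hypothetical names.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

// Global workaround: runs for every binder, before controller-local @InitBinder methods.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
class GlobalBinderAdvice {
    // Deny patterns from the Spring team's published workaround for CVE-2022-22965.
    static final String[] DENIED = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
    @InitBinder
    public void denyClassAccess(WebDataBinder binder) {
        binder.setDisallowedFields(merge(binder.getDisallowedFields(), DENIED));
    }
    // Hypothetical helper: union of the binder's current deny list and extra patterns.
    static String[] merge(String[] existing, String... extra) {
        Set<String> all = new LinkedHashSet<>();
        if (existing != null) all.addAll(Arrays.asList(existing));
        all.addAll(Arrays.asList(extra));
        return all.toArray(new String[0]);
    }
}

// Hypothetical controller that needs its own binder rule.
@Controller
class AccountController {
    @InitBinder
    public void localBinder(WebDataBinder binder) {
        // setDisallowedFields replaces the whole list: calling it with only "id"
        // here would drop the global patterns. Merging keeps both restrictions.
        binder.setDisallowedFields(GlobalBinderAdvice.merge(binder.getDisallowedFields(), "id"));
    }
    @PostMapping("/account")
    public String update(@ModelAttribute AccountForm form) { return "account"; }
}

class AccountForm {
    private String name;
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}
```

Every controller that declares its own @InitBinder needs the same merge, so auditing the code base for local setDisallowedFields calls is part of applying this workaround.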
