Posted Date: 04/01/2022
Published Date: 04/01/2022
Source: Known reputed Security Agencies/Reports/Articles
Sector: All – including Government agencies
Reported by: CyberKendra Security blog post
CVE: CVE-2022-22965, CVE-2022-22963, and CVE-2022-22950
DATE(S) ISSUED: 03/31/2021
SUBJECT: Known IOCs and facts about Spring4Shell zero-day vulnerability
OVERVIEW: As the world's most popular Java lightweight open-source framework, Spring allows developers to focus on business logic and simplifies the development cycle of Java enterprise applications. Spring has released a security advisory explaining that the vulnerability is now tracked as CVE-2022-22965 and impacts Spring MVC and Spring WebFlux applications on JDK 9. The exploitation of the vulnerability also requires Apache Tomcat, an application packaged as a WAR, and the spring-webmvc or spring-webflux dependencies.
THREAT INTELLIGENCE: Per recent updates on Bleeping Computer, the vulnerability is actively being exploited in attacks; the targets are currently unknown.
SYSTEMS AFFECTED:
• JDK version 9 and beyond
• Apache Tomcat as the Servlet container
• Packaged as WAR
• spring-webmvc and spring-webflux dependency
• Spring Cloud Function versions 3.1.6, 3.2.2
• Spring Framework
  o 5.3.0 to 5.3.17
  o 5.2.0 to 5.2.19
  o Older, unsupported versions are also affected
RISK:
Government and their entities: High Impact
Businesses and their entities: High Impact
TECHNICAL SUMMARY: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Unfortunately, two other Spring CVEs were released at the same time as SpringShell (CVE-2022-22965), which caused a lot of confusion. These two additional CVEs are not related to SpringShell, and each of them should be handled separately from it.
• CVE-2022-22963 is a critical-severity RCE issue (reported initially as a medium-severity issue) in Spring Cloud Function. This is a very severe issue, but Spring Cloud Function is less widespread than Spring Framework.
• CVE-2022-22950 is a medium-severity DoS issue in Spring Framework.
CyFlare is continuously monitoring and updating the known IOCs in order to fetch updated information on the threat and any potential mitigation techniques.
RECOMMENDATIONS: We recommend the following actions be taken:
• Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+. No other steps are necessary. There are other mitigation steps for applications that cannot upgrade to the above versions. Those are described in the early announcement blog post, listed under the Resources section. Releases that have fixed this issue include:
  o Spring Framework 5.3.18+, 5.2.20+
• Potential IOCs:
  o HTTP POST request with exploit code as payload in the data section.
  o The following filenames would store the web shell contents on the server in the event of successful exploitation:
    0xd0m7.jsp
    myshell.jsp
    shell.jsp (far too general – not very conclusive)
    tomcatwar.jsp
    wpz.jsp
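Two defender-side checks built from the version ranges and filename IOCs in this advisory, as an added example that is not part of the advisory or of Spring's own tooling: one classifies a spring-webmvc/spring-webflux version against the affected ranges, the other walks a Tomcat webapps tree for the listed web shell filenames (marking shell.jsp as low confidence, as noted above). The webapps directory and sample files in demo() are constructed for the demonstration.

```python
import os
import re
import tempfile

# Filenames from the advisory's IOC list, each with a confidence label.
WEBSHELL_IOCS = {
    "0xd0m7.jsp": "high",
    "myshell.jsp": "high",
    "shell.jsp": "low",  # far too general to be conclusive, per the advisory
    "tomcatwar.jsp": "high",
    "wpz.jsp": "high",
}

# First fixed patch level of each supported 5.x line (5.3.18+, 5.2.20+).
FIRST_FIXED = {3: 18, 2: 20}

def is_affected_spring_version(version):
    """True if a spring-webmvc/spring-webflux version is in an affected range."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major < 5 or (major == 5 and minor < 2):
        return True  # older, unsupported versions are also affected
    if major == 5 and minor in FIRST_FIXED:
        return patch < FIRST_FIXED[minor]
    return False  # not within any range the advisory lists

def find_webshell_iocs(webapps_root):
    """Walk a Tomcat webapps tree; return sorted (path, confidence) for IOC filenames."""
    hits = []
    for dirpath, _, files in os.walk(webapps_root):
        for name in files:
            conf = WEBSHELL_IOCS.get(name.lower())
            if conf:
                hits.append((os.path.join(dirpath, name), conf))
    return sorted(hits)

def demo():
    """Constructed layout (not a real host): one high- and one low-confidence IOC, one benign JSP."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "ROOT"))
    for name in ("tomcatwar.jsp", "shell.jsp", "index.jsp"):
        open(os.path.join(root, "ROOT", name), "w").close()
    return [(os.path.relpath(p, root).replace(os.sep, "/"), c) for p, c in find_webshell_iocs(root)]

if __name__ == "__main__":
    print(demo())
```

A low-confidence hit on shell.jsp should be triaged against the file's contents and the Tomcat access log for the POST request IOC before being treated as evidence of compromise.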