SpringShell Zero-Day Vulnerability - Emerging Threat Advisory
Incident Report for CyFlare
Resolved
This incident has been resolved.
Posted Jul 13, 2022 - 12:16 EDT
Monitoring
Posted Date: 04/01/2022
Published Date: 04/01/2022
Source: Known reputed Security Agencies/Reports/Articles
Sector: All – including Government agencies
Reported by: CyberKendra Security blog post
CVE: CVE-2022-22965, CVE-2022-22963, and CVE-2022-22950
DATE(S) ISSUED: 03/31/2021
SUBJECT: Known IOCs and facts about Spring4Shell zero-day vulnerability

OVERVIEW:
As the world's most popular Java lightweight open-source framework, Spring allows developers to focus on business logic and simplifies the development cycle of Java enterprise applications.
Spring has released a security advisory explaining that the vulnerability is now tracked as CVE-2022-22965 and impacts Spring MVC and Spring WebFlux applications running on JDK 9+. Exploitation also requires Apache Tomcat as the Servlet container, an application packaged as a WAR, and the spring-webmvc or spring-webflux dependency.

THREAT INTELLIGENCE: Per recent updates on Bleeping Computer, the vulnerability is being actively exploited in attacks; the targets are currently unknown.

SYSTEMS AFFECTED:
• JDK version 9 and beyond
• Apache Tomcat as the Servlet container
• Packaged as WAR
• spring-webmvc and spring-webflux dependency
• Spring Cloud function versions 3.1.6, 3.2.2
• Spring Framework
o 5.3.0 to 5.3.17
o 5.2.0 to 5.2.19
o Older, unsupported versions are also affected

RISK:
Government and their entities: High Impact
Businesses and their entities: High Impact

TECHNICAL SUMMARY:
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Unfortunately, two other Spring CVEs were released at the same time as SpringShell (CVE-2022-22965), which caused a lot of confusion.
These two additional CVEs are not related to SpringShell, and each of them should be handled separately from it.

• CVE-2022-22963 is a critical-severity RCE issue (reported initially as a medium-severity issue) in Spring Cloud Function. This is a very severe issue, but Spring Cloud Function is less widespread than Spring Framework.
• CVE-2022-22950 is a medium-severity DoS issue in Spring Framework.

CyFlare is continuously monitoring and updating the known IOCs in order to fetch updated information on the threat and any potential mitigation techniques.

RECOMMENDATIONS:
We recommend the following actions be taken:
• Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+. No other steps are necessary. There are other mitigation steps for applications that cannot upgrade to the above versions. Those are described in the early announcement blog post, listed under the Resources section. Releases that have fixed this issue include:
o Spring Framework
   - 5.3.18+
   - 5.2.20+
• Potential IOCs:
o HTTP POST request with exploit code as payload in the data section.
o The following filenames would store the web shell contents on the server in the event of successful exploitation:
   - 0xd0m7.jsp
   - myshell.jsp
   - shell.jsp (far too general – not very conclusive)
   - tomcatwar.jsp
   - wpz.jsp
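The following triage script is an added example written for this advisory; it is not CyFlare's tooling and not code from the Spring project. It turns the SYSTEMS AFFECTED, RECOMMENDATIONS and Potential IOCs sections above into checks a responder can run: classifying a Spring Framework version against the affected and fixed ranges, testing whether a deployment meets the preconditions of the known Tomcat/WAR exploit, and scanning a webapps tree for the listed web-shell filenames. The function names, the "strong"/"weak" confidence labels (shell.jsp is the one the advisory calls inconclusive), the case-insensitive matching and the sample directory built in demo_scan() are all assumptions of this example.

```python
"""Spring4Shell triage helpers (added example; assumptions noted in comments)."""
from __future__ import annotations

import tempfile
from pathlib import Path

# Inclusive affected ranges and first fixed releases, taken from the advisory.
VULNERABLE_RANGES = {
    (5, 3): ((5, 3, 0), (5, 3, 17)),
    (5, 2): ((5, 2, 0), (5, 2, 19)),
}
FIXED_MIN = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Web-shell filenames listed as potential IOCs. The advisory flags shell.jsp
# as too generic to be conclusive, so it is tracked as a weak indicator.
STRONG_IOC_FILENAMES = {"0xd0m7.jsp", "myshell.jsp", "tomcatwar.jsp", "wpz.jsp"}
WEAK_IOC_FILENAMES = {"shell.jsp"}


def parse_version(text: str) -> tuple:
    """Turn '5.3.17' or '5.3.17.RELEASE' into a comparable (major, minor, patch) tuple."""
    nums = []
    for part in text.strip().split(".")[:3]:
        if not part.isdigit():
            raise ValueError(f"unrecognised Spring Framework version: {text!r}")
        nums.append(int(part))
    while len(nums) < 3:          # '5.3' is treated as 5.3.0
        nums.append(0)
    return tuple(nums)


def spring_status(version: str) -> str:
    """Classify a Spring Framework version against the advisory's ranges."""
    v = parse_version(version)
    line = v[:2]
    if line in VULNERABLE_RANGES:
        lo, hi = VULNERABLE_RANGES[line]
        if lo <= v <= hi:
            return "vulnerable"
        if v >= FIXED_MIN[line]:
            return "fixed"
    if v < (5, 2, 0):
        return "affected-unsupported"   # "older, unsupported versions are also affected"
    return "not-covered"                # newer line than the advisory describes


def exploit_preconditions_met(jdk_major: int, servlet_container: str,
                              packaging: str, version: str) -> bool:
    """True when every precondition of the known exploit holds (JDK 9+, Tomcat, WAR,
    affected version). False does NOT mean safe: the advisory says the flaw is more
    general, so patching is driven by spring_status(), not by this check."""
    return (
        jdk_major >= 9
        and servlet_container.lower() == "tomcat"
        and packaging.lower() == "war"
        and spring_status(version) in ("vulnerable", "affected-unsupported")
    )


def classify_filenames(names) -> dict:
    """Map each path whose basename is a listed IOC to 'strong' or 'weak'; others are dropped.
    Matching is case-insensitive (an assumption of this example, to catch renamed copies)."""
    hits = {}
    for name in names:
        base = Path(name).name.lower()
        if base in STRONG_IOC_FILENAMES:
            hits[name] = "strong"
        elif base in WEAK_IOC_FILENAMES:
            hits[name] = "weak"
    return hits


def scan_webroot(root) -> dict:
    """Walk a Tomcat webapps tree and return {relative_path: confidence} for IOC filenames."""
    root = Path(root)
    jsp_files = (p for p in root.rglob("*") if p.is_file() and p.suffix.lower() == ".jsp")
    return classify_filenames(str(p.relative_to(root)) for p in jsp_files)


def demo_scan() -> dict:
    """Build a constructed webapps tree in a temp dir and scan it (sample data, not real findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("ROOT/index.jsp", "ROOT/tomcatwar.jsp",
                    "manager/shell.jsp", "ROOT/WEB-INF/web.xml"):
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("<!-- constructed placeholder, not a real web shell -->\n")
        return scan_webroot(root)


if __name__ == "__main__":
    for ver in ("5.3.17", "5.3.18", "5.2.19.RELEASE", "5.1.4"):
        print(f"Spring Framework {ver}: {spring_status(ver)}")
    print("Exploit preconditions (JDK 11, Tomcat, WAR, 5.3.17):",
          exploit_preconditions_met(11, "Tomcat", "war", "5.3.17"))
    print("IOC scan of constructed tree:", demo_scan())
```

Run scan_webroot() against the real Tomcat webapps directory (for example /var/lib/tomcat9/webapps or CATALINA_BASE/webapps) rather than demo_scan(); a strong hit is worth an incident ticket, a weak hit needs the file's contents and creation time checked before drawing a conclusion, and a version reported as "vulnerable" or "affected-unsupported" should be upgraded regardless of whether the exploit preconditions are met.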

REFERENCES:
https://jfrog.com/blog/springshell-zero-day-vulnerability-all-you-need-to-know/
https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html
https://portswigger.net/daily-swig/spring4shell-spring-users-face-new-zero-day-vulnerability
https://www.bleepingcomputer.com/news/security/new-spring-java-framework-zero-day-allows-remote-code-execution/
Posted Apr 01, 2022 - 18:06 EDT
This incident affected: Breach Detection Service.