XenonStack Recommends

Security Intelligence

Spring4shell : A Critical Vulnerability in Spring Java Framework

Parveen Bhandari | 22 August 2022

Spring4shell Vulnerability

What is Spring4shell Vulnerability?

Spring 4 Shell is a remote code execution (RCE, code injection) vulnerability in Spring Core exploited via data binding. The attacker can execute code from a remote source on the attacked victim by exploiting it. The Spring Framework (Spring) is an open-source application framework that supports the development of Java applications by providing infrastructure support.

Spring is one of the most widely used Java Enterprise Edition (Java EE) frameworks, allowing developers to design high-performing applications with simple Java objects (POJOs).

A critical vulnerability in the Spring Java framework was revealed on March 29, 2022. This vulnerability was initially misunderstood with CVE-2022-22963, a vulnerability in Spring Cloud. However, it was eventually discovered as a different Spring Core vulnerability, now known as CVE-2022-22965 and dubbed Spring4 Shell.

Impact of CVE-2022-22963

Because the parameter spring.cloud.function.routing-expression is not checked by the Cloud Function, an attacker can send arbitrary code to Spring Expression Language (SpEL) via an HTTP header named spring.cloud.function.routing-expression. The impact of this vulnerability is moderate in terms of ease of exploitation but low in terms of availability; it only affects services using Spring Cloud Function.

Impact of CVE-2022-22965

The Spring Framework vulnerability CVE-2022-22965 (Spring4Shell, SpringShell) leverages data binding features to connect data sent in an HTTP request to particular objects used by an application. The flaw is in the getCachedIntrospectionResults method, which can be leveraged to get unauthorized access to such objects by sending their class names over HTTP. When custom object classes are employed, there is a risk of data leakage and remote code execution. This issue is identical to CVE-2010-1622, which was fixed by adding class name checks to ensure that the name did not match the classLoader or the protectionDomain. An alternative technique for such exploitation exists in a newer version of JDK, for example, with Java 9 Platform Module System capabilities.

How is Spring4shell Vulnerability Exploited?

This vulnerability requires an endpoint with DataBinder enabled, automatically decoding data from the request body. An attacker could use the spring4 shell against a susceptible application if this property is set. The documentation for the spring framework class Data Binder warns about this.
Malicious customers can try to undermine an application by submitting value for fields or properties that do not exist on the form.

For Example, In HTTPS form, Post data could result in illegal data being placed on command objects or their nested objects in some instances. As a result, specifying the allowed fields property on the DataBinder is highly recommended."

For the Spring 4 Shell vulnerability, Those who use the following may be at Risk:

  • Java development kit 9 and higher.
  • Spring-Beans package
  • Spring parameter binding
  • Spring parameter binding using non-basic parameter types like POJOs.

How can we test for the Spring4shell Issue?

Apart from performing one of the PoC exploits, the Randori Attack Team developed a simple curl test for live testing endpoints.

-curl -s -o /dev/null-w”%(http_code)host:port/path?lass.module.classloader.URLs%5B0%5D=0

Your endpoint is most likely susceptible if the returned status code is "400."
It's worth noting that a status code other than "400" doesn't mean the endpoint isn't susceptible.
JFrog released an open-source tool for testing local codebases that searches compiled binary code for insecure web apps.

Cyber Security Services
End-to-End Proactive Solutions for empowering Advanced Threat Protection and Intelligence with Real-Time Analytics, Cyber Security Services

How can we fix the Spring4Shell Vulnerability?

You can fix the Vulnerability by following these steps

  • Upgrade to spring frameworks 5.3.18 and 5.2.20 is the most effective way to fix the spring4shell vulnerability.
  • There are a few workarounds that you can use if you cannot upgrade the spring Framework.
  • There are two options:
    • JDK version 8 should be downgraded.
    • Tomcat should be upgraded to version 10.0.20, 9.0.62, or 8.5.78.
  • Implement a block list within the application to prevent the susceptible functionality from being called.
  • Spring-web MVC or spring-web flux dependency

Conclusion

The Spring4Shell vulnerability is a high-impact flaw that attackers can easily exploit in production situations using vulnerable Spring versions. We addressed several detection and mitigation tactics for Spring4Shell vulnerability in this post.

 Explore more Critical Vulnerabilities and their Remediations