The information technology and cybersecurity communities are still assessing the impact of Spring4Shell, a remote code execution vulnerability recently disclosed in the Spring Framework for Java that affects vulnerable installations.
While exploit attempts have not yet been widespread, there is a simmering concern that this bug could be nearly as impactful as the Log4j 2 vulnerabilities since the Spring Framework is the most used lightweight open-source framework for Java.
Based on public blog posts and analysis, here is what we know so far.
What is Spring4Shell?
Spring4Shell, tracked as CVE-2022-22965, is a remote code execution (RCE) vulnerability in the Spring Framework for Java that impacts Spring MVC and Spring WebFlux applications running on Java Development Kit 9.0 or later.
According to Microsoft, the bug allows remote attackers to obtain an AccessLogValve object through the framework's parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path if certain conditions are met.
The vulnerability in Spring Core can be exploited when an attacker sends a specially crafted query to a web server running the Spring Core framework, the IT giant says.
According to Spring, the bug was leaked ahead of CVE publication and was first reported to VMware late on March 29.
VMware says the bug bypasses the patch for a 2010 vulnerability (CVE-2010-1622), which becomes exploitable again because JDK 9 and later provide two sandbox restriction methods that open a new path to exploit it.
Who is impacted?
According to multiple sources, the vulnerability requires these traits:
- Running on JDK 9 or higher
- Apache Tomcat as the Servlet container
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions
- Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance; typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted
- The application has spring-webmvc or spring-webflux dependencies
Is Spring4Shell being actively exploited?
So far, the IT and cybersecurity communities are not reporting widespread exploitation of Spring4Shell. Microsoft says it has been tracking a “low volume” of exploit attempts across its cloud services.
How do we mitigate Spring4Shell?
Patches have been released; upgrading to Spring Framework 5.3.18 or 5.2.20 fixes the bug.
There are also workarounds for Spring4Shell, which include upgrading Tomcat, downgrading to Java 8, or disabling binding to particular fields by setting disallowedFields on WebDataBinder globally.
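The disallowedFields workaround mentioned above, written out as an added example (this code is not from the article or from Spring's documentation; the class name is my own, and the denylist patterns follow Spring's published workaround):

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Applies a field denylist to every controller's WebDataBinder so that request
 * parameters can no longer bind to the "class" property of a command object,
 * which is the path parameter binding follows to reach the ClassLoader.
 * This is a stop-gap for deployments that cannot yet move to 5.3.18 / 5.2.20.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Block "class"/"Class" both at the top level of the bound object and
    // when nested under any other bound property (e.g. "foo.class.*").
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder binder) {
        // Caveat: a controller whose own @InitBinder method also calls
        // setDisallowedFields(...) replaces this list rather than extending it,
        // so such controllers must include these same patterns themselves.
        binder.setDisallowedFields(DENYLIST);
    }
}
```

Verify after deploying by confirming that a request carrying a parameter named under the class property is rejected by the binder rather than applied to the command object.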
Read this Spring blog to learn more about patches and workarounds.
VMware released its own advisory for the bug, giving it a CVSS score of 9.8 and saying 10 Tanzu products are vulnerable to the exploit, including different versions of VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager and VMware Tanzu Kubernetes Grid Integrated Edition.
As of Tuesday, April 5, patches for seven of those products have been released.
Read VMware’s advisory for more information on patching and workarounds.
What products are vulnerable?
In addition to VMware, Cisco, NetApp, Red Hat and others are affected, according to the CERT Coordination Center. The NCSC-NL also compiled a list of products and their vulnerability status on GitHub.
What about CVE-2022-22963?
CVE-2022-22963 is a remote code execution flaw in Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions. A user providing a specially crafted SpEL expression as a routing expression could achieve remote code execution and access to local resources, according to VMware.
To fix this, users should upgrade to 3.1.7 or 3.2.3.
There was confusion between this bug and Spring4Shell, but it is unrelated. However, users should still patch this immediately.
Where can I learn more?
Microsoft published a detailed blog on Spring4Shell, including how the exploit works and a proof of concept.
CISA issued this alert, which links to Spring blog posts that provide guidance for addressing both vulnerabilities as well as VMware’s Tanzu bug report.