A pair of critical remote code execution (RCE) vulnerabilities have been reported in Java’s Spring Framework, which is widely used by Java developers to speed up development.
Spring Core is an open source framework for developing Java applications. The vulnerability in the Spring Core library (CVE-2022-22965) has been given the name Spring4Shell. This impacts Spring MVC and Spring WebFlux applications running on JDK 9+. This exploit requires the application to run on Tomcat as a WAR deployment, which is not the default state. That said, there may be other unknown ways to exploit it.
This is not to be confused with the RCE vulnerability in Spring Cloud (CVE-2022-22963), which is a library for running microservices in the cloud. This one is very exploitable but requires such a specific version of Spring Cloud Function that the number of installations affected is likely to be very low.
Both vulnerabilities have publicly available exploit code, and patches are now available for both.
An unauthenticated attacker could execute code on an affected system.
Detecting Spring Cloud
A script with an example of the exploit has been published on GitHub.
Check the JDK version
If the JDK version is below 9 then the install is not affected.
Check if Spring Framework is being used
Unzip the .war file.
Search for a jar file named `spring-beans-*.jar` (where `*` is a version number).
If no spring-beans-*.jar file exists, search for a file called `CachedIntrospectionResults.class`.
Either of these indicates usage of Spring Framework.
The vulnerability in Spring Cloud affects versions 3.1.6, 3.2.2 and older unsupported versions.
The vulnerability in Spring Core affects anything on JDK version 9 and above using Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.
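The checks above (JDK 9+, then the spring-beans jar or CachedIntrospectionResults.class inside the WAR) together with the affected version ranges, as an added Python triage helper that is not part of this advisory. The WAR contents are constructed in memory, and the "version unknown" verdict for a class hit without a versioned jar is an assumption of this example, not a rule from the advisory.

```python
import io
import re
import zipfile

# Affected Spring Framework trains from the advisory: 5.3.0-5.3.17 and
# 5.2.0-5.2.19 (fixed in 5.3.18 / 5.2.20); anything older is also affected.
FIXED_PATCH = {(5, 3): 18, (5, 2): 20}
BEANS_JAR = re.compile(r"(?:^|/)spring-beans-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")
INTROSPECTION_CLASS = "CachedIntrospectionResults.class"


def jdk_in_scope(java_version):
    """Spring4Shell needs JDK 9+. Pre-9 JDKs report as '1.x', so the leading
    number is the major version under both naming schemes."""
    return int(java_version.split(".")[0]) >= 9


def spring_beans_affected(version):
    """True when (major, minor, patch) falls in the advisory's affected ranges."""
    major, minor, patch = version
    if (major, minor) < (5, 2):
        return True  # older, unsupported train: listed as affected
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed


def triage_war(war_bytes, java_version):
    """Apply the advisory's checks to one WAR and return a verdict string."""
    if not jdk_in_scope(java_version):
        return "not affected: JDK below 9"
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
    for name in names:
        match = BEANS_JAR.search(name)
        if match:
            version = tuple(int(part) for part in match.groups())
            return "affected" if spring_beans_affected(version) else "patched"
    # Assumption of this example: a bare class hit means Spring is present
    # but the version cannot be read from a jar name, so flag it for review.
    if any(name.endswith(INTROSPECTION_CLASS) for name in names):
        return "Spring present, version unknown: review"
    return "no Spring Framework found"


def make_war(entry_names):
    """Build an in-memory WAR (a zip) with empty entries; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for name in entry_names:
            war.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_war(["WEB-INF/web.xml", "WEB-INF/lib/spring-beans-5.3.17.jar"])
    print(triage_war(sample, "11.0.14"))  # affected
```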
Containment, Mitigations & Remediations
Spring Cloud users should upgrade to 3.1.7 or 3.2.3.
Spring Core users should upgrade to 5.3.18 or 5.2.20; where that is not practical, Spring has published mitigations on its website.
Indicators of Compromise
The similarity in names has led many reports to conflate the two vulnerabilities and their exploits, which creates confusion and a sense of greater exposure. This isn't to downplay the seriousness of vulnerabilities with public exploits in public-facing applications; however, unless the exploits develop further, this is not likely to have as great an impact, or to be targeted as widely, as Log4J/Log4Shell was earlier in the year.
Exploit Public-Facing Application (T1190)