What is ‘Spring’?
The Spring Framework is an open-source application framework that provides infrastructure support for developing Java applications. A framework is a large body of predefined code to which developers can add code to solve a problem in a specific domain.
Vulnerability Overview
CVE-2022-22963 (CVSS 9.8 (Unofficial) – Critical) – Remote code execution in Spring Cloud Function by malicious Spring Expression
A Critical severity vulnerability affecting Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions was disclosed publicly on March 28th.
In Spring Cloud Function 3.1.6, 3.2.2 and older versions, when using the routing functionality, it is possible for a user to provide a specially crafted SpEL expression as a routing-expression that may result in remote code execution and access to local resources.
CVE-2022-22965 (CVSS – 8.1 – High) – Spring Framework RCE via Data Binding on JDK 9+ “Spring4Shell”
A High severity vulnerability was responsibly reported to VMware on 29th March. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Spring Framework version 5.3.0 to 5.3.17 & 5.2.0 to 5.2.19 are reported as being vulnerable. Older, unsupported versions are also affected.
It is worth noting that certain prerequisites must be met for Spring4Shell to be exploitable; that is, the application code itself must be exploitable. For the Spring4Shell vulnerability, those who use the following may be at risk:
- Java Development Kit 9 and higher
- Spring-Beans package
- Spring parameter binding
- Spring parameter binding using non-basic parameter types like POJOs
Recommendation – Prevention
- Apply appropriate vendor patches
- (CVE-2022-22965) If you’re using the Spring Framework, upgrade to versions 5.3.18+ and 5.2.20+.
- (CVE-2022-22963) If you’re using the Spring Cloud Function library, you must upgrade to 3.1.7+ or 3.2.3+ to prevent an RCE attack.
- Ensure NGEN Firewall / IPS has appropriate signatures
- Ensure EPP/EDR policies are set to block all types of malware from executing
Spring has released a critical update for its framework in the wake of the vulnerability being discovered. Cybersecurity company Praetorian has also issued advice to technical teams to help them spot and block dangerous code.
Recommendation – Detection
For those hosting applications using Spring, you can detect this vulnerability by:
- Performing vulnerability scanning on your environment, prioritizing the network perimeter
- Monitoring and performing threat hunting activities
For application developers you can detect this vulnerability at three different phases of the application lifecycle:
- Build Process: Use an image scanner to analyze the contents and build process of a container in order to detect security issues, vulnerabilities, or bad practices.
- Deployment Process: By implementing image scanning in the admission controller, only workload images that comply with the scanning policy are admitted to run in the cluster.
- Runtime Process: Using a Runtime detection engine tool like Falco, you can detect attacks that occur in runtime when your containers are already in production.
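As an added example (not code from the advisory), a small Python check that applies the affected and fixed version ranges quoted above to jar file names found in a deployment (lib/, BOOT-INF/lib, a Maven cache). It assumes the standard Maven artifact ids for Spring Framework and Spring Cloud Function, and treats minor lines older than those listed as affected, matching the advisory's "older unsupported versions are also affected".

```python
import re
from pathlib import Path

# Lowest fixed release per minor line, from the advisory:
# Spring Framework 5.3.18+ / 5.2.20+ (CVE-2022-22965),
# Spring Cloud Function 3.1.7+ / 3.2.3+ (CVE-2022-22963).
FIXED = {
    "CVE-2022-22965": {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)},
    "CVE-2022-22963": {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)},
}
# Assumed Maven artifact ids versioned with Spring Framework / Spring Cloud Function.
ARTIFACT_CVE = {
    "spring-beans": "CVE-2022-22965", "spring-core": "CVE-2022-22965",
    "spring-webmvc": "CVE-2022-22965", "spring-webflux": "CVE-2022-22965",
    "spring-cloud-function-context": "CVE-2022-22963",
}
JAR_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<ver>\d+\.\d+\.\d+)(?:[.-][\w.]+)?\.jar$")

def parse_jar_name(name):
    """Split 'spring-beans-5.3.17.jar' into ('spring-beans', (5, 3, 17))."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group("artifact"), tuple(int(p) for p in m.group("ver").split("."))

def vulnerable_cve(artifact, version):
    """Return the CVE id if artifact/version falls in an affected range, else None."""
    cve = ARTIFACT_CVE.get(artifact)
    if cve is None:
        return None
    fixed, line = FIXED[cve], version[:2]
    if line in fixed:
        return cve if version < fixed[line] else None
    # Older minor lines are unsupported and listed as affected; newer lines are not.
    return cve if line < min(fixed) else None

def scan_jar_names(names):
    """Flag affected jars in a list of file names (lib/, BOOT-INF/lib, ~/.m2)."""
    findings = []
    for name in names:
        parsed = parse_jar_name(name)
        if parsed and (cve := vulnerable_cve(*parsed)):
            findings.append((name, cve))
    return findings

def scan_directory(root):
    """Walk a deployment tree and report affected jar paths (shaded/unpacked jars not covered)."""
    return [(str(p), cve) for p in Path(root).rglob("*.jar") for _, cve in scan_jar_names([p.name])]
```

A hit only confirms an affected library is present; the JDK 9+ and data-binding prerequisites listed above still decide whether the application is actually exposed.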
If you believe you are affected or vulnerable based on the criteria above, consider shutting down a service if it is exposed to the internet, and follow our recommended prevention actions.
For Managed Service customers, the Ward Support team will be reviewing individual environments and making recommendations on appropriate patching for all supported devices, where applicable.
A list of indicators of compromise has been added to all Ward SIEM tenancies to detect threat activity. This is being updated as more are published.
If you would like additional information or would like support in assessing and protecting your environment:
Managed services customers can contact our service desk via https://servicedesk.ward.ie or by phone:
- NOC – 01 6420102
- SOC – 01 6420127
or alternatively for those with formal support agreements contact your account manager, as appropriate.
Please share this information with any other IT professionals that you are working with.
Further Reading:
- https://tanzu.vmware.com/security/cve-2022-22963
- https://tanzu.vmware.com/security/cve-2022-22965
- https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
- https://threatpost.com/critical-rce-bug-spring-log4shell/179173/
- https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
- https://thehackernews.com/2022/03/unpatched-java-spring-framework-0-day.html
- https://www.darkreading.com/application-security/zero-day-vulnerability-discovered-in-java-spring-framework
- https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability
- https://www.securityweek.com/spring4shell-spring-flaws-lead-confusion-concerns-new-log4shell-threat
- https://www.computerweekly.com/news/252515360/Spring4Shell-zero-day-sprung-on-security-teams
- https://techmonitor.ai/technology/cybersecurity/spring4shell-vulnerability-log4j-log4shell
- https://www.bleepingcomputer.com/news/security/spring-patches-leaked-spring4shell-zero-day-rce-vulnerability/
- https://www.contrastsecurity.com/security-influencers/new-spring4shell-vulnerability-confirmed-what-it-is-and-how-to-be-prepared