The Rite of Spring4Shell - Threatwire
Added 2022-04-13 17:14:25 +0000 UTC By Shannon Morse, ThreatWire
I previously mentioned via ThreatWire that the Spring Framework for Java has a recently discovered vulnerability that is being called Spring4Shell. To break this down, the Spring Framework is a widely used, lightweight open source application framework. The flaw itself is in Spring's request data binding, and it affects Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older, unsupported releases, but only when the application runs on JDK 9 or newer, because the known exploit relies on a class introspection path that JDK 9 introduced.
If one of these versions is in use and the vulnerability is exploited, an attacker can remotely write files into the web application and plant code that runs on the server. The Spring Framework is built into a lot of products, so for example, Microsoft warned that it was tracking exploit attempts against its Azure cloud services, and VMware warned that the flaw also affects its Tanzu products, which are used for container and VM workloads.
In Microsoft’s case, a lot of conditions have to line up before an attacker can take advantage of the vulnerability, and the Spring Framework has to be deployed in a specific way in order to be vulnerable. The public proof of concept targets apps running on a standalone Apache Tomcat server and abuses Tomcat's access logging: by binding request parameters onto the access log valve's properties, the attacker redirects the log into the application's web root under a .jsp name with a log pattern containing attacker-supplied code. Since this is a remote code execution attack, an attacker crafts requests to a server running the vulnerable framework to create a web shell in the web application's root directory. For this to work, the app must be packaged as a Java web archive (WAR) and deployed to a standalone Tomcat instance; Spring Boot applications are usually run as executable jars with an embedded container or as reactive (WebFlux) servers, and those deployments aren't affected by the known exploit.
The vulnerability is tracked as CVE-2022-22965, and so far Microsoft has confirmed that it has only seen a “low volume of exploit attempts”. If successful, the flaw gives an attacker a web shell, allowing them to execute commands remotely. Other researchers have noted that attacks are occurring with more frequency. For example, Check Point researchers report that 16% of vulnerable organizations have already been targeted, with about 37,000 attempts in the last week. Software vendors are the most impacted sector, with about 28% of the total attacks targeting them.
As of Friday, we also learned that the Mirai malware is being distributed via this exploit, meaning that infected devices can then be used for botnet-style DDoS attacks.
With the numbers showing many devices and companies vulnerable to this issue, CISA posted a bulletin encouraging administrators to apply updates immediately. To protect against Spring4Shell, admins should upgrade to Spring Framework 5.3.18 or 5.2.20, or, for Spring Boot applications, to Spring Boot 2.6.6 or 2.5.12, which pull in the fixed framework.
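Where the upgrade can't ship right away, Spring's advisory published a stopgap that blocks the property paths the exploit relies on. The following is an added example of that pattern, not code from the ThreatWire post or from the Spring project itself, and the package and class names are my own choice. It registers a global @ControllerAdvice that tells every Spring MVC data binder to refuse any request parameter whose nested path goes through a `class` property, which is how the exploit reaches the class loader and, from there, Tomcat's access log configuration.

```java
// Package name is an assumption for this example.
package com.example.mitigation;

import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Stopgap for CVE-2022-22965 on Spring Framework 5.3.0-5.3.17 and
 * 5.2.0-5.2.19 running on JDK 9+. Applies to every @Controller in the
 * application. It is not a replacement for upgrading to 5.3.18 / 5.2.20.
 */
@ControllerAdvice
@Order(10000) // high value so this advice runs late and is not shadowed by other advices
public class SpringShellBinderAdvice {

    // Property-path patterns that data binding must refuse. The exploit's
    // path begins "class.module.classLoader...", so "class.*" stops it at the
    // first segment; "*.class.*" covers the same path reached through a
    // nested bound object. Both capitalisations are listed because the
    // match is on the literal path text.
    private static final String[] DENYLIST = {
            "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void denyClassPropertyPaths(WebDataBinder dataBinder) {
        // Disallowed fields are silently dropped from binding and recorded
        // as suppressed fields on the BindingResult, so legitimate requests
        // are unaffected while the malicious parameters never reach a setter.
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

One caveat before relying on this: a controller that has its own @InitBinder method calling setDisallowedFields replaces the global list for that controller, so any such method must include the same patterns. The advice also only protects Spring MVC data binding; it does nothing for the underlying framework bug, so treat it as a bridge until the 5.3.18 / 5.2.20 upgrade is deployed.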