A new zero-day Remote Code Execution (RCE) vulnerability, "Spring4Shell" or "SpringShell", has been found in the Spring Framework. An unauthorized attacker can exploit this vulnerability to remotely execute arbitrary code on the target device.

What is Spring Framework?

spring-core is a widely used framework that lets software developers build Java applications with enterprise-level components with little effort.

Which versions are vulnerable?

The vulnerability requires JDK version 9 or later to be running. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions are vulnerable. It allows remote attackers to plant a web shell when Spring Framework applications run on top of JRE 9. It is caused by unsafe deserialization of the supplied arguments, which a simple HTTP POST request can trigger, allowing full remote access.

How can this be exploited?

Exploitation of this vulnerability relies on an endpoint with DataBinder enabled, which automatically decodes data from the request body into object fields. This behaviour could enable an attacker to leverage Spring4Shell against a vulnerable application. In fact, the documentation of the Spring Framework class DataBinder warns about this:

"Note that there are potential security implications in failing to set an array of allowed fields. In the case of HTTP form POST data, for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases, this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder."

What are the prerequisites to exploit this vulnerability?
  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

Is there a patch available for Spring4Shell?

As of 30 March, the vulnerability had neither a patch nor a CVE assigned to it. However, a few temporary fixes are recommended for mitigating or removing the vulnerability.

Also, there are multiple working proof-of-concept (PoC) exploits available for Spring4Shell. We strongly recommend that organizations deploy these mitigations or use a third-party firewall for defense.

Qualys Coverage

The Qualys Research Team has released the following authenticated QIDs to address this vulnerability for now. These QIDs will be available starting with vulnsigs version VULNSIGS-2.5.438-3 and in Cloud Agent manifest version LX_MANIFEST-2.5.438.3-2.

| QID | Title | Version | Available for |
|---|---|---|---|
| 376506 | Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell) | VULNSIGS-2.5.438-3 | Scanner/Cloud Agent |
| 45525 | Spring core or Spring beans jar detected | VULNSIGS-2.5.438-3 | Scanner/Cloud Agent |
| 730416 | Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell) (Unauthenticated Check) | VULNSIGS-2.5.440-2 | Scanner |

FAQ: Is this vulnerability related to CVE-2022-22963?

There is some confusion about this zero-day vulnerability due to another unrelated Spring vulnerability (CVE-2022-22963) published yesterday (March 29, 2022). This vulnerability, CVE-2022-22963, impacts Spring Cloud Function, which is not in Spring Framework.

What is the detection logic for QID 376506: Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell)?

QID 376506 is an authenticated check currently supported on Linux operating systems. It uses the locate command and the files opened by running processes (/proc/*/fd) to find spring-core and spring-beans files on the host. Additionally, it checks whether Java version 9 or later is installed on the host.

Under what situations would QID 376506 not detect the vulnerability?

QID 376506 might not detect the vulnerability if access to /proc/*/fd is restricted, or if the spring-core or spring-beans file is embedded inside another archive, such as a jar or war.

It might also miss the vulnerability if the locate command is not available on the target. Targets running Java versions below 9 are not vulnerable.
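The detection logic and its blind spots described above, as an added example that is not Qualys' signature code: a POSIX shell check that gathers jar paths from locate and /proc/*/fd, classifies spring-core/spring-beans versions against the ranges listed on this page, and confirms a Java 9+ runtime. The function names (java_is_9_plus, spring_jar_version, spring_version_vulnerable, scan_host) are assumptions chosen for this illustration; jars nested inside a WAR or fat jar are never opened, which reproduces the blind spot the FAQ notes.

```shell
# Hypothetical host check modelled on the QID 376506 logic described above: locate
# and /proc/*/fd for spring-core/spring-beans jars, plus a Java 9+ test. Added for
# this page as an illustration; it is not Qualys' signature code.
# Succeeds when a "java -version" banner line reports Java 9 or later; handles the
# legacy "1.8.0_292" scheme as well as "11.0.2" and "17-ea".
java_is_9_plus() {
  ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
  [ -n "$ver" ] || return 1
  major=${ver%%.*}
  [ "$major" = 1 ] && { rest=${ver#1.}; major=${rest%%.*}; }   # 1.8.0_292 -> 8
  major=$(printf '%s' "$major" | sed 's/[^0-9].*//')          # 17-ea -> 17
  [ -n "$major" ] && [ "$major" -ge 9 ]
}
# Prints the version embedded in a spring-core-X.jar / spring-beans-X.jar file
# name; fails for anything else (a jar nested inside a WAR never matches).
spring_jar_version() {
  f=${1##*/}
  case $f in
    spring-core-*.jar|spring-beans-*.jar)
      f=${f%.jar}; f=${f#spring-core-}; f=${f#spring-beans-}; printf '%s\n' "$f" ;;
    *) return 1 ;;
  esac
}
# Succeeds when a version lies in the ranges the advisory calls vulnerable:
# 5.3.0-5.3.17, 5.2.0-5.2.19, and anything older than 5.2.
spring_version_vulnerable() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')      # drop "-SNAPSHOT", ".RELEASE"
  case $v in *.*.*) ;; *) return 1 ;; esac         # need major.minor.patch
  maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
  [ -n "$maj" ] && [ -n "$min" ] && [ -n "$patch" ] || return 1
  [ "$maj" -lt 5 ] && return 0
  [ "$maj" -gt 5 ] && return 1
  [ "$min" -lt 2 ] && return 0
  [ "$min" -eq 2 ] && [ "$patch" -le 19 ] && return 0
  [ "$min" -eq 3 ] && [ "$patch" -le 17 ] && return 0
  return 1
}
# Gather candidates the way the QID does (locate plus open files of running
# processes). Jars embedded inside another jar or war are invisible here.
scan_host() {
  { command -v locate >/dev/null && locate spring-core spring-beans || :
    for fd in /proc/[0-9]*/fd/*; do readlink "$fd" || :; done; } 2>/dev/null |
  sort -u | while IFS= read -r p; do
    ver=$(spring_jar_version "$p") || continue
    if spring_version_vulnerable "$ver"; then echo "VULNERABLE $p"; else echo "not in range $p"; fi
  done
  if java_is_9_plus "$(java -version 2>&1 | head -n 1)"; then echo "Java 9+ present"; else echo "Java 9+ not found"; fi
}
scan_host
```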

Disclaimer

Qualys Inc. published this content on 31 March 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 31 March 2022 17:45:02 UTC.