
Spring4Shell Vulnerability (CVE-2022-22965): Protect Your Spring Based Applications

Learn how you can protect your Spring based applications from Spring4Shell Vulnerability.

Written by Shubham Gupta

April 15, 2022 | 2 min read

On 30 March 2022, a new zero-day vulnerability, CVE-2022-22965, was discovered in applications that run on Tomcat as a WAR deployment with Spring MVC or Spring WebFlux on JDK 9+. Such applications may be vulnerable to remote code execution (RCE) via data binding. The bug lies in the getCachedIntrospectionResults method: by passing class names in an HTTP request, an attacker can gain unauthorized access to objects that data binding should never expose. When special object classes are reached this way, the result is a risk of data leakage and remote code execution. The vulnerability is remotely exploitable without authentication, i.e., it can be exploited over a network without a username and password.

Below are the prerequisites to exploit this vulnerability:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

Due to the severity of this vulnerability, PingSafe strongly recommends that customers apply the updates: upgrade Spring 5.3.x to 5.3.18 or later and Spring 5.2.x to 5.2.20 or later.

About the vulnerability

Spring MVC and WebFlux are Java frameworks used to build web applications. They follow the Model-View-Controller design pattern and build on the basic features of the core Spring framework, such as Inversion of Control and Dependency Injection.

For example, when Spring is deployed to Apache Tomcat, the WebAppClassLoader is accessible, allowing an attacker to call its getters and setters in order to write a malicious JSP file to disk. The attacker invokes any server endpoint with a malicious payload, the JSP file is written to disk, and the attacker can then execute that JSP code on the vulnerable server.

In other words, the vulnerability allows unauthorized remote code execution on affected servers, and attackers are still using the recently discovered exploit against them.

Affected systems

Various applications and cloud services that use the Spring MVC and WebFlux frameworks are targets of this attack, and security researchers have already found that CVE-2022-22965 can be exploited on the servers of large companies.

It is highly recommended to upgrade Spring 5.3.x to 5.3.18+ and Spring 5.2.x to 5.2.20+.

The following versions of Spring Framework are impacted:

  • 5.3.0 to 5.3.17
  • 5.2.0 to 5.2.19
  • Older, unsupported versions are also affected.
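The prerequisites and affected version ranges above can be turned into an offline check. The following script is an added example, not PingSafe's or the Spring project's code: it opens a WAR file, looks for the bundled spring-webmvc or spring-webflux jar, and reports whether its version falls inside the affected ranges (older branches are treated as affected, as the list states). It assumes the standard WEB-INF/lib layout and uses constructed in-memory WAR data; the JDK and Tomcat prerequisites are host-level checks that it does not perform.

```python
# Added example, not PingSafe's code: inspect a WAR for the spring-webmvc /
# spring-webflux jars and report whether the bundled version is in an affected
# range. Assumes the usual WEB-INF/lib layout; JDK and Tomcat are host checks.
import io
import re
import zipfile

# Affected ranges as stated in the advisory, inclusive (low, high) bounds.
AFFECTED = {(5, 3): ((5, 3, 0), (5, 3, 17)), (5, 2): ((5, 2, 0), (5, 2, 19))}
JAR_RE = re.compile(r"WEB-INF/lib/spring-(webmvc|webflux)-(\d+\.\d+\.\d+)[^/]*\.jar$")


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def is_affected(version):
    """True if a spring-webmvc/webflux version falls in an affected range.
    Branches older than 5.2 are unsupported and treated as affected."""
    v = parse_version(version)
    if v[:2] in AFFECTED:
        low, high = AFFECTED[v[:2]]
        return low <= v <= high
    return v < (5, 2, 0)


def scan_war(war_bytes):
    """Return {'spring_web_jars': {module: version}, 'affected': bool}."""
    findings = {"spring_web_jars": {}, "affected": False}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.search(name)
            if m:
                findings["spring_web_jars"][m.group(1)] = m.group(2)
                findings["affected"] |= is_affected(m.group(2))
    return findings


def build_sample_war(jar_names):
    """Constructed test data: a minimal in-memory WAR with empty jar entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            war.writestr(f"WEB-INF/lib/{jar}", b"")
    return buf.getvalue()
```

A finding of affected=True means the version condition is met; whether the deployment is actually exposed still depends on the JDK 9+ and Tomcat prerequisites listed above.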

Visit the PingSafe dashboard under Host Misconfigurations to determine if your servers are secure.

PingSafe Dashboard screenshot: Spring4Shell-2022-22965

Steps for remediation

The latest version of Spring Framework has been released on the official website. Download it and upgrade your service to the newest version.

How can PingSafe help?

PingSafe can detect this CVE-2022-22965 vulnerability on your infrastructure without an agent. Request a free personalized demo to see how PingSafe protects your cloud infrastructure from this vulnerability and new zero-day vulnerabilities.

References

NVD – CVE-2022-22965: https://nvd.nist.gov/vuln/detail/CVE-2022-22965