Alert Logic is researching a zero-day vulnerability discovered in the Java Spring framework (CVE-2022-22965) – dubbed Spring4Shell and SpringShell. This vulnerability has generated confusion and concern since it was first announced; however, the requirements for successful exploitation have been clarified and are now understood to require a more specific scenario to exist, detailed below, which reduces the scope of impact for this vulnerability. Spring has released patches for mitigation of this threat, and we recommend you apply these patches as soon as possible.
Based on the level of visibility related to this vulnerability, Alert Logic is treating this vulnerability as an Emerging Threat to prioritize threat research and detection development. The Alert Logic web application firewall (WAF) can detect and block exploit attempts based on existing signatures, and network detection capabilities currently exist.
Note: Initially, there was confusion around whether the Spring4Shell vulnerability was related to recently announced CVE-2022-22963. CVE-2022-22963 is not related to this vulnerability and is not considered an Emerging Threat; however, Alert Logic has released detection and is monitoring CVE-2022-22963.
Alert Logic infrastructure is not affected by this vulnerability.
Who is affected?
According to Spring, this vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. Additionally, the application must be run on Tomcat as a WAR deployment for this specific exploit.
Per Spring’s investigation, the requirements for exploitation are:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
While this is the reported vulnerable scenario, there may be other ways to exploit this vulnerability that have not been reported yet. For more information about Spring's investigations, refer to Spring’s announcement.
In this scenario, the Java Spring framework could allow developers to write an application in a way that leaves it vulnerable to an unauthenticated remote code execution (RCE) vulnerability. By sending a series of HTTP requests to a vulnerable webserver, an attacker could write arbitrary data to a file in the webroot of a vulnerable application. The attacker could then simply make an HTTP request to the victim server, executing the exploit code.
What should I do if I use the Java Spring framework?
Spring Frameworks 5.3.18 and 5.2.20 address this vulnerability and are available on Maven Central. If you are able to upgrade, it is recommended to do so. If you are not able to upgrade, Spring has published workarounds you can apply. For more information about the available workarounds, refer to Spring’s announcement.
What is Alert Logic doing for this vulnerability?
Alert Logic has kicked off the Emerging Threat process for this vulnerability. At this time, a virtual patch has been released for the Alert Logic WAF; exploit attempts can also detected by existing signatures. If the WAF is in Protect mode, exploit attempts will be blocked.
In addition, log telemetry signatures have been released, and IDS and scan coverage are in development. Based on the nature of this vulnerability, scanning can detect the version of the Spring framework rather than the exact scenario in which the vulnerability can be exploited.
This article will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available. To follow updates on this vulnerability, click FOLLOW at the top of this article. You must be signed into the Support Center using your Alert Logic product credentials to follow this article.