  • Inception Security

Spring4Shell

A critical vulnerability, CVE-2022-22965 (Spring4Shell or SpringShell), was found on March 29, 2022, during testing of Spring, an open-source Java framework. This vulnerability allows an attacker to execute arbitrary code on a web server. Spring is a widely used framework, so this vulnerability can be highly damaging. The data binding feature of Spring Framework is used to bind data in an HTTP request to objects used in an application. The vulnerability existed in the CachedIntrospectionResults module and enabled unauthorized access to those objects through class names supplied in an HTTP request. Remote code execution and data leakage are the significant risks related to this vulnerability.


How can the vulnerability be mitigated?


An emergency patch for the Spring zero-day vulnerability has been announced in Spring versions 5.3.18 and 5.2.20, and vulnerable applications have been identified. LunaSec, Rapid7, Contrast Security, and SANS ISC have analyzed the exploit and shared testing resources and mitigation procedures. Apache Tomcat is a widely used platform, so the potential breach had a considerable impact, and organizations started to panic. The advice was to upgrade every Spring-based project so that the Spring framework is on the latest version.


Have we seen Spring4Shell vulnerability being used?


The Spring4Shell vulnerability was found in the Spring framework’s data binding procedure. This module assigns function arguments or Java objects by taking parameters from the HTTP URL or request body.


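public class Greeting {
    private long id;
    private String content;
    // getters and setters for id and content
}

@GetMapping("/endpoint")
public String greetingSubmit(@ModelAttribute Greeting greeting, Model model) {
    // For a request to http://www.myapp.com/endpoint?id=5&content=hello
    // Spring binds the query parameters to the Greeting object, so that:
    //   greeting.getId() == 5
    //   greeting.getContent().equals("hello")
    return "result"; // view name assumed for illustration
}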

The security issue lies in the internal parameters of the object being built while request parameters are assigned to Java objects. The classLoader and ProtectionDomain are internal parameters, so they should not be controlled externally. Code in Spring denies the external assignment of parameters to these internal attributes.
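A defensive check built on the point above, as an added example (not code from the original post or from the Spring project): it flags request parameter names whose property path reaches the internal attributes named in the paragraph above. The function names, the request tuple format and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Property-path segments a client should never be able to bind to.
# "classloader" and "protectiondomain" are the internal attributes named above;
# "class" is the accessor through which they are reached.
INTERNAL_SEGMENTS = {"class", "classloader", "protectiondomain"}

def path_segments(param_name):
    """Split a bean property path such as a.b[0]['k'].c into lowercase segments."""
    segs = (p.strip("'\" ").lower() for p in re.split(r"[.\[\]]+", param_name))
    return [s for s in segs if s]

def suspicious_params(url, body=""):
    """Return parameter names (query string and form body) that traverse an internal attribute."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, _value in pairs:
        # parse_qsl decodes once; decode again to catch double-encoded names.
        decoded = unquote_plus(name)
        if INTERNAL_SEGMENTS.intersection(path_segments(decoded)):
            hits.append(decoded)
    return hits

# Constructed sample requests (method, URL, form body); not captured traffic.
SAMPLE_REQUESTS = [
    ("GET", "http://www.myapp.com/endpoint?id=5&content=hello", ""),
    ("GET", "http://www.myapp.com/endpoint?id=5&class.classLoader.x=1", ""),
    ("POST", "http://www.myapp.com/endpoint", "content=hi&Class%252EprotectionDomain.y=2"),
    ("GET", "http://www.myapp.com/endpoint?classroom=7&subclass.name=a", ""),
]

def scan(requests):
    """Return (method, url, flagged_names) for every request with at least one hit."""
    results = []
    for method, url, body in requests:
        hits = suspicious_params(url, body)
        if hits:
            results.append((method, url, hits))
    return results

if __name__ == "__main__":
    for method, url, hits in scan(SAMPLE_REQUESTS):
        print(f"ALERT {method} {url} -> {hits}")
```

Matching whole path segments rather than substrings keeps ordinary names such as classroom or subclass.name from being flagged.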


How can the exploitation be detected?


An application can be checked for the Spring4Shell vulnerability using a customized scan template. An impact analysis report can be produced using the Specific Vulnerability dashboard templates. InsightVM and Nexpose released verified and remote checks for the Spring4Shell vulnerability on April 1st, 2022. A simple content update is enough for vulnerability detection, and there is no need to update the whole application. However, this check may produce false positives. Spring.io advised scheduling updates to current versions to ensure protection from the vulnerability. Here are a few steps to detect the vulnerability:


  1. Install scan template

  2. Scan your network using the new scan template

  3. Report on Spring4Shell's impact on your environment


How does Spring4Shell compare to Log4Shell?


The Spring4Shell vulnerability can be compared to the Log4Shell vulnerability in the Log4J Java tool, which caused many issues when it was identified in December 2021. Experts found that Spring4Shell is relatively difficult to exploit, but it can still be dangerous for enterprises. Turunen said that everyone working on Java must have worked on Spring. But Log4J was not identified by people because it was used as a part of the application, whereas Spring Framework is a commercial product that developers widely used. Exploiting Spring4Shell, however, requires more knowledge than exploiting Log4J.


Is there POC code in the wild?


On March 30, 2022, a Chinese-speaking researcher published proof-of-concept (PoC) exploit code for the Spring Framework vulnerability in a GitHub commit. The code was aimed at a zero-day vulnerability in the Spring Core module of the framework. The vulnerability explained in the proof of concept allows unauthenticated attackers to launch code execution attacks on targeted systems. The code was deleted quickly.


The reason behind it was that the proof-of-concept code was not exploitable against an out-of-the-box Spring installation. The application needed a specific function for exploitation, and the other primary reason was the identification of another vulnerability in Spring Cloud.


We are here to help!


Are you looking for ongoing advisory services to help identify vulnerabilities and the security policies that should be in place, and to improve your security posture? The team at Inception Security™ has been leveraged to enhance the security posture of Fortune 100 companies and small and medium-sized businesses. Our team has a depth of knowledge in the cybersecurity industry and will be able to provide value to your business right away.


Contact Inception Security if your company is looking for advisory services.
