Microsoft and CISA have warned of ‘Spring4Shell’ exploitation in the wild.
As previously reported by The Daily Swig, in the past week, Spring Framework developers have released patches tackling CVE-2022-22963, a code injection vulnerability in Spring Cloud Function, and the even more dangerous CVE-2022-22965, which has since acquired the name ‘Spring4Shell’, or ‘SpringShell’.
The latter of the two bugs is the leading cause for concern among enterprises. Spring4Shell is a critical vulnerability in the Java-based Core module of VMware’s open source Spring Framework (when running on JDK 9+) and, if exploited, can be used to achieve remote code execution (RCE).
Spring4Shell is a resurfacing of a legacy bug tracked as CVE-2010-1622 and patched in 2010. JDK 9+ has two sandbox restriction methods, whereas previous versions included one, and this change in the code has created a bypass that allows the old bug to resurface.
Exploit code has been published online.
Reverse shell
On April 4, the Microsoft 365 Defender Threat Intelligence Team said that attackers could trigger this flaw by sending maliciously crafted queries to an Apache Tomcat web server running a vulnerable version of Spring Core.
Microsoft has tracked a “low volume” of exploit attempts across its cloud services using Spring4Shell, with many attempts aligned with the basic web shell proof-of-concept (PoC) code available online.
“The PoC sets the contents to be a JSP web shell and the path inside the Tomcat’s web application ROOT directory, which essentially drops a reverse shell inside Tomcat,” Microsoft says.
“For the web application to be vulnerable, it needs to use Spring’s request mapping feature, with the handler function receiving a Java object as a parameter.”
CISA alert
The US Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert on April 1 warning of both the Spring4Shell and Spring Cloud Function vulnerabilities.
Alongside VMware, the agency urges administrators to apply fixes to resolve these issues urgently.
The CERT Coordination Center has provided a vendor impact list. It appears that Spring-based software offered by organizations including Blueriq, Cisco, Jamf, PTC, Atlassian’s ACSB, and Red Hat is affected.
Companies including F5 and Fortinet are investigating the issue and any potential customer impact.
Advisories have also been released for VMware products that use the Spring Framework and are therefore vulnerable to CVE-2022-22965: VMware Tanzu Application Service for VMs, Tanzu Operations Manager, and Tanzu Kubernetes Grid Integrated Edition (TKGI).
Patches have been developed and released in Spring Framework versions 5.3.18 and 5.2.20. The project has also pushed fixes in Spring Boot 2.6.6 and Spring Boot 2.5.12.
Spring has released an ‘Am I affected?’ guide alongside workarounds if immediate patching is not possible.
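The following is an added example, not code from the article, from Microsoft or from the Spring project. It shows the handler shape Microsoft’s quote describes (a request-mapped method that takes a plain Java object, populated by Spring’s data binder from request parameters) next to the interim mitigation Spring published for deployments that cannot upgrade immediately: a global `@ControllerAdvice` whose `@InitBinder` refuses to bind any property path through `class`. The package, class and field names (`example`, `GreetingForm`, `GreetingController`, `BinderControllerAdvice`, `name`) are assumptions made for illustration.

```java
package example; // hypothetical package name for this example

import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;

// Hypothetical form bean: Spring binds request parameters onto its setters.
class GreetingForm {
    private String name;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}

// A handler of the shape Microsoft describes: a request-mapped method whose
// parameter is a Java object. Data binding walks nested property paths from
// request parameter names, which is the code path the CVE-2022-22965 patch hardens.
@Controller
class GreetingController {
    @PostMapping("/greet")
    @ResponseBody
    public String greet(GreetingForm form) {
        return "Hello, " + form.getName();
    }
}

// Spring's published interim workaround (for use only until the patched
// versions can be deployed): a global binder rule that disallows any bound
// property path that traverses "class" or "Class", at the top level or nested.
// Applies to every controller unless a controller's own @InitBinder overrides it.
@ControllerAdvice
@Order(10000)
class BinderControllerAdvice {
    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

To use this in a real project, put each class in its own public source file inside a package that component scanning covers. Two caveats a practitioner should keep in mind: a controller that declares its own `@InitBinder` and sets `disallowedFields` locally replaces the global list rather than merging with it, so every such controller needs the same entries; and the advice is a stopgap only, since the actual fix is upgrading to Spring Framework 5.3.18 or 5.2.20 (or Spring Boot 2.6.6 or 2.5.12) as the article notes.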