New Spring Java Framework Zero-day Allows Remote Code Execution
A new zero-day vulnerability in the Spring Core Java framework called ‘Spring4Shell’ has been publicly disclosed, allowing unauthenticated remote code execution on applications.
Spring is a very popular application framework that allows software developers to quickly and easily develop Java applications with enterprise-level features. These applications can then be deployed on servers, such as Apache Tomcat, as stand-alone packages with all the required dependencies.
Yesterday, a new Spring Cloud Function vulnerability tracked as CVE-2022-22963 was disclosed, with Proof-of-Concept exploits soon to follow.
However, information about a more critical Spring Core remote code execution vulnerability was later circulating on the QQ chat service and a Chinese cybersecurity site.
Today, an exploit for this zero-day vulnerability was briefly leaked and then removed but not before cybersecurity researchers could download the code.
Since then, numerous cybersecurity researchers and security firms have confirmed that the vulnerability is valid and of significant concern.
This new Spring RCE vulnerability, now dubbed Spring4Shell, is caused by unsafe deserialization of passed arguments.
While it was initially thought to affect all Spring apps running on Java 9 or greater, it was later determined that there are specific requirements that must be met for a Spring app to be vulnerable.
Will Dormann, a vulnerability analyst at CERT/CC, said that an app must also use “Spring Beans”, use “Spring Parameter Binding”, and a “Spring Parameter Binding must be configured to use a non-basic parameter type, such as POJOs.”
Cybersecurity firm Praetorian also confirmed the bug relies on specific configurations to exploit properly.
“Exploitation requires an endpoint with DataBinder enabled (e.g. a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application,” Praetorian explained in a blog post.
“For example, when Spring is deployed to Apache Tomcat, the WebAppClassLoader is accessible, which allows an attacker to call getters and setters to ultimately write a malicious JSP file to disk.”
“However, if Spring is deployed using the Embedded Tomcat Servlet Container the classloader is a LaunchedURLClassLoader which has limited access.”
“In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted POST request to a vulnerable system. However, exploitation of different configurations will require the attacker to do additional research to find payloads that will be effective.”
While the requirements may limit the target size, BleepingComputer has been told by multiple sources that the Spring4Shell vulnerability is being actively exploited in attacks.
Due to the requirements to exploit this bug, it is too soon to tell how many applications are vulnerable.
To ultimately prevent this scenario from coming true, it is strongly advised that admin apply mitigations provided by Praetorian as soon as possible if they believe their apps are vulnerable.
Update 3/30/22 4:45 PM EST: Multiple sources state the vulnerability is actively exploited in attacks.
Update 3/30/22 09:21 PM EST: Added requirements possibly needed for the exploit to work.