RCE Spring Framework Zero-Day vulnerability “Spring4Shell”

THREAT LEVEL: Red

A zero-day vulnerability has been discovered in the Spring Framework, a Java framework that provides infrastructure support for web application development. It came to light after a Chinese researcher published a GitHub commit that was quickly deleted. The vulnerability remained without an identifier for over 24 hours before it was officially assigned CVE-2022-22965.

The remote code execution bug affects Spring MVC and Spring WebFlux applications running on JDK 9+. An attacker could exploit Spring4Shell by sending a specially crafted request to a susceptible server. The publicly available exploit, however, requires the application to be deployed as a WAR on Tomcat; an application deployed as a Spring Boot executable jar, which is the default, is not vulnerable to it. The nature of the vulnerability is broad, though, and there may be many other ways to exploit it.

Active exploitation of Spring4Shell has been observed: attackers are weaponizing it to execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region. The Mirai sample is downloaded to the “/tmp” folder and executed after its permissions are changed with “chmod” to make it executable.

Organizations using Spring Framework with version 5.3.x should upgrade to 5.3.18+ and version 5.2.x should upgrade to 5.2.20+.
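As an added example (not part of the advisory), the following Python inventories the Spring Framework jars in a deployment against the fixed releases named above and combines that with the two preconditions the advisory gives for the public exploit (JDK 9+ and a WAR on Tomcat). The jar names and `SAMPLE_JARS` list are constructed for illustration; the JDK version and packaging are passed in by the operator.

```python
import re

# Fixed releases stated in the advisory: 5.3.x -> 5.3.18, 5.2.x -> 5.2.20.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Matches Spring Framework artifact jars, with or without the older ".RELEASE" suffix.
JAR_RE = re.compile(
    r"^(spring-(?:core|beans|context|web|webmvc|webflux))-(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?\.jar$"
)

# Constructed sample: contents of a hypothetical WEB-INF/lib inside a deployed WAR.
SAMPLE_JARS = [
    "spring-core-5.3.17.jar",
    "spring-webmvc-5.3.17.jar",
    "spring-beans-5.2.20.RELEASE.jar",
    "tomcat-embed-core-9.0.60.jar",
]


def parse_spring_jar(name):
    """Return (artifact, (major, minor, patch)) for a Spring Framework jar name, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def needs_upgrade(version):
    """True if version is on the 5.2.x/5.3.x line and below the fixed release.
    Other lines are not covered by the advisory, so return None (unknown)."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def assess(jar_names, jdk_major, war_on_tomcat):
    """Combine the advisory's conditions: outdated Spring jars, JDK 9+, WAR on Tomcat."""
    outdated = []
    for name in jar_names:
        parsed = parse_spring_jar(name)
        if parsed and needs_upgrade(parsed[1]):
            artifact, ver = parsed
            fixed = FIXED[ver[:2]]
            outdated.append((artifact, ".".join(map(str, ver)), ".".join(map(str, fixed))))
    return {
        "outdated": outdated,
        # Vulnerable per the advisory: affected Spring version on JDK 9+.
        "affected": bool(outdated) and jdk_major >= 9,
        # The public exploit additionally needs a WAR deployment on Tomcat.
        "public_exploit_applies": bool(outdated) and jdk_major >= 9 and war_on_tomcat,
    }
```

Jars on lines the advisory does not mention (e.g. 5.1.x) are reported as unknown rather than safe, so they still need a manual look.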

Potential MITRE ATT&CK TTPs are:

TA0042: Resource Development

T1588: Obtain Capabilities

T1588.006: Obtain Capabilities: Vulnerabilities

TA0002: Execution

T1203: Exploitation for Client Execution

Vulnerability Details

Indicators of Compromise (IoCs)

Patch Links

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

https://tanzu.vmware.com/security/cve-2022-22965

References

https://www.praetorian.com/blog/spring-core-jdk9-rce/

https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html

https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/

https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html