In late March 2022, open-source reporting indicated that threat actors have been targeting a critical vulnerability in Spring applications. We recommend following the mitigation steps below and immediately updating all vulnerable versions of these Spring products.
On 31 March 2022, Spring released an update to fix a critical vulnerability in the Spring Core Java framework. The vulnerability is tracked as CVE-2022-22965 and is known as “SpringShell” or “Spring4Shell”. It is rated with a maximum Base CVSS Score of 10 and affects Spring MVC and Spring WebFlux applications running on Java 9 or greater. The flaw is however only exploitable under specific conditions.
Spring is both a framework and a library. Depending on how it is used, exploitation may require prior authentication to the application. In some non-default configurations of the Spring applications, a threat actor could obtain Remote Code Execution (RCE) by sending a specially crafted request to a vulnerable system. According to 31 March information, for a system to be vulnerable it must be internet-facing and meet the following conditions:
- Use Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
- Use Java Development Kit (JDK) version 9 or higher
- Run Apache Tomcat as the Servlet container that is packaged as a traditional Web Archive (WAR) (versus a Spring Boot executable jar)
- Have a dependency on Spring Web MVC or Spring WebFlux
Late March 2022 reporting indicates that the application is not vulnerable if it is deployed in the default configuration, such as a Spring Boot executable jar. Researchers have published proof-of-concept code for exploiting this vulnerability, and reports have emerged that threat actors are scanning the internet to locate vulnerable hosts.
Field Effect Posture
Field Effect has completed an internal review and its products are not vulnerable to this issue. As the situation evolves, Covalence will continue to alert you to the presence of potentially impacted software in your environment. Our teams are working on applying the latest indicators of compromise and detecting any exploitation attempts to ensure our clients and partners are protected from this threat.
We strongly advise that you review the list of conditions provided above to determine if your systems are vulnerable.
We recommend following Spring’s advice and immediately updating the affected software to the latest release.
If you are unable to apply the updates immediately, follow Spring’s Mitigation Alternative advice.
We also recommend monitoring Field Effect Security Intelligence blog updates for any developments regarding the vulnerability.