Demo of the CyCognito Platform

See the CyCognito platform in action to understand how it can help you identify, prioritize and eliminate your most critical risks. 

State of External Exposure Management, Summer 2024 Edition

Download the report now to stay ahead of emerging threats and strengthen your organization’s security posture for 2024. 

The Total Economic Impact™ of The CyCognito Platform

Read The Total Economic Impact™ of The CyCognito Platform — a Forrester study. Cost Savings And Business Benefits Enabled By The CyCognito Platform. 

 
Research

Detecting and Validating Spring4Shell Vulnerability: CVE-2022-22965

Alex-Zaslavsky
By Alex Zaslavsky
Was Sr. Product Manager at CyCognito
April 6, 2022

What is the SpringShell?

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework, to its Known Exploited Vulnerabilities Catalog based on “evidence of active exploitation.”

The critical severity flaw was assigned the identifier CVE-2022-22965 (CVSS score: 9.8) and dubbed “SpringShell”.

The Spring framework provides a comprehensive set of extensions and third-party libraries that let developers build applications.  The Spring Framework is described as the “most widely used lightweight open-source framework for Java.”

How is the vulnerability exposed?

The Spring4Shell or SpringShell vulnerability affects Spring MVC, and Spring WebFlux applications running Java Development Kit (JDK) version 9 and higher, and Apache Tomcat version 9 and higher may be vulnerable to remote code execution (RCE) through data-binding. The application can run Tomcat as a WAR deployment. Applications deployed as a Spring Boot executable jar are not vulnerable.

Impact

Proof of Concepts exists suggesting that the vulnerability is exploitable and high risk.

Impacted systems have the following traits: 

  • Running JDK 9.0 or later.
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance; 
  • Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted.
  • Tomcat has spring-web MVC or spring-webflux dependencies.
  • Any system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable.

Also please note that there is a specific configuration (not default)  needed for this vulnerability to be exploited.

Detection and Validation

It is possible to detect exposed Spring Boot servers instances using a favicon hash.

An easy and safe method exists for the identified Spring Boot instances to validate if the instance is exploitable using a simple HTTP request.

More information is available here.

Another detection option is the Nueculi Community Vulnerability Scanner which has a template for detecting the vulnerability, and the template can be found here

CyCognito platform automates the discovery of Spring Boot servers and validates if they are exploitable.

What can CyCognito customers do?

  • To receive a list of assets in your environment that may be affected, contact CyCognito’s Customer Success Team
  • Head to the Advisories dashboard and load the SpringShell advisory.

Stay tuned! CyCognito will continue updating you as more news about this vulnerability unfolds.


Topics



Search the Blog



Recent Posts




Tim Matthews
How to Budget for EASM
By Tim Matthews
November 18, 2024




Top Tags



CyCognito Research Report

State of External Exposure Management, Summer 2024 Edition

State of External Exposure Management, Summer 2024 Edition

Download the report now to stay ahead of emerging threats and strengthen your organization’s security posture for 2024.

O'Reilly Report

Moving from Vulnerability Management to Exposure Management

Moving from Vulnerability Management to Exposure Management

Download the report to learn about the historical trends behind the emergence of exposure management, how to develop a strategic plan and assemble a team to smoothly transition frameworks, and example tech stacks to consider for your organization.

Request a Free Scan

See Exactly What Attackers See

Get a Free Scan of Your Attack Surface

Get a free scan of your attack surface and gain valuable insight into your organization's risk posture by allowing CyCognito to discover, contextualize, and test externally exposed assets on a portion of your parent company or a single subsidiary.