Detecting and Validating Spring4Shell Vulnerability: CVE-2022-22965

What is the SpringShell?

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework, to its Known Exploited Vulnerabilities Catalog based on “evidence of active exploitation.”

The critical severity flaw was assigned the identifier CVE-2022-22965 (CVSS score: 9.8) and dubbed “SpringShell”.

The Spring framework provides a comprehensive set of extensions and third-party libraries that let developers build applications.  The Spring Framework is described as the “most widely used lightweight open-source framework for Java.”

How is the vulnerability exposed?

The Spring4Shell or SpringShell vulnerability affects Spring MVC, and Spring WebFlux applications running Java Development Kit (JDK) version 9 and higher, and Apache Tomcat version 9 and higher may be vulnerable to remote code execution (RCE) through data-binding. The application can run Tomcat as a WAR deployment. Applications deployed as a Spring Boot executable jar are not vulnerable.

Impact

Proof of Concepts exists suggesting that the vulnerability is exploitable and high risk.

Impacted systems have the following traits: 

• Running JDK 9.0 or later.
• Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions
• Apache Tomcat as the Servlet container
• Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance; 
• Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted.
• Tomcat has spring-web MVC or spring-webflux dependencies.
• Any system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable.

Also please note that there is a specific configuration (not default)  needed for this vulnerability to be exploited.

Detection and Validation

It is possible to detect exposed Spring Boot servers instances using a favicon hash.

An easy and safe method exists for the identified Spring Boot instances to validate if the instance is exploitable using a simple HTTP request.

More information is available here.

Another detection option is the Nueculi Community Vulnerability Scanner which has a template for detecting the vulnerability, and the template can be found here. 

CyCognito platform automates the discovery of Spring Boot servers and validates if they are exploitable.

What can CyCognito customers do?

• To receive a list of assets in your environment that may be affected, contact CyCognito’s Customer Success Team
• Head to the Advisories dashboard and load the SpringShell advisory.

Stay tuned! CyCognito will continue updating you as more news about this vulnerability unfolds.