Important CyberSec Advisory About Spring4Shell

Posted by Christian Scott on Apr 4, 2022 8:23:45 AM

Spring4Shell

A new vulnerability, dubbed SpringShell (also referred to as Spring4Shell), was identified on Tuesday, March 29th, 2022. The vulnerability is still in its infancy, and a CVE for it has only just been published (CVE-2022-22965).

There is great concern regarding SpringShell, as it has been said that the ramifications could be much worse than those of the recent Log4Shell (CVE-2021-44228) from December 2021. Exploitation occurs when malicious actors execute remote code against specific targets. Having done so, they could establish a reverse shell to gain persistence, exfiltrate data by obtaining access to sensitive information, passwords, and other credentials, and even alter configurations if the application is running as root.

According to a blog entry from Spring (an organization owned by VMware whose Java framework makes application development easier and more productive, and which is directly impacted), SpringShell affects Spring MVC and Spring WebFlux applications running on Java Development Kit (JDK) 9+. The entry further notes that the known exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, it is likely not vulnerable; however, Spring notes that the vulnerability is more general, so other means of exploitation may exist. In short, malicious actors can achieve remote code execution against Spring Core on JDK 9+.

According to a blog entry from Praetorian, in certain configurations an unauthenticated attacker can send a crafted HTTP request to a vulnerable system and execute arbitrary code on it. Praetorian further explains that exploitation requires an endpoint with DataBinder enabled and depends heavily on the application's servlet container. Beyond the JDK 9+ and WAR-packaging prerequisites mentioned above, exploitation also requires a spring-webmvc or spring-webflux dependency. Certain VMware products and versions are also affected by SpringShell, including Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and any older unsupported versions. Beyond VMware products, Zenoss Cloud, Kubernetes, and any other application built on the Spring framework are likely to be affected.
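One way to turn the prerequisites above into a repeatable triage check, as an added example that is not code from the original post, Spring, Praetorian or VMware: a Python script that reads a Maven pom.xml, extracts the Spring Framework version, packaging type and web dependencies, and compares them together with the JDK major version against the conditions and affected version ranges stated in this advisory. The pom.xml text is constructed for illustration, and the function names (`assess`, `version_is_affected`, `parse_version`) are my own.

```python
# Exposure triage for CVE-2022-22965 against the prerequisites the advisory lists.
# Added example, not tooling from the original post, Spring, Praetorian or VMware;
# the pom.xml below is constructed for illustration.
import xml.etree.ElementTree as ET

# Affected Spring Framework ranges stated in the advisory (inclusive bounds);
# anything below the oldest range is treated as "older unsupported".
AFFECTED_RANGES = [((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19))]
OLDEST_SUPPORTED = (5, 2, 0)
WEB_ARTIFACTS = {"spring-webmvc", "spring-webflux"}


def parse_version(text):
    """Turn '5.3.17' or '5.2.19.RELEASE' into a comparable (major, minor, patch)."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple((parts + [0, 0, 0])[:3])


def version_is_affected(version):
    """True if the version is in an affected range or predates all supported lines."""
    v = parse_version(version)
    return v < OLDEST_SUPPORTED or any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(pom_xml, jdk_major):
    """Read a Maven pom.xml and report which stated exploit prerequisites are present."""
    root = ET.fromstring(pom_xml)
    # Maven POMs usually carry a default namespace; take the '{uri}' prefix from
    # the root tag so namespaced and bare documents both parse.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""

    def text(el, name):
        return (el.findtext(ns + name, "") or "").strip()

    # Collect <properties> so a version written as ${spring.version} resolves.
    props = {}
    props_el = root.find(ns + "properties")
    if props_el is not None:
        props = {c.tag.split("}")[-1]: (c.text or "").strip() for c in props_el}

    packaging = text(root, "packaging") or "jar"
    spring_version, web_deps = None, set()
    for dep in root.iter(ns + "dependency"):
        if text(dep, "groupId") != "org.springframework":
            continue
        artifact = text(dep, "artifactId")
        version = text(dep, "version")
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)
        if artifact in WEB_ARTIFACTS:
            web_deps.add(artifact)
        if version and spring_version is None:
            spring_version = version

    conditions = {
        "jdk9_plus": jdk_major >= 9,
        "war_packaging": packaging == "war",
        "web_dependency": bool(web_deps),
        "affected_version": bool(spring_version) and version_is_affected(spring_version),
    }
    if all(conditions.values()):
        verdict = "LIKELY EXPOSED: every stated prerequisite is present; upgrade Spring Framework now"
    elif conditions["affected_version"]:
        # The advisory stresses the bug is more general than the Tomcat/WAR case,
        # so an affected version still warrants patching.
        verdict = "PATCH ANYWAY: affected version present, but not all exploit prerequisites are met"
    else:
        verdict = "NOT IN AFFECTED RANGE: no affected org.springframework version found"
    return {"spring_version": spring_version, "packaging": packaging,
            "web_deps": sorted(web_deps), "conditions": conditions, "verdict": verdict}


# Constructed sample pom.xml for demonstration only.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <packaging>war</packaging>
  <properties>
    <spring.version>5.3.17</spring.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_POM, jdk_major=11).items():
        print(f"{key}: {value}")
```

The verdict deliberately never reports "safe" for an affected version just because the Tomcat/WAR or JDK condition is missing: the advisory notes the vulnerability is more general than the published exploit path, so the right response to an affected version in any deployment shape is to upgrade.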

This vulnerability can be tested with the exp.py script, and a technical explanation for reproduction can be found here (GitHub - SpringCore0Day). A patch for SpringShell is now available on the Spring Projects GitHub (Spring-Projects · GitHub). It is highly recommended that any versions close to going out of date be updated and that this patch be applied as soon as possible so that SpringShell cannot be exploited. For instructions on updating versions and patching systems, see the blog post Spring Framework RCE Information and Remediation.

Additional resources are located at:
VentureBeat - Don't ignore Spring4Shell.
Spring - Spring Framework RCE Information and Remediation
VMware - CVE-2022-22965
Spring GitHub - Technical Repository for the Patch
Craig GitHub - Technical Explanation and Code to Exploit/Test the Vulnerability
POC Test Tool to determine vulnerability - jfrog - GitHub

Topics: cybersecurity, infosec, spring, spring4shell, zero-day
