Posted: 3 Min ReadThreat Intelligence

Spring4Shell: New Zero-day RCE Vulnerability Uncovered in Java Framework

Symantec products will protect against attempted exploits of Spring4Shell vulnerability.

UPDATE, April 1, 2022: Updated with additional protection information

A zero-day vulnerability in the Spring Core Java framework that could allow for unauthenticated remote code execution (RCE) on vulnerable applications was publicly disclosed on March 30, before a patch was released. It was dubbed Spring4Shell.

Will Symantec products protect against exploit attempts?

Yes, Symantec products will guard against exploit attempts with the following detections:

Network-based

  • Audit: Spring Core Spring4Shell Activity
  • Web Attack: Spring Core Spring4Shell Activity 2

File-based

  • Hacktool
  • Hacktool.Spring4shell

Policy-based

Data Center Security (DCS) Intrusion Prevention (with default policies) provides zero-day protection against exploitation of the Spring4Shell vulnerability.

Is a patch available for Spring4Shell?

Spring has now released Spring Framework 5.3.18 and 5.2.20, which it says address the vulnerability. Spring Boot 2.6.6 and 2.5.12 that depend on Spring Framework 5.3.18 have also been released. Temporary remediation steps were also published by researchers at Praetorian prior to the updates being released. Spring also published suggested workarounds in its blog.

A CVE report for the vulnerability was also published this afternoon and given the designation CVE-2022-22965, and assessed as being “high severity.”

How serious is this vulnerability?

There appears to have been confusion about the potential severity of Spring4Shell. While it was initially reported that all versions of Spring Core with the JDK version greater than or equal to 9.0 were vulnerable to it, researchers subsequently determined that it appears Spring Core must be configured in a certain way to be vulnerable.   

In its vulnerability report, Spring itself stated that for the “specific exploit” to work, an application must meet the following prerequisites:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

“If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit,” the advisory reads. However, it did also say that “the nature of the vulnerability is more general, and there may be other ways to exploit it.”

Given these prerequisites, it’s not clear how many instances of the Spring Core Java framework may be vulnerable to this bug.

Is Spring4Shell being actively exploited in the wild?

Proof-of-concept exploit code for Spring4Shell was leaked on GitHub shortly after it was discovered and before a patch was issued. The code was swiftly removed, but not before it was downloaded by several security researchers who confirmed the vulnerability. It was also reposted on various platforms, meaning it was available to the public, including malicious actors. It has been reported that Spring4Shell was being actively exploited in attacks.

What is Spring4Shell?

Spring4Shell is a bug in Spring Core, a popular application framework that allows software developers to quickly and easily develop Java applications with enterprise-level features. These applications can then be deployed on servers, such as Apache Tomcat, as stand-alone packages with all the required dependencies.

The bug allows an unauthenticated attacker to execute arbitrary code on a vulnerable system.

In a blog published on Thursday (March 31), Spring revealed that the Spring4Shell bug was reported to VMware (which owns Spring) by researchers from AntGroup FG on Tuesday, with the team intending to release emergency patches for the bug on Thursday, but details of the bug were leaked online on Wednesday.

Is Spring4Shell related to CVE-2022-22963?

No, CVE-2022-22963 is a different bug in the Spring Cloud Function, which is a separate Java library from Spring Core. An advisory for this bug was published on March 29 and patches are available for it.

Is this new bug as serious as Log4Shell?

While the naming of the vulnerability appears to have been inspired by the Log4Shell vulnerability that was discovered in December 2021, it is not clear if the impact of this bug will be as significant.

We will update this blog with any new relevant information as we get it.

Protection

For the latest protection updates, please visit the Symantec Protection Bulletin.

About the Author

Threat Hunter Team

Symantec

The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.