A new zero-day remote code execution (RCE) vulnerability in the Spring Java Framework draws comparisons to Log4Shell, due to its widespread presence in Java applications and the relative ease with which it can be exploited.
As was the case with Log4Shell, the vulnerability can be mitigated by updating the Spring Java Framework to a newer version. However, this may be easier said than done due to its presence in a variety of Java applications.
Spring Java Framework vulnerability can be exploited without user interaction
Spring Java Framework is part of JDK9+, and the RCE vulnerability can be exploited by simply sending a specially crafted HTTP request to a target system. Updating the Spring Java Framework closes the zero-day, but as with Log4Shell, it is not necessarily the easiest task because there is no central way to push the update to all instances in the wild. Older and unsupported versions of Spring Java Framework may not be able to upgrade, in which case the developers suggest upgrading Apache Tomcat, or downgrading to Java 8 if that cannot be done.
There is no word yet that threat actors have discovered the RCE vulnerability; it was discovered by security researchers, and Spring Java Framework maintainer VMware says it had not seen any zero-day chatter about it before disclosing it. Disclosure was brought forward because of the potential severity and the availability of a patch, after a Chinese security researcher leaked it to the web for several hours and other researchers were able to reverse engineer what they posted. As with Log4Shell, it will be up to individual IT teams to be diligent in locating instances and applying updates to their networks.
While the RCE vulnerability can be exploited without user interaction via an HTTP POST request, this approach apparently only works with certain configurations. Other configurations require the attacker to do additional research on the target system and tailor the payload appropriately. Zero-day exploitation appears to require an endpoint with DataBinder enabled and can potentially be thwarted by the application’s servlet container.
While some call it “Spring4Shell” because of the similarities, this particular zero-day is more difficult to exploit reliably due to a longer list of special circumstances and conditions that need to be in place. However, unpatched target systems that meet these criteria can be relatively easily compromised, and attackers can create scripts to scan the internet for vulnerable systems, leading to debate over whether the CVSS score is high enough.
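Because the exploitable configuration described above hinges on an endpoint that binds request parameters into Java objects through a DataBinder, one defensive measure a team can apply while planning the upgrade is to allow-list the exact properties a binder may populate. The following Java snippet is an added example, not code from the article or from the Spring project; `SignupForm`, its field names and the `signupForm` model attribute are assumed for illustration, and the `@InitBinder` / `WebDataBinder.setAllowedFields` API is standard Spring MVC.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

// Hypothetical command object populated from request parameters by DataBinder.
class SignupForm {
    private String username;
    private String email;
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

@Controller
public class SignupController {

    // Only these top-level properties of SignupForm may be set from request data.
    private static final String[] BINDABLE_FIELDS = { "username", "email" };

    // Scoped to the "signupForm" model attribute so other binders are unaffected.
    // Allow-listing is stricter than a block-list: any parameter whose name is
    // not exactly one of these (including nested paths such as "a.b.c") is
    // skipped, so a request cannot navigate into unrelated object graphs.
    @InitBinder("signupForm")
    public void restrictBoundFields(WebDataBinder binder) {
        binder.setAllowedFields(BINDABLE_FIELDS);
    }

    @PostMapping("/signup")
    public String signup(@ModelAttribute("signupForm") SignupForm form) {
        // Application logic would go here; the binder has already dropped
        // any request parameter that is not in BINDABLE_FIELDS.
        return "signup-result";
    }
}
```

Parameters the binder refuses are recorded in `BindingResult.getSuppressedFields()`, which is worth logging so that probing of a binding endpoint shows up in application logs; this narrows the attack surface but is not a substitute for applying the vendor update.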
As John Bambenek, Principal Threat Hunter at Netenrich, notes: “With a PoC for this vulnerability out in the open…it could be bad. What has made Log4j such a problem is that it is often installed on appliances and other ‘headless’ devices that are not maintained by the end customer. It’s unclear how true this will be for Spring, but any RCE issues should go straight to the top of the pile for security teams to address.”
Zero-day RCE Vulnerability Allows Attackers Full Access
The problem is also serious because an attacker who successfully exploited the RCE vulnerability would have full remote access to the target system, able to execute commands and potentially deploy ransomware or exfiltrate documents and emails.
Besides not being able to decide whether to call it “SpringShell” or “Spring4Shell”, security researchers were initially unsure whether it was actually a zero-day, as it seemed that it might be related to previously known issues with the Spring Java Framework. However, the RCE vulnerability was ultimately determined to be something entirely new, and it was assigned the identifier CVE-2022-22965.
Attempts to exploit had yet to be seen in the wild as of late March, but are almost certainly coming as cybercriminals seek out unpatched systems. It doesn’t appear to have the raw system count that Log4Shell does (due to the narrower list of additional requirements for it to be exploitable), but it is nonetheless a critical and “instant” RCE vulnerability and could cause just as much damage to those compromised by it. Estimates put the number of Spring Java Framework developers in the millions, and it could be used in 74% of Java applications.
Cybersecurity firm Flashpoint has analyzed the zero-day and claims that while it has strong surface similarities to Log4Shell, it is not the “second coming” of that devastating vulnerability and is not comparable on a deeper level. Flashpoint believes that most exploitable instances in the wild will require a certain amount of investigation and a higher level of skill from attackers, giving security teams more warning time and opportunity. Also, while the Spring Java Framework may be present in nearly three-quarters of Java applications, the actual list of applications that meet all the requirements to be exploitable is likely much smaller than that. In contrast, the vast majority of organizations were thought to have hidden Log4Shell exposures somewhere in their environment.
Jonathan Knudsen, senior software strategist for Synopsys Software Integrity Group, also notes that there is a separate Spring-related vulnerability that should not be confused with “Spring4Shell”.
“The internet is buzzing with talk about two separate vulnerabilities related to different Spring projects. The two are unrelated, but were confused because both vulnerabilities were disclosed almost at the same time,” says Knudsen.
“The first is CVE-2022-22963, tracked in the Black Duck Knowledgebase as BDSA-2022-0850. This is a remote code execution vulnerability in Spring Cloud Function. Although it was issued with a medium severity by the vendor, researchers have since discovered that it is possible to execute code remotely. An upgrade patch already exists, so affected users are advised to upgrade as soon as possible.
“However Spring4Shell evolves, these two vulnerabilities underscore the importance of knowing what open source components you are using and keeping up to date with vulnerabilities as they are disclosed.”