Warning about exploiting 0-day vulnerability in Spring Framework (Spring4Shell)

On 31 March 2021, the National Cyber Security Centre SK-CERT warned of a 0-day vulnerability in the Spring Framework, which is used to develop applications in Java. Because the framework is widely used and cases of this 0-day vulnerability being exploited have already been observed, we are supplementing the previous warning with this article.

What is Spring Framework

Spring is an environment that makes it easy to develop applications in Java. Two of its core principles are inversion of control and dependency injection: features that improve the modularity of programs and decouple the individual components of large software systems, and that also automate and hide the “boring repetitive tasks” that previously had to be programmed explicitly.

In the words of the creators themselves, “Spring is everywhere. Spring’s flexible libraries are trusted by developers around the world. Spring creates joyful experiences for millions of end users every day – whether it’s a TV stream, online shopping, or countless other innovative solutions. All the big names in the tech world contribute to Spring, including Alibaba, Amazon, Google, Microsoft and more.” (Source: https://spring.io/why-spring).

Other packages depend on the core Spring Framework, including, for example, the Spring Boot package or the Apache Tomcat application server. If the base package is in a vulnerable version, all other libraries and applications built on top of it are also vulnerable.

The nature of the vulnerability

The critical vulnerability, designated CVE-2022-22965 (CVSS score 9.8) and known as Spring4Shell, together with a less severe vulnerability, designated CVE-2022-22963, allows remote code execution (RCE) due to an inadequate implementation of security mechanisms.

The vulnerability lies in the “DataBinder” functionality, which web applications use to automatically load values from a web request into the variables of a Java application. Instead of the programmer retrieving the form fields from the web request one by one, converting them (for example from text to numbers) and assigning them to variables by hand, the framework does this itself.

However, if a user passes specially crafted content to this function instead of the usual web-form values, the conversion step can automatically invoke existing functionality (e.g. the WebAppClassLoader in Apache Tomcat). With the right parameters, such functionality can be abused to gain full access to the runtime environment in which the Java application runs.

Thus, in the simplest case, a single specially crafted web request is all that is needed to exploit a vulnerable application.

Measures

In relation to this vulnerability, the National Cyber Security Centre SK-CERT recommends:

  • Check whether you are using applications based on the Spring Framework, using one of the following methods:
    • Check whether your software appears, and is listed as vulnerable, in the list at https://github.com/NCSC-NL/spring4shell/tree/main/software, which is maintained by the Dutch National Cyber Security Centre in cooperation with the global security community.
    • Query the vendors of the products and services you use.
    • Analyse the source code of your own applications.
    • Check for the presence of the org.springframework string, or of files with this string in their name, either directly on the file system or inside files packed into jar packages.
  • Update applications to the recommended versions of the Spring Framework.
  • If applications cannot be updated, apply at least one of the temporary solutions described below.
  • After applying the solution, it is essential to scan the system for signs of compromise. Note that a successful compromise may not show up in the application logs of the vulnerable application. After checking for signs of compromise, we recommend changing passwords, encryption keys and certificates on the affected devices as a precaution.
  • In the event that this (or any other) vulnerability is successfully exploited, please contact the National Cyber Security Centre SK-CERT at [email protected].
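One way to carry out the file-system check above (the org.springframework string inside jar packages) is to read the Maven metadata that Spring artifacts ship and compare the version against the first patched releases. This is an added example, not code from SK-CERT or the Spring project; it assumes the fixed versions 5.3.18 and 5.2.20 from the Spring advisory and builds its own constructed sample jar so it runs offline:

```python
import io
import re
import zipfile

# First patched releases of the two supported 5.x lines (from the Spring
# advisory); older 5.3.x / 5.2.x builds and unsupported lines are unpatched.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

def parse_version(text):
    """'5.3.17' or '5.2.19.RELEASE' -> (5, 3, 17) for comparison."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else ()

def is_vulnerable(version):
    """Older than the first fixed release of its line (no fix known -> True)."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return True if fixed is None else v < fixed

def spring_artifacts(jar_bytes):
    """Yield (artifactId, version) for each org.springframework Maven artifact
    in a jar, descending into nested spring-*.jar files (Spring Boot fat jars)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if (name.startswith("META-INF/maven/org.springframework/")
                    and name.endswith("/pom.properties")):
                lines = zf.read(name).decode().splitlines()
                props = dict(ln.split("=", 1) for ln in lines
                             if "=" in ln and not ln.startswith("#"))
                yield props.get("artifactId", "?"), props.get("version", "?")
            elif name.endswith(".jar") and "spring-" in name.rsplit("/", 1)[-1]:
                yield from spring_artifacts(zf.read(name))  # nested library jar

def scan_jar(jar_bytes):
    """Return [(artifactId, version, vulnerable)] for a jar's Spring parts."""
    return [(a, v, is_vulnerable(v)) for a, v in spring_artifacts(jar_bytes)]

def build_sample_jar():
    """Constructed sample: a Spring Boot style fat jar bundling an unpatched
    spring-beans 5.3.17 (test data for this example, not a real artifact)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/maven/org.springframework/spring-beans/pom.properties",
                    "#Generated by Maven\nversion=5.3.17\n"
                    "groupId=org.springframework\nartifactId=spring-beans\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("BOOT-INF/lib/spring-beans-5.3.17.jar", inner.getvalue())
    return outer.getvalue()
```

A version below the fixed release only tells you the library is unpatched; whether the application is actually exploitable also depends on the deployment, so treat every hit as a candidate for the update or workaround rather than as proof of compromise.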

Temporary solution (in source code)

If it is not possible to update the application to the latest version of the framework, the DataBinder's disallowed-fields setting can be used to filter the input data. For example, add a filter to the source code as follows:

    import org.springframework.core.Ordered;
    import org.springframework.core.annotation.Order;
    import org.springframework.web.bind.WebDataBinder;
    import org.springframework.web.bind.annotation.ControllerAdvice;
    import org.springframework.web.bind.annotation.InitBinder;

    // Applies to every controller; the high order value gives this advice low
    // precedence, so it is applied after other @ControllerAdvice beans.
    @ControllerAdvice
    @Order(10000)
    public class BinderControllerAdvice {

        @InitBinder
        public void setAllowedFields(WebDataBinder dataBinder) {
            // Reject any bound field path that starts with "class." or contains
            // ".class."; both capitalisations are listed because the match is
            // case-sensitive in unpatched releases.
            String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
            dataBinder.setDisallowedFields(denylist);
        }
    }

This does not replace the full fix of updating the framework, and it may cause other unexpected problems (for example if your forms contain fields whose names begin with class.).

Temporary solution (IDS/IPS/WAF)

As a temporary mitigation, we recommend implementing filtering rules on the WAF for strings such as “class.*”, “Class.*”, “*.class.*” and “*.Class.*” in user-supplied values.

This does not replace the full fix of updating the framework, and it may cause unexpected problems or false-positive detections.
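The two temporary solutions above (the DataBinder denylist in source code and the equivalent WAF rule) both come down to matching parameter names against the same four patterns. The following added example, which is not code from SK-CERT or the Spring project, applies those patterns to a constructed form body, showing which names are rejected, why the capitalised spellings are needed when matching is case-sensitive, and the kind of legitimate field that the rule would block as a false positive. It assumes that Python's fnmatchcase behaves like Spring's simple '*' pattern match for these patterns:

```python
from fnmatch import fnmatchcase
from urllib.parse import parse_qsl

# Patterns from the source-code workaround. Spring's pattern match treats '*'
# as "any characters" and is case-sensitive in unpatched releases, which is
# why both the lower- and upper-case spellings are listed.
DENYLIST = ["class.*", "Class.*", "*.class.*", "*.Class.*"]

def is_disallowed(field, patterns=DENYLIST):
    """Case-sensitive glob match of a bound field name against the denylist
    (assumption: fnmatchcase is equivalent to Spring's simple match here)."""
    return any(fnmatchcase(field, p) for p in patterns)

def inspect_request(body):
    """Split a form body or query string and sort its parameter names into
    those the denylist / WAF rule would reject and those it lets through."""
    blocked, allowed = [], []
    for name, _value in parse_qsl(body, keep_blank_values=True):
        (blocked if is_disallowed(name) else allowed).append(name)
    return blocked, allowed

# Constructed sample request: two names that reach into the 'class' property
# path, three ordinary fields, and one legitimate 'class.name' form field
# (e.g. a school class) that illustrates the false-positive risk above.
SAMPLE = ("name=alice&class.foo=1&user.Class.bar=2"
          "&classroom=3&className=x&class.name=math")
```

Running inspect_request(SAMPLE) blocks class.foo, user.Class.bar and class.name while leaving name, classroom and className untouched; with only the lower-case patterns, Class.foo would pass a case-sensitive check.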

Sources:

https://github.com/NCSC-NL/spring4shell/

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted

https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
