A new zero-day vulnerability, assigned CVE-2022-22965 by Spring’s parent company VMware, was recently brought to light by many technical blogs. This new vulnerability is commonly being called “Spring4Shell” in reference to last year’s serious Log4Shell vulnerability, which attackers continue to weaponize against VMware servers even now.
According to release information from Spring, Spring MVC and WebFlux applications running on Java Development Kit (JDK) 9 and above contain this vulnerability. Attackers exploit it to achieve remote code execution (RCE) by sending a specially crafted request to a victim server. Spring has shared detailed workarounds in its blog that can be used temporarily until an upgrade is possible.
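As an added illustration (not code from the original post or from TXOne), the following shows the interim mitigation pattern Spring described in its advisory: a global `@ControllerAdvice` that blocks data binding to class-related properties for every controller. It assumes a Spring MVC application on Spring Framework 5.2/5.3 and is a stopgap only; upgrading to a fixed release remains the actual fix.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Global binder configuration applied to all controllers in the application.
// LOWEST_PRECEDENCE lets it run after any other advice so the denylist is not
// clobbered by earlier global @InitBinder methods.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Request parameters whose names walk into the "class" / "Class" property
    // graph (at any nesting depth) are refused by the data binder, which closes
    // the binding path the Spring4Shell exploit relies on.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

Caveat: a controller that declares its own `@InitBinder` method and calls `setDisallowedFields` locally overrides this global setting, so such controllers must add the same denylist entries themselves.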
TXOne Networks Protection Recommendations
This vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older are affected. The solution is to upgrade the Spring Framework to 5.3.18 or 5.2.20. In addition to the vendor patch(es) that should be applied, TXOne Networks released an out-of-cycle (OoC) rule set on March 31, 2022 for use with the Edge series network defense solution. These OoC rules can be treated as a virtual patch if you cannot upgrade your Spring Framework immediately. The OoC rules detect the exploit and proof-of-concept (PoC) samples we have collected for this vulnerability. The OoC rule sets are ready to be downloaded from TXOne’s cloud.
OoC Release Rule Sets:
TM_IPSP_220331_16 for EdgeIPS Pro
TM_220331_15 for EdgeIPS/EdgeFire
TM_IPSLE_220331_16 for EdgeIPS LE
1. Critical Vulnerability in Spring Cloud (CVE-2022-22963)
– 1230875 WEB Spring Cloud SpEL RCE (CVE-2022-22963)
2. Critical Vulnerability in Spring Core (at the time the rules were released, the CVE identifier had not yet been assigned)
– 1230879 WEB Spring Core RCE -1 (CVE-2022-22965)
– 1230887 WEB Spring Core RCE -2 (CVE-2022-22965)
– 1230888 WEB Spring Core RCE -3 (CVE-2022-22965)