CVE-2022-22965: Spring framework 0-day remote code execution vulnerability

Spring has released a security bulletin disclosing a remote code execution (RCE) vulnerability (CVE-2022-22965) in specific versions of the Spring Framework. An unauthenticated attacker can send a simple HTTP POST request to a vulnerable app to execute commands on the server. This Spring RCE vulnerability is now dubbed Spring4Shell. The flaw was found by codeplutos and meizjm3i of AntGroup FG Security Lab. Spring4Shell occurs because SerializationUtils#deserialize is based on Java’s serialization mechanism, which can be a source of remote code execution vulnerabilities. A proof of concept (PoC) for the vulnerability has been publicly disclosed, and the risk is critical.

The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE platform.

Praetorian explained in a blog post:

Exploitation requires an endpoint with DataBinder enabled (e.g. a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application. For example, when Spring is deployed to Apache Tomcat, the WebAppClassLoader is accessible, which allows an attacker to call getters and setters to ultimately write a malicious JSP file to disk. However, if Spring is deployed using the Embedded Tomcat Servlet Container the classloader is a LaunchedURLClassLoader which has limited access. In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted POST request to a vulnerable system. However, exploitation of different configurations will require the attacker to do additional research to find payloads that will be effective.

Will Dormann, a vulnerability analyst at CERT/CC, said that:

Can confirm! The #Spring4Shell exploit in the wild appears to work against the stock “Handling Form Submission” sample code from spring.io. If the sample code is vulnerable, then I suspect there are indeed real-world apps out there that are vulnerable to RCE…

Vulnerability detail

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

These are the prerequisites for the exploit:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

Affected version

  • Spring Framework
    • 5.3.0 to 5.3.17
    • 5.2.0 to 5.2.19
    • Older, unsupported versions are also affected

Unaffected version

  • Spring Framework
    • 5.3.18+
    • 5.2.20+

Solution

Spring has released new versions that fix the CVE-2022-22965 flaw, and affected users are advised to update the Spring Framework to an unaffected version.

How to find instances of Spring vulnerable to CVE-2022-22965 (“SpringShell”) in installations of Java software such as web applications

Developer hillu has published a project that helps users to scan for applications containing vulnerable Spring libraries.

The scan tool currently checks for known build artifacts that have been obtained through Maven Central. You can download it here.
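As a complement to that tool, the following added example (not hillu's code and not part of the original article) applies the version table above to Spring jar file names found on disk and inside WAR/JAR/EAR archives. It is a file-name heuristic, unlike the tool's check against known build artifacts; the function names are assumptions, and including spring-beans alongside the listed spring-webmvc and spring-webflux artifacts is a choice made here.

```python
import os
import re
import sys
import zipfile

# spring-webmvc / spring-webflux are the dependencies listed in the prerequisites;
# spring-beans is added here (assumption: it ships with the same framework version).
JAR_RE = re.compile(r"(spring-(?:webmvc|webflux|beans))-(\d+)\.(\d+)\.(\d+)[^/\\]*\.jar$")

def is_affected(version):
    """Apply the article's version table to a (major, minor, patch) tuple."""
    if version >= (5, 3, 0):
        return version < (5, 3, 18)   # 5.3.0 to 5.3.17 affected, 5.3.18+ fixed
    return version < (5, 2, 20)       # 5.2.0 to 5.2.19 and older versions affected

def classify(jar_path):
    """Return (artifact, version, affected) for a Spring jar name, else None."""
    m = JAR_RE.search(jar_path)
    if not m:
        return None
    version = tuple(int(g) for g in m.groups()[1:])
    return m.group(1), ".".join(map(str, version)), is_affected(version)

def scan_tree(root):
    """Walk root and report Spring jars on disk and inside WAR/JAR/EAR archives."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hit = classify(name)
            if hit:
                findings.append((path, "", *hit))      # loose jar on disk
            if not name.lower().endswith((".war", ".jar", ".ear")):
                continue
            try:
                with zipfile.ZipFile(path) as archive:
                    for entry in archive.namelist():   # e.g. WEB-INF/lib/*.jar
                        hit = classify(entry)
                        if hit:
                            findings.append((path, entry, *hit))
            except (zipfile.BadZipFile, OSError):
                continue  # unreadable or not a real archive: skip, keep scanning
    return findings

if __name__ == "__main__":
    for path, entry, artifact, version, affected in scan_tree(sys.argv[1] if sys.argv[1:] else "."):
        print("AFFECTED" if affected else "ok", artifact, version, path, entry)
```

Renamed or shaded jars and archives nested more than one level deep (a WAR inside an EAR) are not detected, so a clean result does not prove the absence of an affected library.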