Spring4Shell: Zero-Day vulnerability CVE-2022-22965 in Spring Framework

A Zero-day Remote Code Execution Vulnerability with critical severity has been identified as CVE-2022-22965 aka Spring4Shell or SpringShell in Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 & older.

The Spring Framework is an open-source, popular, feature-rich application framework used for building modern & enterprise Java web applications. Publicly available exploits in this widely used framework make it very dangerous.

Why is CVE-2022-22965 “Spring4Shell” vulnerability so dangerous?

Invulnerable Spring Framework, SpringMVC, or Spring WebFlux applications running on JDK 9 or higher are prone to remote code execution via Data Binding. The vulnerability is due to the improper handling of the Java class properties, which leverages class injection. At the same time, the HTTP input binding and a specially crafted HTTP request could lead to a remote code execution attack and compromise the spring Java application without requiring authentication.

According to vendor advisory, “If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.”

Affected Software and Versions

• JDK 9 or higher
• Apache Tomcat as the Servlet container
• Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
• Spring-webmvc or Spring-webflux dependency
• Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

Mitigation of “Spring4Shell”

• Immediately update to Spring Framework 5.3.18 and 5.2.20 or higher version.
• Please refer to our Vendor Advisory.
• Update the Network security solutions and endpoints with the latest definitions.

A CVE-2022-22963, a Remote code execution vulnerability, is also identified in Spring Cloud Function versions 3.1.6, 3.2.2, and older routing functionality. Hackers can exploit this by sending crafted SpEL routing expressions that could result in remote code execution. The affected versions should upgrade to 3.1.7 and 3.2.3.

Seqrite coverage for “Spring4Shell.”

We have released IPS rules to identify and block remote attacks exploiting Spring4Shell & other vulnerabilities. We’ll continue monitoring the developments around this threat and update our detections. We advise our customers to patch their systems on time and keep the anti-virus software updated with the latest VDB updates.