CISA adds Spring4Shell to list of exploited vulnerabilities
It’s been almost a week since the Spring4Shell vulnerability (CVE-2022-22965) came to light and since the Spring development team fixed it in new versions of the Spring Framework.
There have been reports of scanning, exploit attempts and attempts to deploy a web shell on vulnerable systems, but it seems that a successful exploitation has yet to be documented.
The consensus amongst the thread and everybody I talk to in private is there are no incidents for this (I know everybody will reply with ‘yet’, but I’m not sure that will apply either – I think Spring4Shell may turn out to be News4Clicks).
— Kevin Beaumont (@GossiTheDog) April 4, 2022
But we might not have all the facts: on Monday, the US Cybersecurity and Infrastructure Security Agency (CISA) added Spring4Shell to its Known Exploited Vulnerabilities Catalog.
Spring4Shell PoC, fixes and mitigation
Though it could lead to attackers achieving remote code execution, Spring4Shell is clearly more difficult to exploit than Log4Shell (CVE-2021-44228), and there is no glut of different PoCs for it.
The only publicly available PoC exploit works on specific configurations.
“The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it,” Spring developers noted.
As Bob Rudis, Rapid7’s Chief Security Data Scientist, pointed out, exploiting Spring4Shell requires attackers to have knowledge of the target environment – knowledge that might come in handy for more effective attacks.
In the meantime, developers of applications using the Spring Framework have been checking whether they are vulnerable and pushing out fixes, offering workarounds and giving out mitigation advice where necessary. A French security professional has been updating an extensive list of companies that have performed these checks and have shared their findings.
Enterprise defenders may also use some of the open-source scanning tools that have been made available.
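The preconditions the Spring developers list above (Spring MVC or WebFlux, JDK 9+, a WAR deployment on Tomcat, and an unpatched Spring Framework) translate directly into a triage check a defender can run over an application inventory. The script below is an added illustration, not code from the article, from Spring, or from any of the scanning tools mentioned; the `Deployment` record, the `triage()` function and the sample inventory are constructed for this example, and the fixed-version table it consumes is an assumption that must be replaced with the versions given in the Spring advisory for CVE-2022-22965.

```python
"""Triage helper: which deployments match the public PoC's preconditions,
and which are unpatched but in a configuration the PoC does not cover?

Added example, not the article's or the Spring project's code. The
fixed-version table is an ASSUMPTION for this example; take the real
numbers from the Spring advisory. The inventory below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.3.17' -> (5, 3, 17); stops at a non-numeric qualifier such as
    '5.3.17.RELEASE' so that comparisons stay purely numeric."""
    parts: List[int] = []
    for piece in v.split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


@dataclass
class Deployment:
    name: str
    spring_version: str            # Spring Framework version in use
    jdk_major: int                 # e.g. 8, 11, 17
    packaging: str                 # "war" or "jar"
    container: str                 # "tomcat", "embedded", ...
    uses_spring_mvc_or_webflux: bool


def is_unpatched(spring_version: str, fixed: Dict[str, str]) -> bool:
    """True if spring_version is below the fixed release of its branch.
    A branch with no entry in `fixed` is treated as unpatched: for triage,
    an unknown state should be flagged, not silently passed."""
    ver = parse_version(spring_version)
    branch = ".".join(str(x) for x in ver[:2])
    if branch not in fixed:
        return True
    return ver < parse_version(fixed[branch])


def triage(d: Deployment, fixed: Dict[str, str]) -> str:
    """Return "patched", "poc-preconditions-met" or "unpatched-other-config".

    The third state is the point the article makes: not matching the public
    PoC (JDK 9+, WAR on Tomcat, MVC/WebFlux) does not mean safe, because
    the underlying flaw is more general. Patching is the only clean exit."""
    if not is_unpatched(d.spring_version, fixed):
        return "patched"
    poc = (d.uses_spring_mvc_or_webflux
           and d.jdk_major >= 9
           and d.packaging == "war"
           and d.container == "tomcat")
    return "poc-preconditions-met" if poc else "unpatched-other-config"


def triage_inventory(inventory: List[Deployment],
                     fixed: Dict[str, str]) -> Dict[str, str]:
    """Map each deployment name to its triage state."""
    return {d.name: triage(d, fixed) for d in inventory}


# ASSUMED fixed versions per branch; placeholder values for this example,
# to be replaced with the releases named in the Spring advisory.
FIXED_ASSUMED: Dict[str, str] = {"5.3": "5.3.18", "5.2": "5.2.20"}

# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY: List[Deployment] = [
    Deployment("orders-api", "5.3.17", 11, "war", "tomcat", True),
    Deployment("billing", "5.3.17", 17, "jar", "embedded", True),
    Deployment("reports", "5.3.18", 11, "war", "tomcat", True),
    Deployment("legacy", "5.2.19.RELEASE", 8, "war", "tomcat", True),
]

if __name__ == "__main__":
    for name, state in triage_inventory(SAMPLE_INVENTORY, FIXED_ASSUMED).items():
        print(f"{name:12s} {state}")
```

Run as-is, it prints a state per sample deployment; in practice the inventory would be built from your own dependency manifests and deployment descriptors. The "unpatched-other-config" bucket is deliberately not labelled "safe": it is the set to patch next, not the set to ignore.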
While Log4Shell remediation should definitely be a priority right now since it is being actively exploited by attackers, implementing Spring4Shell fixes should be put on the to-do list and performed sooner rather than later.
UPDATE (April 6, 2022, 00:40 a.m. PT):
Check Point Research spotted ~37K attempts to exploit the Spring4Shell vulnerability in the first weekend after it came to light. They estimate that during the first 4 days, 16% of organizations worldwide were affected by exploitation attempts.