CVE-2022-22965: Unauthenticated RCE zero-day vulnerability in Spring Core (Live updates)
What do we know about Spring4Shell?
The Spring Framework is a widely used set of libraries for building web applications in Java. One of its components currently has a vulnerability that is exploitable when the application runs on JDK 9 or later. The vulnerability stems from a bypass of the fix for CVE-2010-1622.
The root of the Spring4Shell vulnerability is deserialization: input such as text is used to construct objects inside the running process, and an attacker who understands how that construction works can use the flaw to create specific objects that lead to remote code execution (RCE). This means an attacker can deliver a payload to a Spring application and gain full control of the system. The currently known forms of attack rely on an endpoint with DataBinder enabled, which allows arbitrary classes to be loaded and can be leveraged by threat actors. A breakdown of the POC can be found here: Dissecting Spring4Shell - Blueliv.
As this is a standard and massively popular framework for building modern Java-based enterprise applications, any application using it is susceptible to exploitation through the creation of such objects. Spring has acknowledged the vulnerability and released 5.3.18 and 5.2.20 to patch the issue.
How similar is this to Log4Shell / Log4j?
This is a vulnerability in a linked component that can trigger in relatively unexpected ways in applications; as a developer you may or may not be aware that it is linked into your project, or into a third-party project that you in turn use in your code. It’s essentially like constructing something from pre-made parts where one of those parts is inherently bad in its design: regardless of the quality of your own parts, the product as a whole suffers from the bad component’s issue. Imagine building a car using another manufacturer’s brakes, which turn out to fail under stress. This is similar to that, but in software.
Is this the new Log4j, and how can you become vulnerable?
What do security teams need to do?
Essentially, this is a heads-up: if you have continuous and automated monitoring in place, you are protected. However, be ready to patch as updates become available, run your web application behind a WAF that can intercept the attack if you can, and do not run internet-facing sites on a network from which a breached application can reach other, more sensitive internal systems.
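As an added example (not code from the original post, from Outpost24 or from the Spring project), the following Python scanner applies the parameter-name rule from Spring's published DataBinder disallowedFields workaround for this CVE (block names matching `class.*`, `Class.*`, `*.class.*`, `*.Class.*`) to access-log lines, the same check a WAF rule or log-monitoring job would run; the log format, paths and parameter names are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Mirrors the disallowedFields patterns Spring published as a workaround for
# CVE-2022-22965: any parameter name whose first segment is "class", or that
# contains a ".class." segment, case-insensitively. Such names can only be an
# attempt to bind into the bean's Class/ClassLoader graph, never a real form field.
DISALLOWED = re.compile(r"(^|\.)class(\.|$)", re.IGNORECASE)

# Constructed sample access-log lines (assumed format: method, target, status).
SAMPLE_LOG = """\
GET /app/search?q=spring&page=2 200
POST /app/update?name=alice&class.module.classLoader.demo=1 200
GET /app/items?category=classic&sort=asc 200
POST /app/form?user.Class.module.classLoader.demo=1 400
"""


def suspicious_params(request_target: str) -> list[str]:
    """Return parameter names in a request target that trip the disallowed-fields rule."""
    query = urlsplit(request_target).query
    # parse_qsl decodes once; decode again so a double-encoded name is still caught.
    names = [unquote(name) for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if DISALLOWED.search(n)]


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (request target, offending parameter names) for each flagged log line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: nothing to inspect
        flagged = suspicious_params(parts[1])
        if flagged:
            hits.append((parts[1], flagged))
    return hits


if __name__ == "__main__":
    for target, names in scan_log(SAMPLE_LOG):
        print("flagged", target, "->", names)
```

Access logs only carry the query string, so the same check must also run on POST bodies at the WAF or application layer; the regex deliberately ignores legitimate values such as `category=classic` because only parameter names are inspected.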
For Outpost24 customers, an escalated release for authenticated detection of this CVE is available on Friday, 1 April.