SpringShell: Patches released for critical zero-day
Initial analysis indicates that the bug may not be as severe as Log4Shell
The Spring team has released an emergency patch for a new critical remote code execution (RCE) flaw in the Spring Framework that could let an unauthenticated attacker execute arbitrary code on a vulnerable system and take control of it.
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older, unsupported versions are all affected by the vulnerability, which is called "SpringShell" and tracked as CVE-2022-22965.
The vulnerability description says a Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to RCE via data binding.
"The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit."
It warns, however, that the nature of the flaw is more general and that there may be other ways to exploit it.
The prerequisites for the known exploit are:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
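The affected version ranges and the four exploit prerequisites above can be turned into a quick triage check for an inventory of deployments. The following is an added example written for this page, not code from the Spring project or the advisory. It assumes version strings of the form "major.minor.patch" with an optional qualifier such as "-SNAPSHOT", and it treats anything newer than 5.3 as carrying the fix, which the advisory does not state explicitly.

```java
/**
 * Added triage helper (not from the Spring project or this article). It encodes
 * the version ranges the advisory lists as affected and the four prerequisites
 * of the known exploit. Assumption: version strings look like "major.minor.patch"
 * with an optional qualifier such as "-SNAPSHOT".
 */
public class SpringShellTriage {

    /** True if the Spring Framework version lies in a range the advisory calls affected. */
    public static boolean isAffectedVersion(String version) {
        String[] parts = version.trim().split("[.-]");
        int major = Integer.parseInt(parts[0]);
        int minor = parts.length > 1 ? Integer.parseInt(parts[1]) : 0;
        int patch = parts.length > 2 ? Integer.parseInt(parts[2]) : 0;

        if (major < 5 || (major == 5 && minor < 2)) {
            return true;            // "other earlier, unsupported versions"
        }
        if (major == 5 && minor == 2) {
            return patch <= 19;     // 5.2.0 to 5.2.19 affected; 5.2.20 carries the fix
        }
        if (major == 5 && minor == 3) {
            return patch <= 17;     // 5.3.0 to 5.3.17 affected; 5.3.18 carries the fix
        }
        return false;               // assumption: anything newer than 5.3 has the fix
    }

    /** The advisory's prerequisites for the known exploit; all four must hold. */
    public static boolean matchesKnownExploit(int jdkFeatureVersion, boolean servletContainerIsTomcat,
                                              boolean packagedAsWar, boolean usesWebMvcOrWebFlux) {
        return jdkFeatureVersion >= 9 && servletContainerIsTomcat && packagedAsWar && usesWebMvcOrWebFlux;
    }

    /** Verdict combining both checks. An affected version needs the patch either way. */
    public static String assess(String springVersion, int jdkFeatureVersion, boolean tomcat,
                                boolean war, boolean webMvcOrWebFlux) {
        if (!isAffectedVersion(springVersion)) {
            return "not in an affected version range";
        }
        if (matchesKnownExploit(jdkFeatureVersion, tomcat, war, webMvcOrWebFlux)) {
            return "PATCH NOW: affected version and the known exploit prerequisites are met";
        }
        // The advisory says the flaw is more general, so the patch is still required.
        return "PATCH: affected version; known exploit prerequisites not met, other paths may exist";
    }

    public static void main(String[] args) {
        // Constructed sample deployments, not real inventory data.
        System.out.println(assess("5.3.17", 17, true, true, true));    // Tomcat WAR on JDK 17
        System.out.println(assess("5.3.17", 17, false, false, true));  // Boot executable jar, no Tomcat WAR
        System.out.println(assess("5.3.18", 17, true, true, true));    // patched 5.3 line
        System.out.println(assess("5.2.19", 11, true, true, true));    // last affected 5.2 release
        System.out.println(assess("4.3.30", 8, true, true, true));     // unsupported line on JDK 8
    }
}
```

The second sample deployment is the case the advisory singles out: a Spring Boot executable jar does not meet the known exploit's prerequisites, but it still runs an affected version and should be upgraded rather than left as is.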
Spring Framework is a popular application development framework for enterprise Java.
According to security vendor Sonatype, the vulnerability is a resurfacing of a previously exploited issue in Spring, CVE-2010-1622, which was patched at the time but is reachable again because of a feature added in JDK 9. The 2010 fix blocked data binding from a bean's class property into its class loader; the java.lang.Module API introduced in JDK 9 exposes another nested path to the same class loader, through the class's module, which the old check did not cover.
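Because the flaw is reached through data binding into a bean's class property, Spring's advisory published a deny-list workaround for applications that cannot upgrade immediately: a global @InitBinder that refuses request parameters whose property path starts with or passes through class. The class below is an added example modelled on that workaround, not code from this article; the class and method names are chosen here.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Deny-list workaround for deployments that cannot move to 5.3.18 / 5.2.20 yet.
 * @ControllerAdvice applies the binder setup to every controller; the lowest
 * precedence makes it run after other global advice so that another global
 * @InitBinder does not silently replace its configuration.
 * Class and method names are illustrative (hypothetical) choices.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void denyClassProperties(WebDataBinder dataBinder) {
        // Refuse any request parameter that walks from a bound bean's "class"
        // property (Object.getClass()) into nested objects such as the module and
        // the class loader. Both capitalisations are listed because the binder's
        // disallowed-field matching is case-sensitive in the affected versions.
        dataBinder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
    }
}
```

Two caveats: setDisallowedFields replaces the binder's existing list rather than adding to it, so a controller that already has its own @InitBinder calling setDisallowedFields must include these patterns too, or it will undo the global advice for that controller. And this is only a workaround for the known binding path; the advisory's own warning that the flaw is more general means the upgrade is still required.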
On Thursday, Spring published Spring Framework 5.3.18 and 5.2.20, which include the patches for the issue.
Spring Boot 2.6.6 and 2.5.12, which rely on Spring Framework 5.3.18, have also been released, with six bug fixes, improved documentation, and dependency updates.
Users of the 5.3 line are advised to update to 5.3.18 or later, and users of the 5.2 line to 5.2.20 or later; Spring Boot users should move to 2.6.6 or 2.5.12.
The patch arrived after a Chinese-speaking researcher briefly uploaded a GitHub commit containing proof-of-concept (PoC) attack code for CVE-2022-22965 on March 30, 2022.
Spring.io, a VMware subsidiary, said it was first notified of the vulnerability late Tuesday evening by codeplutos, meizjm3i of AntGroup FG Security Lab.
Praetorian security experts validated the vulnerability and said they have built a working exploit for the flaw.
"We have disclosed full details of our exploit to the Spring security team, and are holding off on publishing more information until a patch is in place," the researchers said in a blog post.
"In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted HTTP request to a vulnerable system. However, exploitation of different configurations will require the attacker to do additional research to find payloads that will be effective," they added.
Many media reports have called the flaw the "new Log4Shell", comparing it to the RCE vulnerability in Apache Log4j that was discovered in December 2021 and affected a large number of enterprises.
However, preliminary investigation indicates that 'SpringShell' differs significantly from Log4Shell and is most likely not as severe.
Experts at cyber company Flashpoint noted that while some may equate SpringShell to Log4Shell, the vulnerability is not comparable at a deeper level.
Security expert Chris Partridge said the new bug is not likely to lead to a "cataclysmic event such as Log4Shell".
"This vulnerability appears to require some probing to get working, depending on the target environment," Partridge said.