Flashpoint and Risk Based Security have analysed a new remote code execution (RCE) bug called “SpringShell” that affects the spring-core artifact, a popular framework used extensively in Java applications, particularly those running Java Platform, Standard Edition 9 (JDK9) or newer.
The security community is speculating that SpringShell might be as impactful as Log4Shell; however, researchers say they are still collecting information to help security teams decide whether they should prioritise the issue.
Log4Shell is a vulnerability in Log4j, a Java-based logging utility, which was under the spotlight in December. If left unmitigated, it could enable a bad actor to execute arbitrary Java code and take control of a target server.
The vulnerability has been assigned CVE-2022-22965.
According to Sonatype, the vulnerability affects the spring-beans and spring artifacts, a highly popular framework used widely in Java applications. It is a bypass for an older CVE, CVE-2010-1622, which seems to have been reinstated due to a feature in JDK9 or newer.
Poisoning payloads
Sonatype says Spring has also confirmed that the currently known forms of attack require JDK9, Tomcat (a Web application that can be used interactively or programmatically to deploy and manage Web applications), and the application to be packaged as a Web application resource file, or WAR.
“This type of vulnerability relies on the software deserialising code, which is at the root of the problem,” says Sonatype. “Older versions of Spring allow for Java Reflection, which is the reason why many RCE flaws have historically been observed.”
In this way, a threat actor can poison a payload aimed at a Spring application and gain total control of the system. The currently known forms of attack rely on a constructor in the DataBinder functionality that allows arbitrary classes to be loaded.
“This vulnerability affects any application that uses Spring Framework and impacts most known versions to date,” adds Sonatype. “Spring is one of the most popular frameworks in Java, comparable in scale to Struts.”
A matter of hours till exploitation
As the community has learned from past experience, it is probably only a matter of hours before the vulnerability gets exploited in the wild. Sonatype “highly encourages” all customers to mitigate and be ready to upgrade when a fix is released.
In fact, the company says that in the case of the Log4Shell vulnerability, opportunistic malefactors began exploiting the weakness as soon as a proof-of-concept (PoC) came to light.
“It's also important to note attack vectors will evolve over time and as attention grows new vulnerabilities may be discovered,” says Sonatype.
A PoC for remote execution has already been published and validated for Spring Core, and leverages the vulnerability to modify Tomcat logging configuration to place shellcode into the log file and then achieve remote code execution.
However, Praetorian says there are ways to mitigate the risk. In Spring Framework, DataBinder has functionality to disallow certain field patterns, and as a temporary mitigation for this vulnerability the security company advises organisations to create a ControllerAdvice component (a Spring component shared across all controllers) and add the dangerous patterns to its deny list.
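One way to build the ControllerAdvice deny list that Praetorian describes, as an added example that is not code from the article or from Praetorian; the package name is hypothetical, and the four patterns are taken from Spring's published guidance for this CVE rather than from this page:

```java
// Added example of the ControllerAdvice mitigation described above; not code from the
// article or from Praetorian. The disallowed-field patterns are those published in
// Spring's own CVE-2022-22965 guidance and are an assumption of this example.
package com.example.mitigation; // hypothetical package name

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applies to every controller in the application, so each request's DataBinder
// is configured before any request parameters are bound to a model object.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // run last so earlier advice cannot undo the list
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Reject any binding path that walks through the "class"/"Class" property
        // chain of a bound object, which is the path the known attacks rely on.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

A controller that declares its own @InitBinder method and calls setDisallowedFields locally replaces this global list, so such controllers must include the same patterns themselves; treat this as a stopgap until the patched Spring release is deployed.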