Spring4Shell

What is this Spring framework vulnerability?

Wendy Rodriguez

In the software world, Spring is a popular framework used by developers to build applications. However, just like in any system, it can sometimes have vulnerabilities or flaws. The Spring4Shell vulnerability is one such flaw. It is a weakness within Spring Framework that allows attackers to inject malicious commands or scripts into the system, potentially gaining unauthorized access or control over an application.

What is Spring Framework?

Spring Framework, whose parent company is VMware, is an open-source framework that provides comprehensive infrastructure support to develop applications in the Java programming language. It was created to simplify the development of enterprise-level applications and promote good programming practices and design patterns. It offers a lot of features and modules that help developers build robust and scalable applications. Some key features of Spring Framework are:

Dependency injection: This feature allows objects to be loosely coupled and promotes easier testing and maintainability by reducing dependencies between components.
Aspect-oriented programming: AOP enables developers to implement cross-cutting concerns, for example data logging, and apply them to several parts of the application.
Model-view-controller: It’s a web framework provided by Spring that makes the development of web applications easier. It follows the MVC architectural pattern to separate concerns and provides features for handling requests, managing views, and processing forms.
Data access: Spring provides a consistent and simple approach to data access through the Spring Data module. It offers support for different databases like JDBC, Redis, JPA, and NoSQL.
Security: Spring Security is a module that provides both authentication and authorization mechanisms to ensure application security. It offers features like user authentication, access control, and protection against common security vulnerabilities.

These, among many other features, simplify the development of Java applications and promote good software development practices by providing a complete set of tools for building large-scale, technologically specialized applications.

What is the Spring4Shell vulnerability?

Spring Framework experienced important setbacks in March of last year. The first one was tracked in CVE-2022-22963, affecting Spring Cloud. The impact this vulnerability had was quite high because it was easy to exploit, yet, it was rather low in terms of availability, since it only affected services running Spring Cloud in version 3.1.6 and earlier (for 3.1.x), and 3.2.2 and earlier (for 3.2.x). It was patched soon after it was found. However, a couple of days after the fix, on March 29, 2022, a more severe vulnerability affecting Spring Framework was found. Tracked in CVE-2022-22965, the vulnerability affected Spring MVC and Spring WebFlux applications using JDK 9 or higher. The affected application needed to be running on Tomcat as a WAR deployment to exploit it. The nature of the vulnerability was general and there were several ways of exploiting it, allowing attackers to load arbitrary malicious code into the application and execute it. Dubbed Spring4Shell because of its resemblance to another remote code execution (RCE) vulnerability, Log4Shell; Spring Framework was greatly compromised because of its extensive use in developing web applications. Spring tried to be quick in releasing known information on the vulnerability and provided a workaround for its users. We’ll be discussing the Spring4Shell vulnerability in this post, as there are others disclosed in the same framework but either less critical or less extended.

Get started with Fluid Attacks' Vulnerability Management solution right now

Spring4Shell exploitation

Attackers can exploit Spring4Shell vulnerability by sending a specially crafted request to a web server running the Spring Core framework. The request must contain certain types of parameter binding, which is used to load the malicious code, and once loaded, it can be executed by the application, giving the attacker control over it. In impacted versions of Spring Framework, remote code execution can be achieved by exploiting the RequestMapping annotation feature through the crafted request. By taking advantage of this feature, an attacker can access and modify nested class properties due to how Spring Core performs the request parameter binding using serialization.

According to Microsoft, these are the traits the impacted systems have:

Running JDK 9.0 or later.
Spring framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions
Apache Tomcat as the Servlet container.
Packaged as a traditional WAR file (not as a Spring Boot executable JAR).
Dependency on spring-webmvc or spring-webflux.

Spring4Shell consequences and impact

A successful Spring4Shell vulnerability attack can have severe consequences that include sensitive data being stolen, like customer information, financial data, or intellectual property. Attackers could also install malware on the victim’s system or take control of it. Some threat actors could also penetrate and install a web shell, which compromises web servers, and use it to launch further attacks. Notably, while a large number of Spring installations were vulnerable, not all Spring applications were penetrated.

The impact Spring4Shell had in 2022 was global, having its biggest effect in Europe, where 20% of the organizations using Spring Framework saw at least one attempt of exploitation. By industries, the most targeted sectors were software vendors, followed by the education and research sectors, as well as the insurance and legal sectors.

Spring4Shell vs. Log4Shell

These vulnerabilities allow remote code execution attacks, but are present in two different frameworks used in Java application development that serve different purposes. Both were generated in open-source components and were exploited as zero-day vulnerabilities and have a qualitative CVSS score of critical; however, they have important differences.

Log4Shell is a vulnerability in the Log4j logging framework, i.e., it can be used to log messages during application runtime. Log4Shell is relatively easy to exploit, it can affect a wide range of Java applications, including web servers, cloud services and IoT devices, and could lead to complete system compromise. On the other hand, Spring4Shell, a vulnerability in Spring Framework, is more difficult to exploit and affects a smaller number of applications.

In order to exploit a Spring4Shell vulnerability, an attacker must be able to control the values of certain types of parameters. It requires the attacker to have knowledge of the targeted environment, the types of parameters that are vulnerable, and how to control their values, all of which is knowledge not readily available to attackers. This is more difficult than exploiting Log4Shell, which involves leveraging the way that Log4j construes certain log messages.

Despite being more difficult to exploit, Spring4Shell is still a serious vulnerability since the developers using Spring must first identify the vulnerability and then proceed with a step-by-step process to fix it. Fluid Attacks has its own testing methods for software composition analysis (SCA), that can scan for and reveal cybersecurity risks related to open-source and third-party components, like Log4j and Spring Framework.

Spring4Shell mitigation and fix

To solve this issue, it is necessary to upgrade Spring Framework to a version higher than 5.2.20 or 5.3.18, and, if Spring Boot is used, upgrade to a version higher than 2.6.6. Patching applications that use any of the affected versions is imperative. Update to a patched version by modifying the application’s Maven, Gradle, or other dependency management files, and afterwards, rebuilding and deploying the application again.

If for some reason an upgrade of the Spring Framework version is not possible, the Spring team provided viable workarounds to mitigate the vulnerability, like upgrading to JDK 8 or disallowing binding to certain fields.

Safeguards against Spring4Shell-like vulnerabilities

Additional actions that can be taken to protect applications from issues like Spring4Shell or others within Spring Framework include:

Using a web application firewall (WAF) to filter out malicious HTTP requests.
Implementing input validation to prevent attackers from injecting malicious code into an application.
Monitoring for new vulnerabilities by subscribing to official security advisories and mailing lists related to Spring Framework, as well as other relevant security sources, in order to stay up to date.
Managing vulnerabilities that could be potential gateways to bigger cyberattacks. This grand perspective of vulnerabilities is in service of finding zero-day issues and seeking their swift remediation. Here at Fluid Attacks, we pair scanning tools with ethical hackers that map vulnerabilities to find the greatest impact. This process is supported by our platform, delivering reports that facilitate vulnerability management.
Using a static application security testing (SAST) tool to scan applications for vulnerabilities. Fluid Attacks offers SAST, among other techniques, which analyzes and assesses systems, with the added bonus of providing feedback to developers, searching for known vulnerabilities effortlessly, with precision and fast execution across the entire SDLC. It is performed in both our Essential plan and Advanced plan.
Conducting continuous penetration testing on web applications helps detect vulnerabilities and weaknesses which could be potentially exploited and, often, cannot be found by tools. At Fluid Attacks, we go a step further with our penetration testing, because it’s done by our certified and highly skilled ethical hackers, who are equipped to detect this type of vulnerability and provide detailed reports that aid the remediation process.

Spring4Shell vulnerabilities are critical ones, but it does not mean that the use of Spring Framework is discouraged, in fact, unlike other technologies, the Spring community has been working continuously for two decades and fixing the reported flaws usually within a few days.

Fluid Attacks has the grip on vulnerability management

It’s important for organizations and developers to be aware of vulnerabilities like Spring4Shell; knowing which applications use Spring Framework (and could be, therefore, exposing the system to attacks) is to be ahead of the curve. By doing so, organizations and developers can ensure the security and integrity of their applications and protect their end-users from potential attacks. The first step to manage vulnerabilities is to have tools that can detect them, and here in Fluid Attacks, you can count on our comprehensive service, Continuous Hacking, that not only includes automated tools like SAST or SCA, but also penetration testing done by professional ethical hackers who find, exploit and report vulnerabilities in your software. Our Advanced plan offers just that, a robust combination of human knowledge and scanning tools, making your software deployment bulletproof. You can also click here to try our Continuous Hacking Essential plan free for 21 days. Don’t hesitate to contact us and get started with our solutions now.

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.