
Critical Alert: Spring4Shell RCE Vulnerability (CVE-2022-22965)

UPDATE: April 12, 2022
As a summary and update to this evolving situation, the NTT Application Security teams have collaboratively investigated and assessed the impact of Spring4Shell RCE (CVE-2022-22965) on both our internal systems and our customers' applications:

  • Internally: The internal NTTAS security team determined that we are not affected.
  • Customers: Our engineers have updated our product portfolio with tests for Spring4Shell in both our managed Sentinel and Vantage self-service product platforms:
    • Sentinel Source: Customers’ SCA results are delivered through the “Component Analysis” tab and sub-tab in our platform.
    • Sentinel Dynamic: The Detection Research team successfully developed and deployed a unique testing method based on the proprietary contextualization capabilities of our scan engine. We are currently validating and reporting results of our DAST testing to customers.
    • Vantage Inspect: Customers’ Intelligent SCA results are delivered through the “Reporting” tab and “Dependencies” sub-tab.
    • Vantage Prevent: The Innovations team successfully developed a Spring4Shell attack module with logging which will be distributed April 18th via our public Distribution Repository.

In terms of Software Composition Analysis (SCA), detection is a straightforward check for affected components. In terms of Dynamic Analysis (DAST), a more robust testing method is required. After rigorous research and testing, our engineering teams have developed testing scenarios that go beyond the original, publicly available Spring4Shell proof-of-concept exploits, so that our products offer robust coverage. Our proprietary scan engine composes contextualized requests across the attack surface of a web application, triggering fewer unrelated validation errors. This contextualized method ensures high efficacy rates.

NTT Application Security will continue actively testing in parallel with research to further expand coverage to deliver true positive results across our product portfolio for our customers.

————————————————————————————————————————

UPDATE: April 6, 2022

The NTT Application Security team is continuing to actively test for the Spring4Shell vulnerability. As we conduct our research, we are committed to developing tests that are both accurate and production-safe for our customers’ environments. We will continue to monitor and validate potential detections and provide updates as information becomes available.

————————————————————————————————————————

UPDATE: April 1, 2022

While the “Spring4Shell” Remote Code Execution (RCE) vulnerability is serious, remediation patches have now been provided. Apache Tomcat has released versions that close the attack vector, and Spring has released an update to its core framework which is available for download from the Maven Central Repository. Additional notes from the Spring Framework website:

  • The vulnerability involves ClassLoader access, and therefore in addition to the specific attack reported with a Tomcat specific ClassLoader, other attacks may be possible against a different custom ClassLoader.
  • The issue relates to data binding used to populate an object from request parameters (either query parameters or form data). Data binding is used for controller method parameters that are annotated with @ModelAttribute or optionally without it, and without any other Spring Web annotation.
  • The issue does not relate to @RequestBody controller method parameters (e.g. JSON deserialization). However, such methods may still be vulnerable if they have another method parameter populated via data binding from query parameters.
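The notes above describe the mechanism (data binding walking nested property paths, reaching a ClassLoader) and the page later points to Spring's suggested workarounds. The following is an added illustration, not NTT's or Spring's own code: a hypothetical form-backing controller that uses @ModelAttribute binding, alongside a @ControllerAdvice that applies the field denylist Spring published as the interim mitigation. Class names, the /users route and the field names are assumptions.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

// Hypothetical form-backing object. Data binding populates it through its public setters,
// following each request-parameter name as a (possibly nested) bean property path.
class UserForm {
    private String name;
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}

@Controller
class UserController {
    // Affected pattern from the notes above: a parameter populated by data binding.
    // Every JavaBean exposes a "class" property, so without a field filter a request
    // parameter whose path starts at "class" can reach the Class object and, from it,
    // the container's ClassLoader. That is the exposure the CVE describes.
    @PostMapping("/users")
    public String create(@ModelAttribute UserForm form) {
        return "redirect:/users/" + form.getName();
    }
}

// Interim mitigation published by Spring for applications that cannot upgrade yet:
// refuse any bound property path that goes through "class" or "Class" at any depth.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // assumption: run last; see note on setDisallowedFields below
class BinderControllerAdvice {
    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        // setDisallowedFields replaces (does not merge) the binder's current list, so an
        // @InitBinder that runs later and calls it again would silently discard this denylist.
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Upgrading Spring Framework remains the fix; the denylist only blocks the reported property path and, as the first note above says, other ClassLoader-dependent attacks may exist.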

The NTT Application Security Team has been diligently working to determine the impact of Spring4Shell on both our internal systems and our customers:

  • Internally: After a thorough investigation, the internal NTTAS security team has determined that we are not affected by the CVE.
  • Customers: Our engineers are working to update our product portfolio to detect Spring4Shell in both our managed and self-service product platforms:
    • Sentinel Source: See the March 31st guidance listed below.
    • Sentinel Dynamic: The NTTAS Research team is actively working on detecting Spring4Shell and will have a test in place mid-week to detect this vulnerability.
    • Vantage Inspect: See the March 31st guidance listed below.
    • Vantage Prevent: The NTTAS Research team is actively working on detecting Spring4Shell and will have a test available in the next Prevent update.

————————————————————————————————————————

UPDATE: March 31, 2022

This week a new zero-day Remote Code Execution (RCE) vulnerability was discovered in the Spring Core framework. Named “Spring4Shell,” this exploitable vulnerability has been assigned CVE-2022-22965.

What We Know

While this vulnerability could allow an attacker to remotely execute malicious code on a computing device, this flaw seems to only be exploitable in certain configurations. This vulnerability is similar to “Log4Shell” but not as widespread according to currently known information.

What is impacted?

“Spring4Shell” impacts Spring MVC and Spring WebFlux applications running on JDK 9+. To be specific, the dependencies impacted are:

  • spring-webmvc
  • spring-webflux

Are You Impacted?

While this vulnerability is serious, there is no cause for panic. This vulnerability is not as serious as “Log4Shell” as there are certain requirements needed for carrying out a successful attack:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependencies
  • Spring Framework versions:
    • 3.0 to 5.3.17
    • 2.0 to 5.2.19
    • And older versions

(Reference: Spring Framework RCE, Early Announcement)
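To triage an inventory against the conditions listed above, here is an added example (not NTT's or Spring's own code) that classifies a Spring Framework version against the affected ranges and then combines it with the remaining preconditions. It assumes versions of the form MAJOR.MINOR.PATCH (a ".RELEASE" suffix is tolerated) and reads the listed ranges as 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and everything older.

```java
import java.util.Arrays;

class Spring4ShellTriage {

    // Parse "5.3.17" or "4.3.30.RELEASE" into {major, minor, patch}; missing parts become 0.
    static int[] parse(String version) {
        String[] parts = version.replace(".RELEASE", "").split("\\.");
        int[] v = new int[3];
        for (int i = 0; i < 3 && i < parts.length; i++) {
            v[i] = Integer.parseInt(parts[i].replaceAll("[^0-9].*$", ""));
        }
        return v;
    }

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) return Integer.compare(a[i], b[i]);
        }
        return 0;
    }

    // Listed ranges: 5.3.0-5.3.17, 5.2.0-5.2.19, and older versions.
    // Equivalent rule: anything below 5.3.18, except 5.2.x with x >= 20,
    // which lies outside the listed ranges.
    static boolean versionAffected(String version) {
        int[] v = parse(version);
        boolean below53Range = compare(v, new int[] {5, 3, 18}) < 0;
        boolean outside52Range = v[0] == 5 && v[1] == 2 && v[2] >= 20;
        return below53Range && !outside52Range;
    }

    // All listed preconditions for the known attack vector: affected version,
    // JDK 9+, Tomcat as the Servlet container, deployed as a traditional WAR.
    // A false result means the known vector does not apply, not that the
    // application is safe; the framework should still be upgraded.
    static boolean knownVectorApplies(String springVersion, int jdkMajor,
                                      String container, String packaging) {
        return versionAffected(springVersion)
            && jdkMajor >= 9
            && "tomcat".equalsIgnoreCase(container)
            && "war".equalsIgnoreCase(packaging);
    }

    public static void main(String[] args) {
        for (String v : Arrays.asList("5.3.17", "5.3.18", "5.2.19", "5.2.20", "4.3.30.RELEASE")) {
            System.out.println(v + " affected=" + versionAffected(v));
        }
        System.out.println("Spring 5.3.17, JDK 11, Tomcat, WAR -> "
            + knownVectorApplies("5.3.17", 11, "tomcat", "war"));
    }
}
```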

How can I find the framework in Sentinel?

Currently, you will only be able to find this information in Sentinel or Vantage if you are a Sentinel Source (SAST/SCA) or Vantage Inspect (SAST/Intelligent-SCA) customer:

Sentinel Source:

  • Navigate to the “Component Analysis” Tab
  • Click “Component Analysis” sub-tab
  • Select the blue “Filter” button
  • In the “Framework” field type in “spring-webmvc” or just “spring” and click “Filter” again
  • In your results, check the Current Version column to see whether it falls within the previously mentioned versions.

Vantage Inspect:

  • Navigate to the “Reporting” Tab
  • Click “Dependencies” sub-tab
  • Search for CVE-2022-22965

Can I currently find this with my assessment tools?

  • Sentinel Dynamic (DAST): No
  • Sentinel Source (SAST/SCA):
    • SAST: No
    • SCA: Yes
  • Vantage Inspect (SAST): Yes (Intelligent SCA)
  • Vantage Detect: No


NTT Application Security Recommendation

NTT Application Security Sentinel Source SAST/SCA and Vantage Inspect (SAST) users can identify whether they are currently using the spring-webmvc or spring-webflux dependency, as well as which version is in use. Once identified, we recommend patching the impacted applications and working further with your development teams to identify additional requirements.

As this is a late-breaking vulnerability, we are still gathering and updating guidance on its impact as information becomes available.

What if we can’t upgrade our Spring Framework?

There are suggested workarounds found on the Spring website: Spring Framework RCE, Early Announcement

Stay Tuned: Future messaging will be provided via the NTTAS Blog
