UPDATE : April 12, 2022
As a summary and update to this evolving situation, the NTT Application Security teams have collaboratively investigated and assessed the impact of Spring4Shell RCE (CVE-2022-22965) on both our internal systems and our customers' environments:
In terms of Software Composition Analysis (SCA), it is a straightforward check for affected components. In terms of Dynamic Analysis (DAST), however, a more robust testing method is required. After rigorous research and testing, our engineering teams have developed testing scenarios that go beyond the original, publicly available Spring4Shell proof-of-concept exploits, so that our products offer robust coverage. Our proprietary scan engine composes contextualized requests across the attack surface of a web application while triggering fewer unrelated validation errors. This contextualized method ensures high efficacy rates.
NTT Application Security will continue actively testing in parallel with research to further expand coverage to deliver true positive results across our product portfolio for our customers.
------------------------------------------------------------
UPDATE : April 6, 2022
The NTT Application Security team is continuing to actively test for the Spring4Shell vulnerability. As we conduct our research, we are committed to developing tests that are both accurate and production-safe for our customers’ environments. We will continue to monitor and validate potential detections and provide updates as information becomes available.
------------------------------------------------------------
UPDATE: April 1, 2022
While the "Spring4Shell" Remote Code Execution (RCE) vulnerability is serious, remediation patches have now been provided. Apache Tomcat has released updated versions that close the attack vector, and Spring has released an update to its core framework, available for download from the Maven Central Repository. Additional notes from the Spring Framework website:
The NTT Application Security Team has been diligently working to determine the impact of Spring4Shell on both our internal systems and our customers:
------------------------------------------------------------
UPDATE: March 31, 2022
This week a new zero-day Remote Code Execution (RCE) vulnerability was discovered in the Spring Core framework. Named "Spring4Shell," this exploitable vulnerability has been assigned CVE-2022-22965.
What We Know
While this vulnerability could allow an attacker to remotely execute malicious code on an affected system, the flaw appears to be exploitable only in certain configurations. It is similar to "Log4Shell" but, according to currently known information, not as widespread.
What is impacted?
“Spring4Shell” impacts Spring MVC and Spring WebFlux applications running on JDK 9+. To be specific, the dependencies impacted are:
Are You Impacted?
While this vulnerability is serious, there is no cause for panic. It is not as serious as "Log4Shell," because a successful attack requires certain conditions to be met:
(Reference: Spring Framework RCE, Early Announcement)
How can I find the framework in Sentinel?
Currently, you will only be able to find this information in Sentinel or Vantage if you are a Sentinel Source (SAST/SCA) or Vantage Inspect (SAST/Intelligent-SCA) customer:
Sentinel Source:
Vantage Inspect:
Can I currently find this with my assessment tools?
NTT Application Security Recommendation
NTT Application Security Sentinel Source (SAST/SCA) and Vantage Inspect (SAST) users can identify whether they are currently using the spring-webmvc or spring-webflux dependency, and which version is in use. Once identified, we recommend patching the impacted applications and working with your development teams to identify any additional requirements.
As this is a late-breaking vulnerability, we are still gathering and updating guidance on its impact as information becomes available.
What if we can’t upgrade our Spring Framework?
There are suggested workarounds found on the Spring website: Spring Framework RCE, Early Announcement
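As an added illustration (not code from the original post or from NTT Application Security), the workaround described in Spring's Early Announcement for applications that cannot upgrade: a global @ControllerAdvice that adds disallowed field patterns to every WebDataBinder, so request parameters cannot bind to nested "class"/"Class" properties. The class and method names are arbitrary.

```java
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applies to all controllers; a high order value lets controller-local
// @InitBinder methods run first, after which this advice still adds the denylist.
@ControllerAdvice
@Order(10000)
public class BinderControllerAdvice {

    // Field patterns from Spring's Early Announcement: block binding to
    // "class", "Class" and any nested path that contains them.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Disallowed fields are skipped during data binding rather than
        // producing a binding error, so normal requests are unaffected.
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

Controllers that declare their own @InitBinder and call setDisallowedFields locally replace this list instead of extending it, so those methods need the same patterns added; upgrading the framework remains the complete fix.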
Stay Tuned: Future messaging will be provided via the NTTAS Blog
References: