A critical vulnerability in VMWare’s Spring Core Java framework named CVE-2022-22965, or Spring4Shell, was leaked by a security researcher ahead of an official CVE publication.
The Spring Framework is a widely used open-source framework that provides a comprehensive programming and configuration model for modern Java-based enterprise applications.
The widespread use of the Spring Framework, its publicly available exploit code, and its susceptibility to remote code execution all contribute to the critical CVSS rating given to this vulnerability.
What is CVE-2022-22965?
CVE-2022-22965 also called Spring4Shell is a vulnerability in the Spring Core Java framework that could allow unauthenticated remote code execution in Spring MVC and Spring WebFlux applications running on JDK 9+. The exploit requires the vulnerable application to run on Tomcat as a WAR deployment.
The vulnerability abuses the RequestMapping annotation used in the Spring Framework and allows the injection of Java objects into legitimate request handlers, which opens the door to the injection of malicious curl commands that can modify Tomcat logging properties and the upload of webshells to the vulnerable Tomcat root directory.
Which systems are susceptible to Spring4Shell?
The conditions listed below must be met to exploit a Java application running on Spring Framework:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
Affected products and versions:
- Spring Framework
- 5.3.0 to 5.3.17
- 5.2.0 to 5.2.19
- Older, unsupported versions are also affected
Why should you care?
Proof-of-concept code for CVE-2022-22965 is widely available and is likely to be weaponized by threat actors. In certain configurations, exploitation of Spring4Shell only requires an attacker to send a specially crafted HTTP request to a vulnerable system. If successful, an unauthenticated attacker would be allowed to execute arbitrary code on the target system.
Due to the widespread use of the Spring Framework and the severity of the vulnerability CVE-2022-22965 has been given a critical (CVSS score of 9.8) rating.
How Tanium can Help
VMWare recommends that affected customers upgrade to version 5.3.18 or higher, or version 5.2.20 of higher, depending on application requirements. Workarounds for customers who are unable to upgrade at this time are identified in the Spring Framework RCE, Early Announcement blog response.
Tanium has several tools that can help customers quickly and easily find assets that are impacted by the Spring4Shell vulnerability, remediate, and track the vulnerability.
Tanium Interact can be used to identify systems that may be vulnerable across the enterprise. It gives responders the ability to ask questions of their endpoints and receive rapid and comprehensive answers.
The Tanium Reveal Quick Search feature can be used to quickly identify potential targets for further investigation.
Given the dynamic nature of today’s endpoint environments, consider Tanium Asset and Tanium Trends for ongoing tracking. Tanium Asset delivers a comprehensive inventory of hardware and software assets, while Tanium Trends provides continuous insight into security metrics and operational health.
Please read this article for more information from our Tanium Community on how to use these products to find, patch and track CVE-2022-22965. And for information to help with similar vulnerabilities, visit our Emerging Issues Blog.