On March 29, 2022, a critical vulnerability in the Spring Java framework was disclosed by VMware.
The vulnerability, tracked as CVE-2022-22965 and commonly called “Spring4Shell” or “SpringShell”, is a distinct flaw in Spring Core that uses class injection to achieve full remote code execution (RCE). Because it was a zero-day, the disclosure raised widespread concern about a wave of attacks against vulnerable applications.
The name “Spring4Shell” was chosen because Spring Core is a ubiquitous library, much like Log4j, which spawned the infamous Log4Shell vulnerability. The flaw affects Spring Core and allows an attacker to send a specially crafted HTTP request that bypasses protections in the library’s HTTP request handling, leading to remote code execution.
What Causes the SpringShell (Spring4Shell) Vulnerability?
The SpringShell vulnerability, CVE-2022-22965, lies in the Spring Framework “data binding” mechanism. Data binding takes parameters from the request URL or request body and binds them to handler method arguments or, in some cases, to the properties of Java objects, following dotted property paths such as “address.city”. Binding any path the request names, rather than only the fields a form is expected to set, is what lets a crafted request reach properties the application never meant to expose.
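To make the binding mechanism concrete, here is a small Python model of dotted-path request-parameter binding. It is an added example, not code from Spring or from the original post, and the bean classes, parameter names and values in it are constructed. It shows the two defensive knobs a practitioner cares about: a deny-list (the “class.*” style patterns the Spring team published as a workaround for CVE-2022-22965) and an allow-list of the fields a form is actually supposed to set. One difference from Java is assumed and noted in the comments: in the Python model a “class.*” path simply does not exist on the target object, whereas every Java bean exposes it through getClass(), which is why Spring had to block it explicitly.

```python
import fnmatch
from dataclasses import dataclass, field


# Constructed form beans for the example (not part of any real application).
@dataclass
class Address:
    city: str = ""
    zip_code: str = ""


@dataclass
class UserForm:
    name: str = ""
    address: Address = field(default_factory=Address)
    role: str = "user"  # privilege field that must never be request-settable


# Disallowed-field patterns the Spring team published as a workaround for
# CVE-2022-22965. fnmatch is used here as an approximation of Spring's simple
# "*" wildcard matching.
SPRING_DISALLOWED = ("class.*", "Class.*", "*.class.*", "*.Class.*")


def _matches_any(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def bind(target, params, allowed=None, disallowed=()):
    """Bind request parameters onto `target` by dotted property path.

    Returns (bound, rejected) lists of parameter names. A name is rejected if
    it matches a disallowed pattern, if an allow-list is given and the name is
    not on it, or if the path does not resolve to a property of the target.
    """
    bound, rejected = [], []
    for name, value in params.items():
        if _matches_any(name, disallowed):
            rejected.append(name)
            continue
        if allowed is not None and not _matches_any(name, allowed):
            rejected.append(name)
            continue
        *path, leaf = name.split(".")
        obj = target
        try:
            for part in path:  # walk nested objects, as a bean wrapper would
                obj = getattr(obj, part)
            if not hasattr(obj, leaf):
                raise AttributeError(leaf)
            setattr(obj, leaf, value)
        except AttributeError:
            # In Java the "class" path would resolve via getClass(); in this
            # Python model it is simply absent, so it lands here.
            rejected.append(name)
            continue
        bound.append(name)
    return bound, rejected


# Constructed request parameters: two legitimate form fields plus two the
# request should never be allowed to set.
REQUEST_PARAMS = {
    "name": "alice",
    "address.city": "Lisbon",
    "role": "admin",
    "class.x": "y",
}


def bind_unrestricted():
    """No restrictions: the request silently sets `role` (mass assignment)."""
    form = UserForm()
    bound, rejected = bind(form, REQUEST_PARAMS)
    return form, bound, rejected


def bind_with_spring_workaround():
    """Deny-list only: blocks class.* paths but still over-binds `role`."""
    form = UserForm()
    bound, rejected = bind(form, REQUEST_PARAMS, disallowed=SPRING_DISALLOWED)
    return form, bound, rejected


def bind_with_allowlist():
    """Allow-list of expected fields: only name and address.* are bound."""
    form = UserForm()
    bound, rejected = bind(form, REQUEST_PARAMS, allowed=("name", "address.*"))
    return form, bound, rejected


if __name__ == "__main__":
    for fn in (bind_unrestricted, bind_with_spring_workaround, bind_with_allowlist):
        form, bound, rejected = fn()
        print(f"{fn.__name__}: role={form.role!r} bound={bound} rejected={rejected}")
```

The deny-list closes the specific hole, but the allow-list is the durable fix: it bounds what a request can touch regardless of which property path is discovered next.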
Detect Spring4Shell with Logz.io Cloud SIEM
Logz.io Cloud SIEM customers can detect Spring4Shell exploitation by scanning access logs for potential webshell activity, and can receive real-time alerts about attackers attempting to exploit this vulnerability. Logz.io Cloud SIEM provides an out-of-the-box detection rule for this webshell activity:
type:/.*apache.*|.*tomcat.*/ AND (/.*(C|c)lass\..*/ OR "getRuntime" OR "getParameter")
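To show what the rule above actually matches, here is an added Python re-implementation of its logic run over a handful of constructed log records; it is not Logz.io code, and the record shape (a `type` field for the log source and a `message` field for the raw line) is an assumption made for the example. The `.*` wrappers on the regexes mirror the whole-field anchoring of the query syntax, and the last sample record illustrates a caveat for triage: the “(C|c)lass\.” clause also fires on ordinary paths that happen to contain the substring, so hits still need a human look.

```python
import re

# The rule's source-type filter and the three alternatives of its OR clause.
SOURCE_TYPE = re.compile(r".*apache.*|.*tomcat.*", re.DOTALL)
CLASS_PATH = re.compile(r".*(C|c)lass\..*", re.DOTALL)
LITERALS = ("getRuntime", "getParameter")


def matches_spring4shell_rule(record):
    """Return True if a log record satisfies the Logz.io detection rule."""
    if not SOURCE_TYPE.fullmatch(record.get("type", "")):
        return False
    msg = record.get("message", "")
    return bool(CLASS_PATH.fullmatch(msg)) or any(lit in msg for lit in LITERALS)


def scan(records):
    """Return the subset of records the rule would alert on."""
    return [r for r in records if matches_spring4shell_rule(r)]


# Constructed sample records (not captured traffic).
SAMPLE_RECORDS = [
    {"type": "apache_access",
     "message": '10.0.0.5 - - [30/Mar/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512'},
    {"type": "tomcat-access",
     "message": '10.0.0.7 - - [30/Mar/2022:10:00:02 +0000] "POST /app/form?class.x=y HTTP/1.1" 400 0'},
    {"type": "nginx_access",  # same request shape, but the source type is outside the rule
     "message": '10.0.0.7 - - [30/Mar/2022:10:00:03 +0000] "POST /app/form?class.x=y HTTP/1.1" 400 0'},
    {"type": "tomcat",
     "message": '10.0.0.9 - - [30/Mar/2022:10:00:04 +0000] "GET /app?q=getParameter HTTP/1.1" 200 77'},
    {"type": "apache_error",  # benign path that still contains "class." (false positive)
     "message": '10.0.0.3 - - [30/Mar/2022:10:00:05 +0000] "GET /static/myclass.css HTTP/1.1" 200 1024'},
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(f"ALERT [{hit['type']}] {hit['message']}")
```

Running it flags the Tomcat request carrying a “class.” parameter, the record containing `getParameter`, and the harmless CSS path; the Nginx record is skipped because the rule is scoped to Apache and Tomcat sources.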
The Spring4Shell vulnerability is a high-impact vulnerability that is easy for attackers to exploit in production environments running vulnerable versions of Spring. Logz.io customers can enable Cloud SIEM today to take advantage of our detection capabilities against this vulnerability.