www.belgium.be Logo of the federal government

Warning: 2 critical vulnerabilities related to the Spring Framework (JAVA)

Référence: 
Advisory #2022-008
Version: 
1.0
Logiciels concernés : 
Spring framework
Spring Cloud Functions
Type: 
RCE
CVE/CVSS: 

CVE-2022-22965(CVSS score: 9.8) – Spring Framework Remote Code Execution
CVE-2022-22963 (CVSS score: 9.8) – Spring Cloud Function Remote Code Execution

Risques

The objective of this alert is to raise awareness about a 2 vulnerabilities in the Spring Framework/Spring Cloud Function.

The Spring Framework is widely used by both enterprise apps and cloud services. Spring is a common used lightweight Java platform application framework that allows developers to easily develop Java applications with enterprise-level features.

The Spring Cloud Function is a function computing framework based on Spring Boot, and is implemented by many tech giants including Apache OpenWhisk, AWS Lambda, Google Cloud Functions, MS Azure, and other serverless service providers.

A remote unauthenticated attacker can exploit the vulnerability. Successful exploitation could lead to a fully compromised system. Both vulnerabilities are known to be actively exploited in the wild.

The Centre for Cyber security Belgium recommends system administrators to patch vulnerable systems as soon as possible and to analyse system and network logs for any suspicious activity.

If your organisation has identified an intrusion or a compromise, please report it via: cert@cert.be

Description

Spring4Shell (CVE-2022-22965) is a critical RCE vulnerability in the spring framework with a CVSS3.1 score of 9.8. A remote unauticated attacker can exploit vulnerable software to execute arbitrary code.

To exploit this vulnerability the following prerequisites are required:

  • Java JDK 9 or higher
  • Apache Tomcat
  • spring-webmvc/ spring-webflux dependency

• Vulnerable spring framework version

  • 5.3.0 to 5.3.17
  • 5.2.0 to 5.2.19
  • Older versions

CVE-2022-22963 is a RCE vulnerability in the spring cloud function with a CVSS3.1 score of 9.8. An unauthenticated attacker can exploit the vulnerability by injecting malicious SpEL (Spring Expression Language) expressions into crafted HTTP request headers by constructing specific data packets leading to arbitrary remote code execution on the target system.

The CCB urges organisations to update vulnerable software to their latest version

The CCB wants to emphasize on:

  • There are reports that these vulnerabilities are exploited in the wild, there is a poc available publicly.
  • The prevalence of the affected software in the private & public sector possibly impacts all industry verticals.
  • The risk of a potential compromise is high, the potential impact of a successful compromise is critical.

 

Actions recommandées

The recommended actions are focusing on the Spring4shell vulnerability

1) Scope

Create an inventory that includes all the software from your organisation and check per entry if the spring framework is implemented.

Please note that this vulnerability may also occur in custom developed software within your organisation, and software suites from mainstream vendors.

Please consult the following GitHub page maintained by NCSC-NL for a more comprehensive list of possible impacted software vendors.

NCSC-NL: https://github.com/NCSC-NL/spring4shell

2) Patch

To prevent the library from being exploited, it's urgently recommended that vulnerable software is patched as soon as possible
Patches are available via Spring.io: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

•    Spring Framework versions 5.3.18 and 5.2.20
•    Spring Boot versions 2.5.12 and 2.6.6
•    Tomcat versions 10.0.20, 9.0.62, and 8.5.78

Please consult the following GitHub page maintained by NCSC-NL for a more comprehensive list of possible impacted software vendors and specific information regarding which version contains the security fixes, and which software still requires mitigation.

NCSC-NL: https://github.com/NCSC-NL/spring4shell

3) Monitor/Detect

The CCB advises organisations to upscale monitoring and detection capabilities, to detect any related suspicious activity, ensuring a fast response in case of an intrusion. Organisations can identify if they're targeted by examining the log files for any services using affected spring framework versions.

Yara rules: https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4s...
Splunk queries: https://github.com/west-wind/Spring4Shell-Detection