A CVE has been assigned and the vulnerability is now tracked as CVE-2022-22965 (aka SpringShell). It carries a Critical CVSS score of 9.8 and affects the following Spring Framework versions:
- 5.3.0 to 5.3.17
- 5.2.0 to 5.2.19
- Older, unsupported versions are also affected
The fixed releases are Spring Framework 5.3.18 and 5.2.20.
Update: Triskele Labs is aware of a separate vulnerability in Spring Cloud Function, CVE-2022-22963 (Spring Expression Resource Access Vulnerability). Exploitation can result in remote code execution; affected versions are Spring Cloud Function 3.1.6, 3.2.2 and older.
Triskele Labs advises upgrading Spring Cloud Function to 3.1.7+ or 3.2.3+ to prevent exploitation. CVE-2022-22963 is distinct from SpringShell: it lives in a different project and is not addressed by upgrading the Spring Framework itself, so both need to be checked.
The purpose of this alert is to bring urgent attention to a bug in the Spring Core module of the Java Spring Framework.
The bug results in an unauthenticated Remote Code Execution (RCE) vulnerability. Active exploitation is likely occurring in the wild, as proof-of-concept code has been released publicly.
The framework is extremely widely used, and Triskele Labs advises any organisation running Java-based software to check immediately for the presence of this framework and follow the remediation steps outlined below.
On 31 March 2022, a Chinese-speaking researcher known as helloexp published a GitHub commit providing proof-of-concept code for a critical vulnerability in the Spring Core module of the popular Java Spring Framework. Default installations of widely used enterprise Java-based software rely on this framework.
The impact of exploiting this vulnerability is remote code execution, resulting in full control of the affected system. Remote code execution grants threat actors the ability to install malicious software and webshells or perform other malicious actions. The vulnerability affects Spring Framework applications running on JDK 9 or later; according to Spring's own advisory, the publicly known exploit path additionally relies on the application being deployed as a WAR on Apache Tomcat, but the underlying flaw is more general and other exploitation paths may exist.
Triskele CTI notes that users of various Chinese-language blogs had been actively discussing the vulnerability and the proof-of-concept code in the days before its release.
If you are running JDK 9 or later and any of your applications use the Spring Framework or a framework derived from it, Triskele Labs recommends adopting an assumed-breach mentality and reviewing the logs of impacted applications for unusual activity.
To determine whether your JDK is in the affected range, run the ‘java -version’ command on each system (the output goes to stderr, so use ‘java -version 2>&1’ when capturing it in a script). JDK 8 and earlier report a version string beginning with ‘1.’ (for example ‘1.8.0_322’), which is outside the affected range; JDK 9 and later report the major number directly (‘9’, ‘11.0.14’, ‘17.0.2’). Check the JDK the application server actually starts with (its JAVA_HOME), not only the system default, as the two frequently differ.
Where the fixed Spring Framework release cannot be deployed immediately, Triskele Labs recommends moving affected applications from JDK 9 or later to JDK 8 as a temporary measure. This is a stop-gap only: applications compiled for a newer Java release will not run on JDK 8, and upgrading the Spring Framework remains the correct fix. Additional guidance for detecting Spring Core in your environment can be found in the following post from technology blog Cyber Kendra: https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html
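The JDK check and Spring Core inventory described above, together with a first pass over web-server access logs, as an added shell example that is not part of the Triskele Labs advisory. It assumes POSIX sh, Info-ZIP ‘unzip’ for listing archives, and Tomcat-style access logs; the version ranges are the ones the advisory lists, and the ‘class.module.classLoader’ request indicator comes from public analyses of the proof-of-concept code rather than from the advisory. The sample log lines are constructed.

```shell
#!/bin/sh
# SpringShell (CVE-2022-22965) triage helpers. Added example, not part of the
# Triskele Labs advisory. Assumptions: POSIX sh, Info-ZIP `unzip` for listing
# archives, Tomcat-style access logs. Version ranges are those in the advisory.

java_major_version() {
    # $1: first line of `java -version 2>&1` (the banner is printed to stderr).
    # JDK 8 and older report "1.x"; JDK 9 and later lead with the major number:
    #   openjdk version "1.8.0_322" -> 8      openjdk version "11.0.14" -> 11
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;
    esac
}

spring_core_version_from_name() {
    # WEB-INF/lib/spring-core-5.2.19.RELEASE.jar -> 5.2.19.RELEASE
    basename "$1" .jar | sed 's/^spring-core-//'
}

spring_core_vulnerable() {
    # $1: spring-core version string. Prints vulnerable, fixed or unknown,
    # using the advisory's ranges: 5.3.0-5.3.17, 5.2.0-5.2.19, and older lines.
    maj=$(printf '%s\n' "$1" | cut -d. -f1)
    min=$(printf '%s\n' "$1" | cut -d. -f2)
    pat=$(printf '%s\n' "$1" | cut -d. -f3 | sed 's/[^0-9].*$//')
    pat=${pat:-0}
    case "$maj.$min.$pat" in
        *[!0-9.]*|.*|*..*) echo unknown; return ;;   # not a numeric version
    esac
    if [ "$maj" -lt 5 ]; then
        echo vulnerable                 # 4.x and older: unsupported, affected
    elif [ "$maj" -gt 5 ]; then
        echo fixed                      # 6.x shipped after the fix
    elif [ "$min" -eq 3 ] && [ "$pat" -le 17 ]; then
        echo vulnerable                 # 5.3.0 - 5.3.17
    elif [ "$min" -eq 2 ] && [ "$pat" -le 19 ]; then
        echo vulnerable                 # 5.2.0 - 5.2.19
    elif [ "$min" -lt 2 ]; then
        echo vulnerable                 # 5.0.x / 5.1.x: unsupported, affected
    else
        echo fixed                      # 5.3.18+, 5.2.20+
    fi
}

scan_dir() {
    # $1: directory to inventory. Reports spring-core jars on disk and nested
    # inside WAR/EAR/fat-JAR archives, one tab-separated line each:
    #   <path>[!<entry>]  <version>  <vulnerable|fixed|unknown>
    find "$1" -type f \( -name '*.jar' -o -name '*.war' -o -name '*.ear' \) 2>/dev/null |
    while read -r f; do
        case "$(basename "$f")" in
            spring-core-*.jar)
                v=$(spring_core_version_from_name "$f")
                printf '%s\t%s\t%s\n' "$f" "$v" "$(spring_core_vulnerable "$v")" ;;
            *)
                unzip -Z1 "$f" 2>/dev/null | grep -E '(^|/)spring-core-[^/]*\.jar$' |
                while read -r inner; do
                    v=$(spring_core_version_from_name "$inner")
                    printf '%s!%s\t%s\t%s\n' "$f" "$inner" "$v" "$(spring_core_vulnerable "$v")"
                done ;;
        esac
    done
}

scan_access_log() {
    # $1: access log file (or - for stdin). Flags requests carrying the
    # property path the public PoC abuses (class.module.classLoader... on
    # JDK 9+, and the older class.classLoader form). Indicator taken from
    # public analyses of the PoC, not from the advisory. URL-decode the log
    # first if your server logs query strings encoded.
    grep -iE 'class\.(module\.)?classLoader' "${1:--}"
}

sample_access_log() {
    # Constructed sample lines for a dry run; not real traffic.
    printf '%s\n' \
      '10.0.0.5 - - [31/Mar/2022:10:12:01 +1100] "POST /app/?class.module.classLoader.resources.context.parent.pipeline.first.pattern=payload HTTP/1.1" 200 12' \
      '10.0.0.7 - - [31/Mar/2022:10:12:02 +1100] "GET /app/index.html HTTP/1.1" 200 512'
}

if [ $# -gt 0 ]; then
    # Usage: ./springshell_triage.sh /opt/tomcat/webapps [/opt/tomcat/logs/localhost_access_log.txt]
    echo "JDK major: $(java_major_version "$(java -version 2>&1 | head -n 1)")"
    scan_dir "$1"
    if [ $# -gt 1 ]; then scan_access_log "$2"; fi
fi
```

Run it with the application server's JAVA_HOME on the PATH so the JDK line reflects what the application actually executes under. A jar reported as ‘vulnerable’ is only exploitable if the other preconditions hold (JDK 9+, and for the public exploit path, a WAR on Tomcat), but any ‘vulnerable’ hit should still be upgraded; a hit from scan_access_log is a strong signal that the host was targeted and should trigger the assumed-breach review described above.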
Triskele Labs' Managed Detection and Response (MDR) team is monitoring for suspicious activity within customer environments.
Deployed SIEM and EDR agents on servers and endpoints will aid in detecting a threat actor who has successfully accessed an environment and commenced reconnaissance.
References used for the generation of this release: