Triskele Labs Blog

Security Bulletin - Spring Core Zero Day Against Java-based Software

Written by Nick Morgan | Mar 30, 2022 5:06:03 PM

Published Date: 31/03/2022

Update 2 - 01/04/2022

Spring has released an Early Announcement blog post addressing the Remote Code Execution vulnerability present in Spring Core located here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#misconceptions

A CVE has been assigned and the vulnerability is now known as CVE-2022-22965 (aka SpringShell). This CVE is confirmed to have a Critical score (cvss 9.8) and affects the following Spring Framework versions:
- 5.3.0 to 5.3.17
- 5.2.0 to 5.2.19
- Older, unsupported versions are also affected

The Spring Framework announcement suggests updating to either Spring Framework 5.3.18 or 5.2.20 or to follow a list of workarounds. The updated Framework is also available in Spring Boot version 2.6.6, for which the upgrade guidance can be found here: https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.6-Release-Notes

Triskele Labs are aware of a local scanner that has been released, which is reported to detect vulnerable versions of Spring. This can be found at: https://github.com/hillu/local-spring-vuln-scanner

Triskele Labs notes that mass scanning for the Spring Core vulnerability is occurring, as reported by Threat Intelligence company Bad Packets here: https://twitter.com/bad_packets/status/1509603994166956049

Update 1 - 31/03/2022

Update: Triskele Labs is aware of a vulnerability present in the Spring Cloud function known as CVE-2022-22963 (Spring Expression Resource Access Vulnerability). Exploitation of this vulnerability can result in remote code execution and is present in Spring Cloud function versions 3.1.6, 3.2.2 and older.

The CVSS score for this vulnerability is 5.4 (medium severity) however Triskele Labs has observed active exploitation of this vulnerability in the wild, likely due to released Proof of Concept Code available here: https://github.com/chaosec2021/Spring-cloud-function-SpEL-RCE and the increased interest in Spring thanks to the zero day present in Spring Core. Active exploitation can be observed here: https://www.greynoise.io/viz/tag/spring-cloud-function-spel-rce-attempt.

Triskele Labs advises patching the Spring Cloud function to versions 3.1.7+ or 3.2.3+ to prevent exploitation.

Purpose

The purpose of this alert is to bring urgent attention to a bug present in the Spring Core module of the Java Spring Framework.

The bug results in an unauthenticated Remote Code Execution (RCE) vulnerability. Active exploitation of this vulnerability is likely occurring in the wild as Proof-of-Concept Code has been released.

The use of this framework is extremely common, and Triskele Labs advises that any organisation utilising Java-based software to immediately check for the presence of this framework and follow the remediation steps outlined below.   

Details

On 31 March 2022, a Chinese speaking researcher known as helloexp published a GitHub commit providing Proof of Concept code for a critical vulnerability present in the Spring Core module of the popular Java Spring Framework. Default installations of widely used enterprise Java-based software utilise this framework.

The impact of exploiting this framework is remote code execution resulting in full system control. Remote Code Execution can grant Threat Actors the ability to install malicious software and webshells or perform other malicious actions. The vulnerability impacts JDK9 version (and above) of the Spring framework.

The Triskele Labs CTI team advises that the Proof-of-Concept (POC) code exploiting the vulnerability was made available on 31 March December 2022 on a public GitHub located at https://github.com/helloexp/0day/tree/14757a536fcedc8f4436fed6efb4e0846fc11784/22-Spring%20Core. This publicly available POC code enables Threat Actors a direct route to exploiting vulnerable versions of the Spring Framework present within Java based applications.

Triskele CTI notes that users on various Chinese speaking blogs have been actively discussing the vulnerability and Proof of Concept code in the days before its release.

Mitigation Actions

If you are utilising versions of JDK 9 and above and any of your applications utilise the Spring Framework or a framework derived from Spring, Triskele Labs recommends adopting an assumed breach mentality and reviewing logs for impacted applications with unusual activity.

To determine if your version of JDK is vulnerable, run the ‘java-version’ command on systems. Ensure that the version number is less than or equal to 8.

Triskele Labs recommends downgrading JDK 9 to a lower version as a temporary measure until a patch is released. Additional guidance for Spring Core detection in your environment can be found in the following notification from technology blog Cyber Kendra: https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html

Detection Capability

Managed Detection and Response are monitoring for suspicious activity within customer environments.

Deployed SIEM and EDR agents on servers and endpoints will aid in detecting a threat actor successfully accessing an environment and commencing reconnaissance.

References

References used for the generation of this release: