On March 30, 2022, we received word through our channels of a remote code execution vulnerability in Spring Framework when a Chinese-speaking researcher published a GitHub commit that contained proof-of-concept (PoC) exploit code.
This uploaded exploit targeted a zero-day vulnerability in the Spring Core module of the Spring Framework. Spring is maintained by Spring.io (a subsidiary of VMware) and is used by many Java-based enterprise software frameworks. The vulnerability in the leaked proof-of-concept, which appeared to allow unauthenticated attackers to execute code on target systems, was exploited quickly.
What Are We Doing?
1. Actively monitoring public data streams pertaining to this situation. We are also coordinating with Rapid7’s research team, who confirm that the zero-day vulnerability is real and provides unauthenticated remote code execution.
Proof-of-concept exploits exist, but it’s currently unclear which real-world applications use the vulnerable functionality. As of March 31, Spring has also confirmed the vulnerability and has released Spring Framework versions 5.3.18 and 5.2.20 to address it.
It affects Spring MVC and Spring WebFlux applications running on JDK 9+. As additional information becomes available, we will evaluate the feasibility of vulnerability checks, attack modules, detections, and Metasploit modules.
While Rapid7 does not have a direct detection in place for this exploit, they do have behavior-based detection mechanisms in place to alert on common follow-on attacker activity.
2. Informing our SOC Analysts of the investigation and providing them with the necessary briefings to deploy any defenses provided by our partners.
3. Reinforcing our recommendations by communicating the need for layered security and applying rock-solid standards provided by public, vendor-neutral agencies like the Center for Internet Security. The goal of these standards is a stronger, more robust layering of protective measures for our FIT clients.
What You Can Do
The vulnerability affects Spring MVC and Spring WebFlux applications running on JDK 9+. As of 10 AM EDT, March 31, 2022, CVE-2022-22965 has been assigned to this vulnerability.
Spring has confirmed the zero-day vulnerability and has released Spring Framework versions 5.3.18 and 5.2.20 to address it.
Evaluate your environment for this vulnerability and patch as needed. We are big fans of the work performed by the Center for Internet Security (CIS). CIS is a nonprofit organization, formed in October 2000.
Its mission is to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.
Spring4J would be best mitigated by applying the CIS Controls:
Control 02 – Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Control 08 – Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Control 12 – Network Monitoring & Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.
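As an added example of the "evaluate your environment and patch" step and of Control 02 (software inventory), the following script flags Spring Framework artifacts below the fixed releases named above (5.3.18 and 5.2.20) on JDK 9+. This is our illustration, not FIT or Spring tooling; it assumes Spring ships as JAR files whose names carry the version (e.g. spring-core-5.3.17.jar) and that the JDK major is read from a `java -version` string, and the sample paths are constructed.

```python
import re

# Fixed releases named in the advisory; anything below them on the same line is exposed.
FIXED_RELEASES = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
MIN_AFFECTED_JDK = 9  # the advisory scopes the issue to JDK 9+

# Assumed naming of Spring artifacts on disk, e.g. spring-core-5.3.17.jar
ARTIFACT_RE = re.compile(r"spring-(?:core|beans|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)")

# Constructed sample inventory, not taken from a real host.
SAMPLE_PATHS = [
    "/opt/app/WEB-INF/lib/spring-core-5.3.17.jar",
    "/opt/app/WEB-INF/lib/spring-webmvc-5.3.17.jar",
    "/opt/other/lib/spring-core-5.3.18.jar",
    "/opt/legacy/lib/spring-core-5.2.20.jar",
    "/opt/legacy/lib/commons-io-2.11.0.jar",
]


def jdk_major(version_string):
    """Return the JDK major version from a `java -version` line.
    JDK 8 and older report themselves as 1.x (e.g. 1.8.0_312), so map 1.x to x."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_string)
    if not m:
        raise ValueError("no JDK version found in: %r" % version_string)
    major, minor = int(m.group(1)), m.group(2)
    return int(minor) if major == 1 and minor else major


def spring_exposed(version, jdk):
    """True when a Spring Framework version (major, minor, patch) on this JDK needs the patch."""
    if jdk < MIN_AFFECTED_JDK:
        return False  # advisory: JDK 9+ only
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        # Lines older than 5.2 have no fixed release listed, so flag them for upgrade;
        # lines newer than 5.3 postdate the fix.
        return version < (5, 2, 0)
    return version < fixed


def scan(paths, jdk):
    """Return [(path, version)] for every Spring artifact that should be patched."""
    findings = []
    for path in paths:
        m = ARTIFACT_RE.search(path)
        if m:
            version = tuple(int(x) for x in m.groups())
            if spring_exposed(version, jdk):
                findings.append((path, "%d.%d.%d" % version))
    return findings


if __name__ == "__main__":
    for path, version in scan(SAMPLE_PATHS, jdk_major('openjdk version "11.0.14"')):
        print("patch needed:", path, version)
```

For a real host, replace SAMPLE_PATHS with the output of a filesystem walk over your application directories and feed the actual `java -version` output to jdk_major.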
If you have any questions about how to further implement these controls in your environment, FIT Cybersecurity would love to provide guidance and help you improve your security posture.
— The FIT Cyber Team