Spring4Shell: Zero-Day Vulnerability in Spring Framework

What Happened?

On March 30, 2022, we received word through our channels of a remote code execution vulnerability in Spring Framework when a Chinese-speaking researcher published a GitHub commit that contained proof-of-concept (PoC) exploit code.

This uploaded exploit targeted a zero-day vulnerability in the Spring Core module of the Spring Framework. Spring is maintained by Spring.io (a subsidiary of VMWare) and is used by many Java-based enterprise software frameworks. The vulnerability in the leaked proof-of-concept, which appeared to allow unauthenticated attackers to execute code on target systems, was exploited quickly.

What Are We Doing?

1. Actively monitoring public data streams pertaining to this situation. We are also researching with Rapid7’s research team who can confirm the zero-day vulnerability is real and provides unauthenticated remote code execution.

Proof-of-concept exploits exist, but it’s currently unclear which real-world applications use the vulnerable functionality. As of March 31, Spring has also confirmed the vulnerability and has released Spring Framework versions 5.3.18 and 5.2.20 to address it.

It affects Spring MVC and Spring WebFlux applications running on JDK 9+. As additional information becomes available, we will evaluate the feasibility of vulnerability checks, attack modules, detections, and Metasploit modules.

While Rapid7 does not have a direct detection in place for this exploit, they do have behavior- based detection mechanisms in place to alert on common follow-on attacker activity.

2. Informing our SOC Analysts of the investigation and providing them with the necessary briefings to deploy any defenses provided by our partners.

3. Reinforcing our recommendations by communicating the need for layered security and applying rock solid standards provided by public vendor neutral agencies like the Center for Internet Security. The goal of these standards is a stronger, robust layering of protective measures for our FIT clients.

What You Can Do

The vulnerability affects SpringMVC and Spring WebFlux applications running on JDK 9+. As of 10AM, EDT March 31, 2022, CVE-2022-22965 has been assigned to this vulnerability.

Spring has confirmed the zero-day vulnerability and has released Spring Framework versions 5.3.18 and 5.2.20 to address it.

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Evaluate your environment for this vulnerability and patch as needed. We are big fans of the work performed by the Center for Internet Security (CIS). CIS is a nonprofit organization, formed in October 2000.

Its mission is to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.

Spring4J would be best mitigated by applying the CIS Controls:

Control 02 – Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Control 08 – Audit Log Management

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Control 12 – Network Monitoring & Defense

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

If you have any questions about how to further implement these controls in your environment, FIT Cybersecurity would love to provide guidance and help you improve your security posture.

 

— The FIT Cyber Team

Serious Cybersecurity Vulnerabilities: Apache Log4j & SMA-3217

UPDATE — 12/18/21

There have been more developments in the ongoing remediation of the Log4j logging library and connected vulnerabilities.

The initial patch, version 2.15.0, that aimed to resolve the remote code execution vulnerability described in CVE-2021-44228 was found to be incomplete and led to the discovery of CVE-2021-45046. Initially thought to be a minor DoS vulnerability, CVE-2021-45046 was assigned a CVSS of 3.7. As of late yesterday, CVE-2021-45046 was elevated to a CVSS of 9 due to newly discovered attack vectors that would allow bad actors to exfiltrate data. A patch was quickly released in version 2.16.0 to remediate it.  Earlier this morning, a new flaw was identified in the patch version 2.16.0 that has required a new patch release (version 2.17.0) and a new vulnerability tracking ID of CVE-2021-45105. The identified flaw is a severe DoS vulnerability that would allow bad actors to perpetrate Denial-of-Service attacks against affected assets. CVE-2021-45105 has been assigned a CVSS of 7.5.

The risk with these vulnerabilities not only rests in active use of the Log4j library within production applications developed by your company, but also in several standard workplace applications and solutions that also utilize it. Log4j is one of the most ubiquitous logging libraries and is used in a plethora of applications and solutions. It is likely that some of the applications you use in your environment are affected and therefore vulnerable. These are called nested vulnerabilities as they stem from a utility that is used within standardly deployed applications and are dependent on patch releases from the vendor to remediate.

 

FIT’s Response:

FIT is continuing to monitor the situation closely and apply patches as they become available. FIT engineering will be reaching out as patches are released to setup emergency patching windows for FIT IT managed clients.

 

Recommendations:

If you are currently utilizing Log4j in your development or infrastructure, FIT recommends immediately applying the patch in version 2.17.0 (Java 8).

Additionally, these vulnerabilities have highlighted the importance of running a full application inventory of your environment and monitoring attack surface lists of affected applications to compare. It is critical to apply patches when available to all affected applications in your environment. The primary attack surface list in use by FIT Cybersecurity is published by Rumble and can be found here – Finding applications that use Log4J (rumble.run). It is updated daily, if not twice daily, and maintains the most complete list of applications affected by these vulnerabilities.

 

UPDATE — 12/17/21

CVE-2021-44228 & CVE-2021-45046

VMWare is starting to release patches for both vulnerabilities. Please reference this article against your environment to determine what patches are available for your infrastructure: VMSA-2021-0028.3 (vmware.com)

FIT Managed IT clients will be hearing from your engineering team as patches for your environment become available.

FIT Cloud Clients, emergency patches are being applied to your infrastructures this weekend.

Please Note: This is just the first round of patches and not everything has had a patch released yet. We anticipate this process continuing for the next few weeks at least. Depending on your environment, it is very possible you will need several emergency patching windows as more and more patches become available.

 

UPDATE —  12/16/21

We’d like to provide a status update of where we stand with the remediation efforts of the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).

CVE-2021-44228

FIT Solutions’ Managed IT clients are 95% patched for on-premise assets that are affected by this vulnerability, and the last 5% are actively being worked on by the engineering team. This vulnerability scope is evolving as new applications and services are identified to be vulnerable. FIT Solutions is actively investigating and monitoring all client infrastructures to identify and address any newly discovered vulnerable systems.

CVE-2021-45046

This new vulnerability that was produced from the remediation of CVE-2021-44228 remains in the monitoring state. A few patches have been released to address this, but a majority of software and solution providers are still working on updated patches to address it. FIT Cybersecurity is actively monitoring the situation and engaging the engineering team as soon as patches become available to implement in client environments.

Updated Recommendation

FIT Cybersecurity is recommending an additional layer of protection that can assist in defending against the Log4j vulnerabilities. If it is possible in the environment, we recommend that Outbound LDAP communications be blocked on the firewall. This will not completely protect your environment from the Log4j vulnerability, but will hamper attempts by bad actors to exploit the vulnerability by utilizing LDAP. FIT Cybersecurity and FIT Solutions will continue to collaborate on monitoring the situation and remediating client environments. If you have any questions or concerns, please do not hesitate to reach out to info@fitsolutions.biz.

 

UPDATE — 12/15/21

A new vulnerability was discovered that impacts all assets affected by the initial Log4j Vulnerability (CVE-2021-44228). This new vulnerability (CVE-2021-45046) is less severe than CVE-2021-44228 coming in with a CVSS score of 3.7 out of 10. Do not let the lower CVSS score fool you, the vulnerability is still something that requires immediate attention.

The initial patch released for Log4j will prevent an attacker from gaining complete control over an affected asset, but that same patch can be abused by attackers resulting in a denial-of-service (DoS) attack on the affected asset. These DoS attacks have the ability to take an affected asset down by flooding the asset with requests at such a volume that the asset cannot handle the load.

Currently, software and solution providers are scrambling to release new patches of their software that address this new vulnerability. Apache, the initial source of both these vulnerabilities, has released a new version of the Log4j logging library that fixes this issue. If you actively use Log4j, please make sure you update your version to 2.16.0 which resolves both vulnerabilities.

Here are some additional resources for more information on the new vulnerability CVE-2021-45046:

Apache’s Fix for Log4Shell Can Lead to DoS Attacks | Threatpost

Second Log4j Vulnerability (CVE-2021-45046) Discovered — New Patch Released (thehackernews.com)

FIT Cybersecurity and FIT Solutions Response

FIT Cybersecurity and FIT Solutions are collaborating actively to patch all FIT Solutions IT clients and advise all cybersecurity clients on next steps. As more patches become available, FIT Solutions will reach out to IT clients for emergency patching windows. It is important to note, about 90% of affected assets from FIT Managed IT clients have been patched with the initial patch or a workaround has been implemented. The remaining 10% are actively being worked on to complete patching of the initial CVE-2021-44228.

 

UPDATE — 12/14/21

Only about 30% of the software vendors impacted have released patches thus far. We urge decision-makers to approve emergency patching all week if possible as updates come out during the week. Though patching updates can be disruptive to work, the interruption would be far less than that caused by a breach. Our cybersecurity team built custom monitoring alerts to increase threat hunting while we wait for patches to be released. Our team is also trained on emergency response actions to stop the exploit from being leveraged. We are working with all our clients to strategically make plans to minimize risk to their businesses. For users of FIT Cloud, we have applied the work-around fixes to VMware while a patch is being developed to protect the Cloud infrastructure.

 

INITIAL 12/13/21

Late last week, two vulnerabilities came to light that have made large waves in the cybersecurity space. We wanted to make sure you are informed of these new and potentially dangerous vulnerabilities. FIT Solutions stands ready to assist in any way we can as we go through the remediation of these new vulnerabilities. Please do not hesitate to reach out to support@fitsolutions.biz with any questions or concerns you may have.

 

Apache Log4j Logging Library Vulnerability | CVE-2021-44228 | CVSS 10.0

The Apache Log4j vulnerability was released late on Friday, December 10, and has a large attack surface with potentially dangerous effects. This vulnerability allows attackers to gain complete control of affected systems. The Log4j logging library is widely used and can be found in different services from Apple, Twitter, Steam, Tesla, Elastic Search, and more. Ranking as a CVSS 10.0 out of 10, this vulnerability poses a significant threat to those that utilize or interact with the Apache Log4j Logging Library, and it is already being exploited in the wild.

This is a high criticality vulnerability and deserves your immediate attention. Recommended remediation is to immediately upgrade any direct use of the Log4j library to log4j-2.15.0.rc2. Log4j is also utilized in several tools for logging, monitoring, alerting, and dashboard solutions. This means the issue may not be that you are directly using the library, but your tools are, which would also leave you vulnerable. In these instances, update your tools to the latest version and monitor their publishers’ releases to ensure you update to the release meant to fix CVE-2021-44228.

Log4j is also a dependency in large number of applications for business and personal use. In these circumstances, we must wait for the application provider to update the Log4j library. With the intense scrutiny and attention this vulnerability has received, we anticipate patching within the next couple days if the issue has not been patched already.

If you are not sure if you or one of the tools you utilize use Log4j, Huntress has come out with a utility to check if you are vulnerable – Huntress – Log4Shell Tester

Here are some additional resources for CVE-2021-44228:

Critical RCE Vulnerability: log4j – CVE-2021-44228 (huntress.com)

Security warning: New zero-day in the Log4j Java library is already being exploited | ZDNet

NVD – CVE-2021-44228 (nist.gov)

 

SMA-3217 – SMA100 Unauthenticated Stack-based Buffer Overflow| CVE-2021-20038 | CVSS 9.8

The Unauthenticated Stack-based Buffer Overflow vulnerability is significant but in much smaller scope than the Log4j vulnerability. Affecting SMA 100 series appliances, this vulnerability can allow an unauthenticated attacker to execute commands as the nobody user, giving complete control of the device to the attacker.

Currently, there are no reports of this vulnerability being exploited in the wild, but it still warrants patching if you utilize any of these appliances. A patch has already been deployed by SonicWall and is readily available to all organizations that utilize these appliances. Our remediation recommendation is to immediately apply this patch to all affected SMA appliances.

Here are some more resources for CVE-2021-20038:

Security Advisory (sonicwall.com)

NVD – CVE-2021-20038 (nist.gov)

Patch Now: Sonicwall Fixes Multiple Vulnerabilities in SMA 100 Devices | Rapid7 Blog

FIT Cybersecurity & FIT Solutions Response

FIT Cybersecurity already has monitoring deployed to watch for Log4j exploitation attempts and is closely monitoring all logs for evidence of these attempts on our clients. We are collaborating with the engineering teams for FIT Solutions customers to ensure any available patches are applied to your environment immediately.

We are ready to assist and answer any questions you may have concerning these vulnerabilities.

PRESS RELEASE: SOCBOX Changes Its Name to FIT Cybersecurity in Major Rebrand

Network Security Provider Joins Sister Company FIT Solutions

San Diego, California, November 30, 2021 – SOCBOX has announced its name change to FIT Cybersecurity, joining its sister company FIT Solutions in a major rebrand. Founded in 2012 by CEO Ephraim Ebstein, the company is approaching its ten-year anniversary of helping organizations achieve their business goals through technology. FIT, which stands for Freedom Information Technologies, serves as an acronym uniting both brands under the same leadership and core values. Though the companies will remain separate entities along with their technical teams, Ebstein’s goal was to provide a more streamlined experience for clients and partners.

FIT Cybersecurity prides itself on providing quality solutions to critical industries such as legal, financial, education, healthcare and manufacturing. Ebstein shared the fundamental principles of the business: “FIT Solutions was created because of our desire to impact as many lives as possible for the better. This meant two things: creating opportunities for the team we care for dearly, and solving business problems for our clients to help those organizations achieve their objectives,” he said. “FIT Solutions looks to work with organizations that also have big goals so that together, we can help extend the reach to help as many people as possible.”

Unlike many of its competitors, FIT Cybersecurity offers an around-the-clock team of expert analysts, a human element that differentiates the company from others in the marketplace. “Most offerings on the market are proprietary tools that send alerts when incidents or suspicious activity are detected. Addressing such alerts still requires a human on your team to investigate and decide whether further action is necessary. Many organizations try to handle this in-house, but quickly realize that a single employee, even full-time, cannot properly monitor and manage the security tools because of 24/7 limitations,” Ebstein said. “We take care of that for you by acting as your 24/7 cybersecurity team, monitoring and managing whatever tools and systems you have in place for a fraction of the fully-burdened resources needed to handle it in-house. We investigate any activity or alerts, and take the appropriate action to deal with any security incident.”

FIT specializes in serving long-term healthcare facilities and law firms, both of which need solid IT and cybersecurity strategies. As Ebstein stated, “Technology and Cybersecurity are like the ‘tires and brakes’ of an organization. It is critical that they work well, especially the faster the organization moves. Those two services will determine whether an organization will be able to achieve its goals.”

However, the disparate branding had caused confusion for prospective partners, which Ebstein hopes to alleviate with the rebrand. “Our IT and cybersecurity offerings are very different and are operated by different technical teams. Despite that, our core values and the philosophy and processes used to deliver results are the same,” he said. When asked which businesses should consider FIT Solutions as their service provider of choice, he answered, “Businesses that are focused on growth, that are tired of having IT and cybersecurity issues and want the best value for their investment. Organizations that are focused on securing their assets and utilizing technology to allow them to scale successfully should have a conversation with us.”

Ebstein urges potential clients to research FIT Solutions to learn more. “The best way to see what it’s like to be a FIT partner is to look at our Google reviews. Two of our core values are ‘Raving Fan Culture’ (based on a book by Ken Blanchard) and ‘Results-Driven.’ This means it is in our DNA to overdeliver and, even when mistakes happen, to deliver results,” he said.

 

About FIT Cybersecurity: Formerly known as SOCBOX, FIT Cybersecurity is a subsidiary of FIT Solutions, offering a team of world-class cybersecurity experts dedicated to helping clients protect their valuable assets. In doing so, they combine a state-of-the-art Security Operations Center (SOC) with the best cybersecurity tools and managed security services available. FIT Cybersecurity becomes an organization’s cybersecurity team, monitoring the environment 24/7 to detect and prevent cyberthreats. Learn more here.

Get in touch.

Fill out the form and our team will get
back to you as soon as we can!