Recently the news broke that a critical zero-day vulnerability was detected in the Spring Core module, shipped as part of the Spring Framework, which allows a remote, unauthenticated attacker to execute their code on the server.
By some estimates, the Spring Core module is used in 74% of Java applications. The danger of the vulnerability is reduced by the fact that only applications that use the "@RequestMapping" annotation to hook up request handlers and bind web form parameters in the "name=value" (POJO, Plain Old Java Object) format, rather than JSON/XML, are susceptible to attack. It is not yet clear which Java applications and frameworks are affected by the issue.
This vulnerability, named "Spring4Shell", takes advantage of class injection leading to a full RCE and is very serious. The name "Spring4Shell" was chosen because Spring Core is a ubiquitous library, similar to log4j, which spawned the infamous Log4Shell vulnerability.
We believe that users running JDK version 9 and later are vulnerable to an RCE attack. All versions of Spring Core are affected.
There are strategies to mitigate the attack and we believe that not all Spring servers are necessarily vulnerable, depending on other factors discussed below. That said, we currently recommend that all users apply mitigations or upgrade if they are using Spring Core.
Exploitation of the vulnerability is only possible when using Java/JDK 9 or a newer version. The vulnerability is blocked by blacklisting the fields "class", "module", and "classLoader", or by using an explicit whitelist of allowed fields.
The problem is due to the ability to bypass the protection against CVE-2010-1622, a vulnerability fixed in the Spring Framework in 2010 and associated with execution of the classLoader handler when parsing request parameters.
The exploit amounts to sending a request with the parameters "class.module.classLoader.resources.context.parent.pipeline.first.*", the processing of which, when "WebappClassLoaderBase" is in use, leads to a call into the AccessLogValve class.
This class allows the logger to be configured so that it creates an arbitrary jsp file in the Apache Tomcat root and writes attacker-specified code into that file. The created file is reachable by direct request and can be used as a web shell. To attack a vulnerable application running under Apache Tomcat, it is enough to send a request with certain parameters using the curl utility.
The problem under consideration in Spring Core should not be confused with the newly identified vulnerabilities CVE-2022-22963 and CVE-2022-22950. The first issue affects the Spring Cloud package and also allows remote code execution to be achieved. CVE-2022-22963 is fixed in the Spring Cloud 3.1.7 and 3.2.3 releases.
The second issue, CVE-2022-22950, is present in Spring Expression, can be used to launch DoS attacks, and is fixed in Spring Framework 5.3.17. These are fundamentally different vulnerabilities. The Spring Framework developers have not yet made any statement about the new vulnerability and have not released a fix.
As a temporary protective measure, it is recommended that you use a blacklist of invalid request parameters in your code.
It is still not clear how catastrophic the consequences of the identified issue may be, or whether attacks will be as massive as in the case of the Log4j 2 vulnerability. The vulnerability has been codenamed Spring4Shell and assigned CVE-2022-22965, and Spring Framework updates 5.3.18 and 5.2.20 have been released to address it.
A patch is now available as of March 31, 2022 in the latest released Spring versions, 5.3.18 and 5.2.20. We recommend that all users upgrade. For those unable to upgrade, the following mitigations are possible:
Based on Praetorian's post confirming the presence of an RCE in Spring Core, the currently recommended approach is to patch DataBinder by adding a blacklist of the vulnerable field patterns needed for exploitation.
Finally, if you are interested in knowing more about this note, you can check the details in the following link.