A serious security vulnerability has been discovered in the Spring Cloud Java framework; it may lead to remote code execution (RCE) and the compromise of an entire internet-connected host.
The Spring4Shell vulnerability
The Spring Cloud Function vulnerability is being tracked as CVE-2022-22963 and has been dubbed Spring4Shell. Shortly after its disclosure, an exploit for this zero-day vulnerability was briefly leaked online. In addition, information about another critical Spring Core RCE vulnerability was found circulating on a Chinese cybersecurity site and on the QQ chat service.
Initially, the flaw was thought to affect every Spring application running on Java 9 or later.
It was later found that additional conditions must be met for a Spring application to be vulnerable.
Exploitation requires an endpoint with DataBinder enabled, and it depends on the servlet container the application runs in.
An exploitation scenario
When Spring is deployed on Apache Tomcat, the WebAppClassLoader becomes accessible, allowing an attacker to chain getter and setter calls until a malicious JSP file is written to disk.
In some configurations, exploiting this issue is simple and only requires the attacker to send a crafted POST request to a vulnerable system.
In other configurations, the attacker has to find payloads that actually work against that setup.
Conclusion
Researchers believe the Spring4Shell vulnerability has the potential to become the next infamous Log4Shell flaw. One way to partially block Spring4Shell attacks is to disallow certain field-name patterns from being passed to the Spring Core DataBinder functionality.
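As an added illustration (not code from the article) of the DataBinder denylist mitigation just described, the following Spring `@ControllerAdvice` registers disallowed field patterns for every controller in an application. The class name is hypothetical; the patterns are the ones Spring recommended as an interim workaround for this issue.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Hypothetical class name; applies to every controller in the application.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Request-parameter names matching these patterns are never bound to the
    // target object, which blocks property paths that start at getClass().
    // Matching is case-sensitive, so both spellings are listed, and the "*."
    // variants cover the same property reached through a nested path.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Denied fields are recorded as "suppressed" on the BindingResult
        // rather than raising an error, so normal binding continues.
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

Controllers that declare their own `@InitBinder` method and call `setDisallowedFields` themselves replace this list rather than extend it, so each such method must include the same patterns for the mitigation to hold.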