Microsoft has weighed in on Spring4Shell, a recently discovered flaw in the Spring Framework for Java.
Microsoft is telling customers of its Azure cloud service to patch the recently disclosed bug, a critical-rated remote code execution (RCE) vulnerability that’s been tagged as CVE-2022-22965 and dubbed SpringShell or Spring4Shell — a twist on the dire Log4Shell bug affecting another Java-based application logging utility.
While there was initial debate about how serious the bug is, sleuthing by security researchers in the days afterwards after the flaw was discovered revealed that Spring4Shell was indeed a serious bug that warranted attention.
The US Cybersecurity and Infrastructure Security Agency (CISA) on April 1 urged all US organizations, including federal agencies, to patch it immediately. On April 4, CISA added the bug to its catalog of known exploited vulnerabilities, which requires federal agencies to patch it within a deadline.
The Spring Framework is “the most widely used lightweight open-source framework for Java,” Microsoft notes. The bug resides in the Java Development Kit (JDK) from version 9.0 and upwards if the system is also using Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions.
“In Java Development Kit (JDK) version 9.0 or later, a remote attacker can obtain an AccessLogValve object through the framework’s parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path, if certain conditions are met,” Microsoft’s Defender threat intelligence team reports.
Other conditions required for exploitation include that Apache Tomcat serves as the Servlet container, that the app is packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance. However, Spring Boot is most commonly deployed as an embedded Servlet container or reactive web server, which are are not impacted.
“Any system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable,” Microsoft notes.
Microsoft notes that the only working exploit, a proof of concept, can only be used remotely on a Tomcat server via its logging module using certain commands. An attacker can change default access logs to whatever file they want by issuing requests to it over the web. An attacker can then change the contents of a web server or application.
Just like Log4Shell, Spring4Shell’s impact is felt through its inclusion in other products. Hypervisor firm VMware, for example, warned it affected its Tanzu services for virtual machines and container software.
“The current exploit leverages the same mechanism as in CVE-2010-1622, bypassing the previous bug fix. Java 9 added a new technology called Java Modules,” Microsoft assesses.
“An accessor was added to the Class object, called getModule(). The Module object contains a getClassLoader() accessor. Since the CVE-2010-1622 fix only prevented mapping the getClassLoader() accessor of Class objects, Spring mapped the getClassLoader() accessor of the Module object. Once again, one could reference the class loader from Spring via the class.module.classLoader parameter name prefix.”
Security teams interested in researching the subject can refer to this user post on GitHub. The team behind Spring has also explained the patch and vulnerability here.