"Spring4Shell" is a newly uncovered remote code execution (RCE) zero-day vulnerability in the Spring Framework that some are comparing to Log4Shell in severity. Dubbed "Spring4Shell" or "SpringShell", this vulnerability works in a similar way to CVE-2010-1622 but bypasses the measures implemented to protect against that vulnerability. It affects any application built on the Spring Core logging element, and anyone using software built on Spring, a widely popular framework comparable in scale to Apache Struts.
AppCheck Detection of Spring4Shell (CVE-2022-22965)
An emergency detection was deployed to the AppCheck vulnerability scan platform on Thursday 31st March to detect this flaw. It uses a passive (non-intrusive) method that confirms whether a web application is vulnerable by sending a crafted but non-harmful HTTP request.
AppCheck are closely monitoring various sources for further developments relating to Spring4Shell, and updating AppCheck platform capabilities as the situation unfolds.
Current Detection Methods & Detection Support
AppCheck currently makes use of two detection methods for this vulnerability when scanning from our public (cloud) scan hub platform:
- Sending a crafted HTTP GET request and analysing the response from the web application.
- Sending a crafted HTTP POST request and analysing the response from the web application.
Any existing scans will be updated to have this detection plugin enabled by default.
What else should customers do?
Whilst AppCheck strongly recommends that all customers scan their web applications if they suspect them to be vulnerable, it is also recommended that all customers conduct their own checks, as the true impact and scale of this vulnerability are yet to be understood due to the evolving nature of the disclosure and the wide range of vendors affected.
We also recommend reading up on the following article:
Relation to other Vulnerabilities
Spring4Shell bypasses the protections introduced for a previously known vulnerability tracked as CVE-2010-1622.
There have been some instances observed of Spring4Shell being conflated with or mistaken for another, separate vulnerability (CVE-2022-22963), which affects Spring Cloud Function, which is not part of the Spring Framework. Spring has since released updates to fix CVE-2022-22963, but it is completely unrelated to the Spring4Shell 0-day RCE.
This post will be updated as necessary as further details are uncovered or released.
31/03/2022 14:38 BST - Spring have now published an article regarding this vulnerability and have released security updates: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement