A new vulnerability, dubbed SpringShell in Spring Framework, was recently discovered.

SpringShell was given a CVE ID of CVE-2022-22965, and results in Remote Code Execution (RCE) upon successful exploitation, compromising the web server and putting it under the attacker’s control. It affects Spring Framework versions 5.3.17/5.2.19 and lower (it was patched in versions 5.3.18/5.2.20).

AppScan users can detect this vulnerability both via AppScan’s SCA offering, and with the latest version of AppScan’s DAST engine.

Exploitation Prerequisites

While the issue itself is with Spring Framework, successfully exploiting it requires several additional prerequisites:

  • Application deployed as an Apache Tomcat servlet, packaged as a WAR executable
  • Running on JDK 9 or later
  • Dependency on spring-webmvc or spring-webflux

Root Cause Analysis

Spring Framework is an application framework that is widely used for development of web applications. Among its many features is data binding, that greatly simplifies a developer’s workflow when dealing with request handlers. Whereas with regular request handlers a developer must parse information from request parameters, Spring’s data binding feature automatically binds request parameter values to corresponding arguments in the request handler’s code, based on their names. This greatly simplifies the code and makes it more readable.

However, this data binding feature happens to have a bug. The implementation code unintentionally exposes a sensitive property named class (that points to the class of the object being bound), that can be abused to bind the request parameter values to fields of arbitrary objects in memory. It’s a kind of a high-level write-what-where primitive in Java. And while that does not enable code execution immediately, using this vulnerability to modify some carefully selected fields results in arbitrary code execution.

Exploitation via Tomcat Logging

The exploit abuses Apache Tomcat’s logging facilities, namely, an instance of the AccessLogValve class. There are multiple fields in that class that define Tomcat’s logging behavior, and the following fields are of interest:

 

  • prefix – the prefix that is added to log file filenames
  • suffix – the suffix that is added to log file filenames
  • pattern – the pattern used to format our access log lines
  • directory – the directory in which we create log files
  • fileDateFormat – date format to place in log file name

By changing those fields using the write-what-where primitive, it is possible to achieve arbitrary code execution on the server:

 

  1. Update the directory field to cause Tomcat to create the log files in a web application directory accessible via the web (such as Tomcat’s default webroot folder)
  2. Update the prefix and suffix fields to effectively set the log’s filename to something with a .jsp extension
  3. Set the fileDateFormat field to empty, so that prefix and suffix define the actual filename
  4. Set the pattern field to contain malicious JSP code that performs code execution

Once the above steps are complete, the attacker must wait for Tomcat to log something (or trigger a logging event by accessing a page on the website), and the malicious JSP file will be created and ready for access.

Mitigation

Although the above exploitation technique depends on multiple prerequisites, it is possible that new methods will be found, that will work in broader cases. Therefore, the proper fix to the problem is to update the Spring Framework used to a patched version (either 5.3.18 or 5.2.20, depending on whether Spring Framework 5.3.or 5.2 is used).

Comment wrap
Further Reading
article-img
Secure DevOps | June 24, 2022
Automatic Issue Correlation Now Part of HCL AppScan
There is no silver bullet that can solve the application security challenge. Each of the core technologies (IAST, DAST, and SAST) has strengths and weaknesses.Auto Issue Correlation allows us to leverage the strengths of each technology, while overcoming weaknesses with the advantages of the others. Furthermore, Auto Issue Correlation enhances your AST capabilities, improves your prioritization process and reduces remediation time and effort.
article-img
Secure DevOps | June 6, 2022
Guide To Reliable Application Security Testing Software
Looking for a secure solution for fast, accurate, and agile application security testing? You can come across reliable market-leading web application security testing facilities that quickly detect system vulnerabilities. Read the blog to know more.
article-img
Secure DevOps | April 28, 2022
Latest Version of AppScan Standard Now Available
AppScan standard has been a market-leading DAST solution for the last 20 years with evolving capabilities throughout the years.
Close
Filters result by
Sort:
|