
Two new Spring Framework vulnerabilities have surfaced over this last week, and both are considered critical.

The first of these is an unauthenticated Remote Code Execution (RCE) issue in the Spring Cloud Function and has been listed as a vulnerability with an identifier of CVE-2022-22963. The other is also an unauthenticated RCE issue, but this is in the core Spring Framework and with the identifier CVE-2022-22965. There are patches available for both issues as of March 31.

CVE-2022-22965, also known as Spring4Shell or SpringShell

Root cause analysis has determined that the issue is due to a function in the Spring Framework exposing the class object when parameters are bound. This parameter binding allows HTTP request parameters to be bound to application-level objects.

With the class object exposed, an attacker can manipulate it simply by adding URL parameters to an HTTP request, which leads to remote code execution. Proof-of-concept exploits drop a webshell on the Tomcat server by altering the log path and writing the webshell contents to a JSP file; the attacker can then issue arbitrary commands that execute on the server. Since the proof-of-concept exploit was published, active exploitation has been observed in the wild.

CVE-2022-22965 has a severity of “Critical”, so a top priority for developers that use the Spring Framework should be upgrading to 5.3.18 or 5.2.20.

If you are not sure whether your application is at risk, the fastest way to find out is through Software Composition Analysis (SCA) techniques.

SCA will determine if an application contains the vulnerable version of the Spring Framework, as well as any other publicly known vulnerabilities.
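As an added illustration of the kind of check SCA performs (this is example code written for this post, not HCL's or AppScan's implementation), the script below walks a directory for Spring Framework jars, reads the version from the jar name or, failing that, from Implementation-Version in the jar's MANIFEST.MF, and reports whether that version is at or above the patched releases named above (5.3.18 and 5.2.20). The jar names, paths and manifest contents in the demo are constructed for the example; the list of framework module names and the reliance on the manifest field are assumptions of this example, and a version on any line other than 5.3 or 5.2 is reported as not patched because no fixed release exists for it.

```python
"""Added example (not HCL's or AppScan's code): a minimal SCA-style check
for Spring Framework jars against the patched releases named in the post
(5.3.18 and 5.2.20). Jar names, paths and manifest contents are constructed."""
import re
import tempfile
import zipfile
from pathlib import Path

# Patched releases per the post: 5.3.18 on the 5.3 line, 5.2.20 on the 5.2 line.
PATCHED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Assumption: these Spring Framework modules share the framework version, so
# any one of them reveals it. Other spring-* jars (Boot, Security, Cloud) have
# their own version lines and are deliberately ignored.
FRAMEWORK_MODULES = {"spring-core", "spring-beans", "spring-context",
                     "spring-web", "spring-webmvc"}
JAR_NAME = re.compile(r"^(spring-[a-z]+)-(\d+\.\d+\.\d+)")


def parse_version(text):
    """Return (major, minor, patch) from '5.3.17' or '5.3.17.RELEASE';
    None when the string does not start with three numeric components."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version):
    """True only when the version is at or above the fixed release on its
    line. Lines without a fix (5.1 and older) are reported as not patched;
    the remedy in every case is the upgrade the post recommends."""
    fixed = PATCHED.get(version[:2])
    return fixed is not None and version >= fixed


def version_from_jar(path):
    """Version from the file name (spring-core-5.3.17.jar) or, for renamed
    jars, from Implementation-Title/Implementation-Version in the manifest.
    Returns None for jars that are not Spring Framework modules."""
    m = JAR_NAME.match(path.name)
    if m:
        return parse_version(m.group(2)) if m.group(1) in FRAMEWORK_MODULES else None
    with zipfile.ZipFile(path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    title = re.search(r"^Implementation-Title:\s*(\S+)", manifest, re.M)
    ver = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    if title and ver and title.group(1) in FRAMEWORK_MODULES:
        return parse_version(ver.group(1))
    return None


def scan(root):
    """Walk root for jars; return {jar name: (version, patched?)} for every
    Spring Framework jar whose version could be determined."""
    findings = {}
    for jar in Path(root).rglob("*.jar"):
        version = version_from_jar(jar)
        if version is not None:
            findings[jar.name] = (version, is_patched(version))
    return findings


def make_jar(path, title, version):
    """Write a constructed jar containing only a manifest (demo fixture)."""
    manifest = (f"Manifest-Version: 1.0\nImplementation-Title: {title}\n"
                f"Implementation-Version: {version}\n")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)


def demo():
    """Build a constructed lib/ tree and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        make_jar(lib / "spring-core-5.3.17.jar", "spring-core", "5.3.17")   # vulnerable
        make_jar(lib / "spring-web-5.3.18.jar", "spring-web", "5.3.18")     # patched
        make_jar(lib / "renamed-lib.jar", "spring-beans", "5.2.20")         # name hides version
        make_jar(lib / "spring-boot-2.6.6.jar", "spring-boot", "2.6.6")     # not a framework module
        return scan(lib)


if __name__ == "__main__":
    for name, (version, ok) in sorted(demo().items()):
        print(f"{name}: {'.'.join(map(str, version))} {'patched' if ok else 'NOT PATCHED'}")
```

The name-then-manifest order matters in practice: build tools and shading routinely rename jars, and the renamed-lib.jar fixture shows why a scanner that only trusts file names would miss a copy of the framework.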

If you need a tool for this kind of scanning, HCL AppScan on Cloud is available and contains capabilities for identifying these and other vulnerabilities.

Figure 1 below highlights CVE-2022-22965 found in a spring-core jar file.

 

CVE-2022-22965 found in a spring-core jar file

Figure 2 below shows part of an Open-Source Report containing specific vulnerability findings.

 

Open-Source Report containing specific vulnerability findings

 

Current customers that own an OSA license can choose to scan Open Source and third-party libraries. If you are not a current AppScan on Cloud customer, these SCA capabilities are also available in our free 30-day trial.
