Spring4Shell – a new zero-day vulnerability which affects Spring users
It is the second critical bug identified in the framework within a week. Spring is a widely used application framework and inversion-of-control container for the Java platform. Its core features can be used by any Java application, which means a large number of users may be affected by the new Spring4Shell vulnerability.
The CVE-2022-22963 vulnerability
Spring’s user pool is so immense that simply citing a “bug” doesn’t convey the true scale of the problem, so the main security vulnerability has been assigned the identifier CVE-2022-22963. It is a SpEL expression injection bug in Spring Cloud Function, disclosed on March 28th by NSFOCUS.
CVE-2022-22963 affects Spring Cloud Function versions 3.1.6, 3.2.2 and older. When the routing functionality is used, a user can supply a specially crafted SpEL expression as the routing expression, which may result in remote code execution and access to local resources.
The severity of CVE-2022-22963 has been classified as critical. Users of affected versions should immediately upgrade to 3.1.7 or 3.2.3; no other steps are deemed necessary at this stage.
The second Spring bug – CVE-2022-22965
A second remote code execution (RCE) bug, known as the Spring4Shell or Springshell vulnerability and tracked as CVE-2022-22965, was also discovered in the Java-based Core module of the Spring Framework. Although the commit containing the exploit code has since been deleted, its removal may have come too late. It is important to note that the Spring Framework is different from Spring Cloud Function.
Cybersecurity experts state that, once the CVE-2022-22965 code had been translated, it appeared to show how unauthenticated attackers could trigger RCE on target systems. Spring.io itself confirmed the existence of the zero-day vulnerability.
Working through the Springshell problem
The RCE bug stems from controller methods that take POJO parameters and are annotated with @RequestMapping. Attackers can exploit the vulnerability to drop a payload and execute commands. So far, the issue appears to be limited to deployments on Tomcat.
Spring conducted a thorough investigation and analysis, explored different ways of identifying a fix and tested it, while aiming for emergency releases on March 30th. It is also working on full releases and the all-important CVE report.
Repairing the Springshell damage
Spring states that if you are able to upgrade to Spring Framework 5.3.18 or 5.2.20, no workarounds are necessary. It says that downgrading to Java 8 provides a viable workaround, which may be the quickest and simplest tactical solution until you can upgrade to a supported Spring Framework version.
For older, unsupported Spring Framework versions, the advice is to upgrade to Apache Tomcat 10.0.20, 9.0.62 or 8.5.78, which protects against the reported attack vector.
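The version guidance above, turned into an inventory check as an added example (this is not RiskXchange’s or Spring’s own tooling): it classifies a recorded component version against the fixed releases named in this article and applies the Java 8 and Tomcat fallbacks for CVE-2022-22965. The component names and the `java_major` parameter are assumptions made here.

```python
"""Added example: check inventoried versions against the fixed releases
named in the article (Spring Cloud Function 3.1.7/3.2.3, Spring Framework
5.3.18/5.2.20, Tomcat 10.0.20/9.0.62/8.5.78). Component names are assumed."""
from typing import Dict, Tuple

# First safe patch level per supported branch, keyed by (major, minor).
# A branch not listed here is treated as unsupported and therefore unsafe.
FIXED: Dict[str, Dict[Tuple[int, int], int]] = {
    "spring-cloud-function": {(3, 1): 7, (3, 2): 3},           # CVE-2022-22963
    "spring-framework":      {(5, 2): 20, (5, 3): 18},         # CVE-2022-22965
    "tomcat":                {(8, 5): 78, (9, 0): 62, (10, 0): 20},
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.3.17.RELEASE' or '9.0.62' into (major, minor, patch).
    Parsing stops at the first non-numeric part, so '5.3.18-SNAPSHOT'
    becomes (5, 3, 0) and is deliberately treated as not fixed."""
    nums = []
    for part in text.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]

def is_fixed(component: str, version: str) -> bool:
    """True only if the version is on a supported branch at or above its fix."""
    major, minor, patch = parse_version(version)
    first_safe = FIXED[component].get((major, minor))
    return first_safe is not None and patch >= first_safe

def assess_spring4shell(spring_version: str, tomcat_version: str, java_major: int) -> str:
    """Apply the article's CVE-2022-22965 guidance in order of preference:
    patched framework, Java 8 workaround, then the Tomcat upgrade."""
    if is_fixed("spring-framework", spring_version):
        return "fixed"
    if java_major <= 8:
        return "mitigated (Java 8 workaround)"
    if is_fixed("tomcat", tomcat_version):
        return "mitigated (Tomcat upgrade)"
    return "VULNERABLE"

if __name__ == "__main__":
    # Constructed sample inventory rows, not real hosts.
    for host, spring, tomcat, java in [("app-01", "5.3.17.RELEASE", "9.0.62", 11),
                                       ("app-02", "5.2.20", "8.5.70", 17),
                                       ("app-03", "4.3.30", "9.0.61", 11)]:
        print(host, assess_spring4shell(spring, tomcat, java))
```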
Limit the impact
On top of everything mentioned above, it’s important to ensure that your organisation limits the impact of all possible vulnerabilities. Let’s look at how:
- Manage your assets
Not every zero-day vulnerability will affect your organisation. Ongoing asset inventory and vulnerability assessments are key, and uninstalling software that is no longer needed will help. Also disable features that are no longer necessary.
- Break the chain
Continuous monitoring of the network helps break the attack chain. Threat hunting should also be used to search systems for vulnerabilities. This should help prevent attackers who use zero-day vulnerabilities from gaining entry to, and residing within, a network.
- Patch
Patching after a zero-day has already impacted your company’s network may not stop that attack, but it can still be used to verify that all available fixes have been applied.
- Stay informed
Security teams must keep on top of the news, look out for any major breaches or attacks, and stay informed. It’s also important to educate staff on cybersecurity basics and formulate a reporting process to highlight anything that looks suspicious.
The solution to security vulnerabilities
RiskXchange can help organisations of any size tackle vulnerabilities like Spring4Shell/Springshell and CVE-2022-22963. We can identify vulnerabilities on any internet-facing system or network, and we advise on why patches should be applied and what the risks are of not patching against specific vulnerabilities.
“Keeping open-source software fully patched can be a challenging problem. That is why RiskXchange is on hand to ensure that you are kept fully aware of any issues like this critical vulnerability before they have a chance to have a negative impact on your systems.”
RiskXchange CEO, Darren Craig
RiskXchange conducts a wide range of security assessments to help improve your cybersecurity risk. We deliver an all-encompassing, 360-degree view of any organisation’s cybersecurity posture.
Get in touch with RiskXchange to find out more about how to tackle security issues like the Springshell vulnerability.