A new vulnerability, dubbed Spring4Shell, has been found in Spring Core, the popular application framework for building Java applications with enterprise-focused features. It has no CVE yet and is easily confused with two other Spring flaws disclosed the same week: CVE-2022-22963, a code-injection bug in Spring Cloud Function that was published on the 29th of March, and CVE-2022-22950, a medium-severity denial-of-service bug in the Spring Expression Language. Both of those were patched promptly, and neither is related to Spring4Shell, which allows remote code execution.
Leaked into Chinese platforms
Shortly after the vulnerability surfaced, proof-of-concept exploit code was posted publicly on QQ, the Chinese messaging platform, and on a Chinese cybersecurity site. The PoC gives an attacker unauthenticated remote code execution. It was taken down after a short time, but in that window security researchers around the world managed to download it, and they report that it does indeed work.
A Java Springcore RCE 0day exploit has been leaked. It was leaked by a Chinese security researcher who, since sharing and/or leaking it, has deleted their Twitter account.
We have not verified the exploit.
tl;dr big if true
Download the 0day POC here: https://t.co/SgPCdI00TS
— vx-underground (@vxunderground) March 30, 2022
Spring4Shell is not a deserialization bug but an unsafe data-binding one: Spring MVC's DataBinder maps request parameter names onto nested property paths of a POJO argument, and on JDK 9 and later the binder can follow the getters behind class, class.module and class.module.classLoader down to the class loader of the deployed application. The older class.classLoader path has been blocked since CVE-2010-1622; the class.module.classLoader path, which only exists since the Java module system, was not. The flaw therefore affects handler methods that use the RequestMapping annotation with POJO parameters bound through DataBinder. It does not affect out-of-the-box configurations: exploitation relies on specific setups and depends heavily on the servlet container, because what an attacker can do with the class loader depends on the writable properties that loader exposes. The leaked PoC relies on Tomcat-specific class-loader properties and needs a JDK 9 or newer runtime.
Several security companies report that Spring Framework versions from at least 4.3.0 through 5.3.15 (released on 13 January 2022) are affected by this bug. There is currently no patch. Some researchers suggest mitigating the issue by profiling affected Spring-based applications on a web application firewall and blocking requests whose parameter names contain strings such as class., Class., .class. or .Class.; Praetorian instead suggests a ControllerAdvice whose InitBinder method adds those dangerous patterns to DataBinder's disallowed-fields denylist for every controller. One caveat: setDisallowedFields replaces the binder's list rather than appending to it, so a controller that has its own InitBinder method calling setDisallowedFields overrides the global advice and needs the same patterns added there too. Praetorian's example snippet is shown below:
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applies to every controller in the application. The high @Order value makes this
// the last ControllerAdvice to configure the binder (a controller's own @InitBinder
// methods still run afterwards and can override the setting).
@ControllerAdvice
@Order(10000)
public class BinderControllerAdvice {

    // Invoked for each WebDataBinder that Spring MVC creates for a request.
    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Reject any parameter whose property path starts with or traverses "class",
        // which covers class.module.classLoader.* and its capitalised variant.
        // Note: this replaces any disallowed-field list already set on the binder.
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
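The following Java program is added here as an illustration; it is not part of the original article or of Praetorian's code. It shows, on a plain JVM without any servlet container, both halves of the issue described above: first, that Spring's BeanWrapperImpl will read the nested property path class.module.classLoader from an ordinary form-backing object (this is the traversal the flaw depends on; it succeeds on Spring Framework 5.3.17 and earlier with JDK 9+, and throws NotReadablePropertyException on JDK 8 or on 5.3.18 and later, where the properties of Class were restricted), and second, that a WebDataBinder configured with the same denylist as the ControllerAdvice suppresses a parameter aimed at that path while still binding a legitimate field. It assumes spring-beans and spring-web on the classpath and JDK 9 or newer; the Greeting class, the method names and the parameter names are constructed for the example, and the probed class-loader property is a harmless stand-in for the container-specific ones a real exploit would target.

```java
import java.util.Map;

import org.springframework.beans.BeanWrapperImpl;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.beans.NotReadablePropertyException;
import org.springframework.web.bind.WebDataBinder;

public class DenylistCheck {

    /** Constructed example: a typical form-backing POJO as used in a @RequestMapping method. */
    public static class Greeting {
        private String message;
        public String getMessage() { return message; }
        public void setMessage(String message) { this.message = message; }
    }

    /**
     * Can bean-property navigation reach the class loader from this object?
     * BeanWrapperImpl walks getClass() -> getModule() -> getClassLoader().
     * Returns true on Spring Framework <= 5.3.17 with JDK 9+ (the vulnerable combination),
     * false on JDK 8 (no "module" property) and on 5.3.18+ (Class properties restricted),
     * where the traversal fails with NotReadablePropertyException.
     */
    public static boolean classLoaderReachable(Object bean) {
        try {
            Object value = new BeanWrapperImpl(bean).getPropertyValue("class.module.classLoader");
            return value instanceof ClassLoader;
        } catch (NotReadablePropertyException ex) {
            return false;
        }
    }

    /**
     * Bind a set of request parameters through a WebDataBinder configured exactly as the
     * @ControllerAdvice above configures every binder, and return the parameter names
     * the binder refused (they are removed before any property is written).
     */
    public static String[] bindWithDenylist(Object target, Map<String, ?> params) {
        WebDataBinder binder = new WebDataBinder(target);
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
        binder.bind(new MutablePropertyValues(params));
        return binder.getBindingResult().getSuppressedFields();
    }

    public static void main(String[] args) {
        Greeting greeting = new Greeting();
        System.out.println("class.module.classLoader readable: " + classLoaderReachable(greeting));

        // Constructed request parameters: one legitimate field and one that tries to
        // walk into the class loader (defaultAssertionStatus is a harmless writable
        // property of java.lang.ClassLoader, used here only as a probe).
        Map<String, String> params = Map.of(
                "message", "hello",
                "class.module.classLoader.defaultAssertionStatus", "true");

        String[] suppressed = bindWithDenylist(greeting, params);
        System.out.println("bound message: " + greeting.getMessage());
        System.out.println("suppressed parameters: " + String.join(", ", suppressed));
    }
}
```

Running classLoaderReachable against your own Spring version doubles as a quick check of whether the traversal is still open; the bind step shows that the denylist works at the DataBinder level, which is why the ControllerAdvice is effective regardless of which controller receives the request, as long as no controller-local InitBinder overrides it.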