Threat Watch

Java Spring Core Framework RCE Vulnerability

The Spring Framework (Spring) is an open-source application framework that provides infrastructure support for Java applications. One of the more popular Java Enterprise Edition (Java EE) frameworks, Spring helps developers build performant applications around plain Java objects. On the morning of Tuesday, March 29th, 2022, a researcher at KnownSec posted a demonstration of Remote Code Execution (RCE) against the Spring Framework, but the original post was removed shortly afterwards. Since then, industry researchers have been closely examining these unconfirmed claims.

Researchers at LunaSec have postulated that the vulnerable code lies within Spring's "CacheResultInterceptor" class, which requires that a vulnerable method be marked with the "@CacheResult" annotation. They went on to say that "'The vulnerable code' in Spring is creating a 'deep clone' of an object by serializing and then deserializing it. In Java, any attempts to deserialize an object can result in RCE if an attacker is able to control the data being passed." The vulnerability is reported to exist in Spring Core when running on JDK 9 or later. LunaSec has published an example vulnerable application built with Spring Boot and is calling on the information security community to share Proof of Concept (PoC) exploits against it to better understand the potential impact.

Because the vulnerability was discovered so recently, no CVE has been assigned. Investigators have been quick to liken it to the recent Log4Shell vulnerability in Apache Log4j2, which had wide-reaching impact.

Separately, a vulnerability in Spring Cloud Function involving the Spring Expression Language (SpEL) has been confirmed, and the Spring team has published a CVE for it: CVE-2022-22963, Spring Expression Resource Access Vulnerability. The Spring team has released Spring Cloud Function 3.1.7 and 3.2.3 to patch it, and anyone using Spring Cloud Function is advised to upgrade as soon as possible. Note that this is a distinct issue from the unconfirmed Spring Core RCE described above; patching it does not address the Spring Core claims.

ANALYST NOTES

– On servers running the Spring Framework, run 'java -version' to check the installed Java version. The reported issue requires JDK 9 or later, so hosts on Java 8 or earlier are not affected by it.
– To identify whether the Spring Framework is in use, run the following command on Linux systems: find / -type f -iname 'spring-beans-*.jar'
– If no 'spring-beans-*.jar' is found, Spring may still be bundled inside another archive (for example a Spring Boot fat jar or a WAR). Unpack the archive and search the extracted tree for the related class file with the following command on Linux systems: find /path/to/decompression/directory -type f -iname 'CachedIntrospectionResults.class'

If the environment runs Java applications directly from jar packages, unzip the jar file, change into the unzipped directory and run the above commands there to find the related Spring objects.
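The triage steps above, collected into one script. This is an added example for this note, not tooling from the original post, from LunaSec or from the Spring project. It assumes POSIX sh with find, grep and sed available. The jar check relies on the fact that a zip archive stores its entry names uncompressed, so the class name can be found with a binary grep on the jar itself without unpacking it; this also covers Spring Boot fat jars, whose nested BOOT-INF/lib jars are stored uncompressed. The paths and version banners in the usage are constructed for illustration.

```shell
#!/bin/sh
# Spring exposure triage: installed Java major version, spring-beans jars under a
# root directory, and the CachedIntrospectionResults class inside any jar found.
# Added example for this note; assumes POSIX sh, find, grep, sed.

# Extract the Java major version from a `java -version` banner line.
# "1.8.0_292" (legacy 1.x scheme) -> 8, "11.0.2" -> 11, "17" -> 17.
java_major_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;
    esac
}

# Major version of the java on PATH; returns non-zero if none is installed.
installed_java_major() {
    command -v java >/dev/null 2>&1 || return 1
    java_major_version "$(java -version 2>&1 | head -n 1)"
}

# List spring-beans jars under a root directory, one path per line.
find_spring_jars() {
    find "$1" -type f -iname 'spring-beans-*.jar' 2>/dev/null | sort
}

# True if the jar carries CachedIntrospectionResults.class. Zip entry names are
# stored uncompressed in the archive, and Spring Boot stores nested BOOT-INF/lib
# jars uncompressed, so a binary grep finds the entry without unpacking.
jar_has_class() {
    grep -a -q 'org/springframework/beans/CachedIntrospectionResults\.class' "$1"
}

# Full scan of a root directory: Java version, then every jar carrying the class.
scan() {
    root=${1:-.}
    major=$(installed_java_major) || major="not found"
    echo "java major version: $major"
    if [ -n "$major" ] && [ "$major" != "not found" ] && [ "$major" -le 8 ]; then
        echo "note: Java 8 or earlier; the reported Spring Core issue needs JDK 9+"
    fi
    find "$root" -type f -iname '*.jar' 2>/dev/null | while read -r jar; do
        if jar_has_class "$jar"; then
            echo "spring-beans present: $jar"
        fi
    done
}

# Usage: sh spring_triage.sh /opt/apps   (path is a constructed example)
if [ "$#" -gt 0 ]; then
    scan "$1"
fi
```

Run it against the application root rather than against an extracted copy; because the check greps the archives directly, fat jars and WARs do not need to be unpacked first. It only establishes whether Spring's bean machinery is present on the host, not whether any particular endpoint is exploitable.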

There is currently no patch for this vulnerability. Until one is released, the following measures are recommended as temporary protection for the environment.

– Search the application globally for the @InitBinder annotation and check whether dataBinder.setDisallowedFields is called in the method body. Wherever it is, append "class.*", "Class.*", "*.class.*" and "*.Class.*" to the existing disallowed-field list. (Note: if this pattern appears in many places, it must be appended in every one of them, because each setDisallowedFields call replaces the binder's list rather than adding to it.)

– Create the following global class under the application's project package and ensure that it is loaded by Spring (adding it to the package that holds the Controllers is recommended). After the class is added, recompile and package the project, verify that it still functions correctly, and then redeploy it.

import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applies to every controller. The high @Order value runs this advice after
// other @ControllerAdvice beans, so its disallowed-field list is the one left
// in effect; a controller's own @InitBinder can still override it (see above).
@ControllerAdvice
@Order(10000)
public class GlobalControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Block request-parameter binding into the "class" property, and any
        // nested property reached through it, on every bound object. Both
        // capitalisations are listed because the patterns match case-sensitively.
        String[] abd = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(abd);
    }
}

https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html

https://github.com/lunasec-io/spring-rce-vulnerable-app

https://bugalert.org/content/notices/2022-03-29-spring.html