spring4shell
Operational information regarding the Spring4Shell vulnerability (CVE-2022-22965) in the Spring Core Framework.
- NCSC-NL advisory
- Spring.io announcement of vulnerability
- CISA advisory & CISA known exploited vulnerabilities
- CERT Bund advisory
Repository contents
- README.md: contains general information and detection and mitigation measures
- software/README.md: contains a list of known vulnerable and not vulnerable software.
- services/README.md: contains a list of known vulnerable and not vulnerable services.
NCSC-NL has published a HIGH/HIGH advisory for the Spring4shell vulnerability. Normally we would update a HIGH/HIGH advisory for vulnerable software packages, however due to the expected number of updates we have created a list of known vulnerable software in the software directory.
Mitigation measures
Determine if the Spring Core Framework is used in your network. Ensure that deployments of the Spring Core Framework are running a version equal to or greater than 5.3.18 or 5.2.20. Scanning tools are available to help find vulnerable software (Linux and Windows). You can find them below in the section "Detection". Note: the results of these tools do not guarantee that you do not have vulnerable systems. The requirements for the specific vulnerable scenario in the report published by Spring are as follows:
- Running on JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as a traditional WAR and deployed in a standalone Tomcat instance. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted.
- spring-webmvc or spring-webflux dependency.
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.
Ask your suppliers if they use Spring Core Framework in their applications. Check for critical systems if your vendor has published a patch and deploy this as soon as possible.
If updating is not possible in the short term, check the original Spring.io advisory for possible workarounds. If you are unable to apply these workarounds, we advise to consider shutting down the system until a patch becomes available.
This GitHub page contains a list which is kept up-to-date by NCSC-NL. It can provide you with information about which vendors have published a patch. However, we advise you to monitor information provided by your software vendors as well.
- Check your logs, vulnerable systems and systems that have already been patched for signs of compromise.
- Monitor future updates on Spring4Shell.
Mitigation by vendors
Detection
This table contains an overview of local and remote scanning tools regarding the Spring4shell vulnerability and helps to find vulnerable software.
NCSC-NL has not verified the scanning tools listed below and therefore cannot guarantee the validity of said tools. However NCSC-NL strives to provide scanning tools from reliable sources.
The following IPs were observed as scanning IPs for this vulnerability:
| Note | Links |
|---|---|
| GreyNoise | Scanning IPs |
The following hashes were observed:
| Note | Links |
|---|---|
| Nextron-systems | Spring-core-rce-attempt |
| Nextron-systems | Spring-core-after-exploitation |
The following detection rules are available:
| Note | Links |
|---|---|
| Yara rules - Neo23x0 | https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar |
| Splunk queries - West-wind | https://github.com/west-wind/Spring4Shell-Detection |
| ET Suricata rules (EXPLOIT Possible SpringCore RCE/Spring4Shell) | https://rules.emergingthreats.net/open/suricata-5.0/rules/emerging-exploit.rules |
| Cisco SNORT (SID 30790-30793, 59388, and 59416) | https://blog.talosintelligence.com/2022/03/threat-advisory-spring4shell.html |
Contributions welcome
If you have any additional information to share relevant to the Spring4shell vulnerability, please feel free to open a Pull request. New to this? Read how to contribute in GitHub's documentation.