What Causes the SpringShell Vulnerability?

The SpringShell vulnerability lies in the Spring Framework “data binding” mechanism. This mechanism takes parameters from the request URL or request body, and assigns them to function arguments or in some cases into Java objects.

Why is SpringShell So Dangerous?

The Spring Framework is an extremely popular framework for building web applications, and the SpringShell vulnerability lies in the heart of this framework, meaning many web applications that are built using the Spring Framework will be susceptible to this issue.

How is SpringShell Being Exploited Currently?

There are many ways to exploit the modification of ClassLoader in order to obtain remote code execution, but the original published PoC exploit chose to exploit this security vulnerability with a Tomcat-specific technique - abusing the AccessLogValve to obtain arbitrary file overwrite.

When Exactly is the SpringShell Vulnerability Exploitable?

At a high-level, your web application may be vulnerable if: Your web application is built on the Spring Framework (for example, using Spring Boot). Your web application is running on JDK 9 or any later version. Your web application uses data binding to bind request parameters to a Java object.

How Can I Test For the SpringShell Issue?

For testing of live endpoints, other than running one of the PoC exploits available, the Randori Attack Team published a simple test using curl

How Can I Completely Fix the SpringShell Vulnerability?

The best way to fix SpringShell is to upgrade Spring Framework to version 5.2.20 or 5.3.18. If you are using Spring Boot directly - upgrade to version 2.6.6

Can I Mitigate the SpringShell Issue Without Upgrading?

The best course of action is to upgrade Spring Framework (as shown in the last section). If upgrading is currently not possible, the official Spring blog suggests modifying your application code and adding a @ControllerAdvice that blocks assignments to some of the ClassLoader internal fields

Is the JFrog platform Vulnerable to SpringShell?

After conducting an internal research, we can confirm that the JFrog platform is not vulnerable to SpringShell (CVE-2022-22965) or the recent RCE vulnerability in Spring Cloud Function (CVE-2022-22963).

Is SpringShell Related to CVE-2022-22963 or CVE-2022-22950?

Unfortunately, two other Spring CVEs were released at the same time as SpringShell (CVE-2022-22965) which caused a lot of confusion. These two additional CVEs are not related to SpringShell, and each of them should be handled separately from SpringShell.

How Can I Use JFrog Xray to Detect the SpringShell Vulnerability?

JFrog Artifactory and JFrog Xray can detect artifacts vulnerable to the SpringShell vulnerability, for any supported artifact type, and is augmented with detailed research data and mitigations. Stay tuned for an in-depth blog post showing how to pinpoint and resolve SpringShell-affected artifacts.

SpringShell Archives

Your SpringShell (Spring4Shell) Remediation Cookbook Using the JFrog Platform

April 01, 2022

A new zero-day exploit in the spring-web package called “SpringShell” (nicknamed “Spring4Shell”) was just leaked and is threatening the internet and the community. The JFrog security research team is investigating the exploit and continuously updating our blog post with technical details on the SpringShell (Spring4Shell) vulnerability. In this technical blog post, we explain how you …

SpringShell (Spring4Shell) Zero-Day Vulnerability CVE-2022-22965 : All You Need To Know

March 31, 2022

On March 29th, the cyberkendra security blog posted a sensational post about a Log4Shell-equivalent remote code execution (RCE) zero-day vulnerability in Spring Framework, but without any solid details about the vulnerability itself. The security vulnerability was nicknamed “SpringShell” (or “Spring4Shell”) , due to its alleged significance likening the infamous “Log4Shell.” A day later, on March …

Your SpringShell (Spring4Shell) Remediation Cookbook Using the JFrog Platform

SpringShell (Spring4Shell) Zero-Day Vulnerability CVE-2022-22965 : All You Need To Know

Popular Tags