Detect CVE-2022-22965: Updates on Spring Framework RCE

In March 2022, several novel vulnerabilities in the Java Spring framework were disclosed. One of these flaws affects a component in Spring Core, enabling adversaries to drop a webshell, granting Remote Command Execution (RCE).

As of April 5, 2022, the SpringShell vulnerability tracked as CVE-2022-22965 is now confirmed to be of critical severity.

CVE-2022-22965 Detection

Given the current tendencies of exploitation of CVE-2022-22965 and its potential to be actively widespread, it is vital to ensure efficient detection approaches. In addition to the previously released detection content related to CVE-2022-22965 in the Threat Detection Marketplace repository of the SOC Prime Platform, the following fresh from the oven Sigma rule inspects the values of common HTTP request headers, body, URI, and query string for patterns indicating Java deserialization RCE attempts:

AWS Possible Spring Core and Cloud Function RCE Vulnerability Attempt [CVE-2022-22965,CVE-2022-22963] (via awswaf)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Apache Kafka ksqlDB, and Open Distro.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the 

Lateral Movement and Initial Access tactics with Exploitation of Remote Services (T1210) and Exploit Public-Facing Application (T1190) as the main techniques.

The rule was released by our top-tier Threat Bounty developer Nattatorn Chuensangarun.

Apart from the Sigma detections above, you can leverage the Snort rules released by talented Sittikorn Sangrattanapitak and Kaan Yeniyol, who never miss a trick:

CVE-2022-22965 Exploitation Attempt Detected – Snort Rules

Potential Webshell Activity via Spring4Shell – Snort Rules

Follow the updates of detection content related to CVE-2022-22965 (aka Spring4Shell or SpringShell) in the Threat Detection Marketplace repository of the SOC Prime Platform here. Are you an experienced threat detection content developer? Tap into the power of the world’s largest cyber defense community powered by the Threat Bounty Program, share your detection content, and earn recurring rewards for your valuable input.

View All Сontent Join Threat Bounty

CVE-2022-22965 Exploit Mitigation

Taking into account CVE-2022-22965 details, severity, and susceptibility to exploits, the vulnerability qualifies to be able to cause great harm in the long run. Even its moniker, Spring4Shell, refers to brutal Log4Shell, a zero-day RCE vulnerability in Apache Log4j first reported on November 24, 2021.

To successfully exploit CVE-2022-22965, it is required for the application to run on Tomcat as a WAR deployment. Otherwise, it is not vulnerable. Nevertheless, security researchers warn that it is not a panacea for exploitations, given the nature of the vulnerability. Protection against the CVE-2022-22965 exploit requires users to update their version of Spring to 5.3.18 or 5.2.20. Upgrading the framework version is enough to patch CVE-2022-22965 on Spring applications.

For more details on this vulnerability, please refer to the CVE-2022-22965 analysis released on the SOC Prime blog on March 31, 2022.

Join SOC Prime’s Detection as Code platform to unlock access to the world’s largest live pool of detection content created by the industry leaders. SOC Prime, headquartered in Boston, US, is powered by an international team of seasoned experts dedicated to enabling collaborative cyber defense. Stay connected to the global cybersecurity community to withstand attacks easier, faster, and more efficiently.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts