Spring4Shell Detection: New Java Vulnerability Follows in the Footsteps of Notorious Log4j

When spring comes, bugs bloom. A novel, highly severe flaw in the Spring Cloud Function came on the radar on March 29, 2022. An easy to exploit vulnerability affects the Spring Core module – a framework used in Java applications, and requires JDK9+. If exploited, this Spring Core vulnerability enables hackers to execute remote code execution (RCE) based attacks.

So far, Spring4Shell is believed to have a potential of a critical Log4j RCE flaw.

Detect Spring4Shell

To ensure your system was not compromised, utilize the following rules released by SOC Prime Team together with Florian Roth. The following rules detect possible SpringCore RCE vulnerability exploitation attempts.

Possible Initial Access by Spring4Shell Exploitation Attempt (via web)

Possible Internal Lateral Movement by Spring4Shell Exploitation Attempt (Windows) (via process_creation)

Possible Internal Lateral Movement by Spring4Shell Exploitation Attempt (Linux) (via process_creation)

Apart from the Sigma detections above, you can leverage the YARA rule released by Florian Roth:

Possible Spring4Shell Exploitation Patterns – YARA Rules

Follow the updates of detection content related to Spring4Shell in the Threat Detection Marketplace repository of the SOC Prime Platform here. Are you a detection content developer? Join the world’s largest cyber defense community powered by the Threat Bounty program to tap into the power of the cybersecurity community and earn recurring rewards for your valuable input.

View All Сontent Join Threat Bounty

Spring4Shell Exploit Analysis

A novel zero-day Spring4Shell vulnerability that is currently actively gaining momentum was spotted on March 29, 2022, in Spring Framework – one of the most in-demand frameworks in Java. Spring application provides tools for developers to build some of the common patterns in distributed systems. The novel Spring Cloud vulnerability has already been dubbed Spring4Shell for its resemblance to the Apache Log4j2 vulnerability that generated a huge stir in December 2021.

Dire SpringShell’s impact on compromised systems is inevitable: the exploit, just like Log4Shell, is very easy to accomplish. Afterwards, adversaries are able to create scripts that scan the Internet and automatically exploit susceptible servers since exploitation involves only a simple HTTP POST to a vulnerable app. Threat actors can utilize these flaws to run commands on the server, granting them complete remote control over the infected device.

Moreover, Spring Cloud Functions may be utilized in cloud serverless functions such as AWS Lambda and Google Cloud Functions, making your cloud accounts a sitting duck for hackers eager to make the most of this vulnerability.

It is needless to mention that this flaw in the Spring project relies on specific configurations to be successfully exploited. In some cases, exploitation of this flaw is simple, as all an attacker needs to do is submit a specially crafted POST request to a targeted system. However, exploitation of such setups will require extra time and resources investment from the attacker in order to properly poison payloads aimed at a Spring application and gain full control of the system.

As of March 31, 2022, there is no CVE associated with this particular flaw, although there are two other newly disclosed vulnerabilities related to the Spring project – CVE-2022-22963 and CVE-2022-22950.

Potential and actual risks inflicted by this Spring Core RCE vulnerability on actual real-world applications are yet to be determined.

Join SOC Prime’s Detection as Code platform to continuously gain the latest updates on the threat landscape developments, improve your threat coverage, and outspeed the attackers by reaching the most relevant detection content aligned with the MITRE ATT&CK matrix. 

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts