#Spring4Shell Exploit PoC | Remote Code Execution (#RCE) | CVE-2022-22965

Spring Framework for Java vulnerable to remote code execution

Popular Name: Spring4Shell

CVE: CVE-2022-22965
   
Overview:  
- On 29 March 2022, the developers of the Spring Framework for Java were notified of a vulnerability that allowed remote code execution. 
- On 30 March 2022, the vulnerability was leaked prior to the publication of the CVE and release of the patch. 
- The Spring Framework is touted as the most popular Java framework and widely used across many platforms. 
- Patched versions of Spring Framework (version 5.3.18 and 5.2.20) and Spring Boot (2.6.6 and 2.5.12) have been released on 31 March 2022, as well as workarounds. 
- Proof of Concepts (POCs) are available with exploitation being reported in the wild. 
   
Exploitability:  
- POCs are available and exploitation is occurring in the wild.  

Exploit PoC: https://github.com/reznok/Spring4Shell-POC
   
Exposure:  
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions 
  
Potential Impact:  
- The Spring Framework is very frequently used with Java software. Due to this, the impact is difficult to quantify. Similar to other high-profile vulnerabilities such as Log4j, Heartbleed, and Shellshock, it seems there will be an increasing number of vulnerable products discovered in the weeks to come. Due to the ease of exploitation and the breadth of applicability, we suspect ransomware actors to begin leveraging this vulnerability immediately. 
- Successful exploitation could allow an attacker to perform unauthenticated remote code execution. 
   
Decision Rationale:  
- Spring Frameworks are widely used and exposure to the internet is common. 
- Exploitation allows remote code execution, such as ransomware attacks. 
- The full extent of methods of exploitation is currently unknown. 
 
Recommendation:  
- Upgrade to a patched version of Spring Framework (version 5.3.18 and 5.2.20) and Spring Boot (2.6.6 and 2.5.12) as soon as possible. 
- In the event that an upgrade is not immediately possible, the flaw can also be mitigated by setting disallowedFields on WebDataBinder through an @ControllerAdvice.
- For more information on this workaround: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcemen #suggested-workarounds 

References:
- https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/

Tags
spring4shell,spring shell vulnerability,spring boot rce,spring rce vulnerability,spring vulnerability,spring beans vulnerability,spring boot vulnerability,spring boot vulnerability remediation,spring remote code execution,remediate spring vulnerability,impact of spring vulnerability,spring4shell github,spring4shell rce poc,spring4shell rce,spring rce,spring rce poc,spring4shell exploitation,spring4shell remediation,remote code execution,spring vulnerability