SpringShell: Spring Framework Remote Code Execution Vulnerability

What is SpringShell or Spring4Shell?

A server-side security vulnerability in the Spring Framework. Because Spring4Shell exposes an application to remote code execution, an attacker can potentially access all of the application's internal data, including any connected database. It may also allow an attacker to reach additional internal resources to gain more permissions or to move to other parts of an internal network. It has been identified as CVE-2022-22965.

Prerequisites for the vulnerability

  • Running JDK 9.0 or later
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions
  • Apache Tomcat as the Servlet container
  • Application packaged as a Java web archive (WAR)
  • Tomcat has spring-webmvc or spring-webflux dependencies
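The prerequisite list above is easiest to act on as an inventory check. The script below is an added example, not SECUDE's or the Spring project's code: it encodes the version boundaries the advisory gives (affected Spring releases below 5.2.20 and 5.3.0 to 5.3.17, JDK 9 or later, Tomcat fixed in 9.0.62) as shell functions and scans a WAR's lib directory for spring-webmvc / spring-webflux jars. The command-line shape (lib directory plus Java and Tomcat version strings) and the jar-name parsing are assumptions; Tomcat release lines other than 9.0.x are reported as not covered rather than guessed.

```shell
#!/bin/sh
# Added example (not SECUDE's or the Spring project's code): checks a deployment
# against the advisory's prerequisite list. Version boundaries come from the
# advisory; the CLI shape (LIBDIR JAVA_VERSION TOMCAT_VERSION) is assumed.

# spring_vulnerable VERSION -> exit 0 if VERSION is in the affected range:
# any release below 5.2.20, or 5.3.0 up to and including 5.3.17.
# Accepts both "5.3.17" and the older "5.2.19.RELEASE" naming.
spring_vulnerable() {
    IFS=. read -r major minor patch _ <<EOF
$1
EOF
    patch=${patch%%[!0-9]*}            # drop suffixes such as "17-SNAPSHOT"
    : "${minor:=0}" "${patch:=0}"
    case "$major.$minor" in
        5.3) [ "$patch" -lt 18 ] ;;
        5.2) [ "$patch" -lt 20 ] ;;
        *)   [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 2 ]; } ;;
    esac
}

# jdk_affected VERSION -> exit 0 if the runtime is JDK 9 or later, the JDK
# prerequisite named in the advisory. Accepts "1.8.0_292", "11.0.2" or "17".
jdk_affected() {
    IFS=. read -r first second _ <<EOF
$1
EOF
    if [ "$first" = 1 ]; then feature=${second%%[!0-9]*}; else feature=${first%%[!0-9]*}; fi
    [ "${feature:-0}" -ge 9 ]
}

# tomcat_verdict VERSION -> prints "upgrade" for 9.0.x below 9.0.62, "ok" for
# 9.0.62 and later, and "unknown-branch" for release lines this advisory
# does not cover (check the vendor's own notes for those).
tomcat_verdict() {
    IFS=. read -r major minor patch _ <<EOF
$1
EOF
    patch=${patch%%[!0-9]*}
    if [ "$major.$minor" != "9.0" ]; then echo unknown-branch
    elif [ "${patch:-0}" -lt 62 ]; then echo upgrade
    else echo ok
    fi
}

# scan_lib LIBDIR -> one line per spring-webmvc / spring-webflux jar found in
# LIBDIR (normally WEB-INF/lib of the exploded WAR): "<jar> <version> AFFECTED|ok".
# Exit 0 if at least one affected jar was found, 1 otherwise.
scan_lib() {
    hit=1
    for jar in "$1"/spring-webmvc-*.jar "$1"/spring-webflux-*.jar; do
        [ -e "$jar" ] || continue          # unexpanded glob when nothing matches
        name=${jar##*/}
        ver=${name#spring-webmvc-}; ver=${ver#spring-webflux-}; ver=${ver%.jar}
        if spring_vulnerable "$ver"; then verdict=AFFECTED; hit=0; else verdict=ok; fi
        printf '%s %s %s\n' "$name" "$ver" "$verdict"
    done
    return $hit
}

# report LIBDIR JAVA_VERSION TOMCAT_VERSION -> summary for one host; exit 0 when
# both the Spring and the JDK prerequisites hold. Versions are passed in (from
# `java -version` and Tomcat's version.sh) so the script carries no host paths.
# The Tomcat verdict is informational: any Tomcat hosting the WAR meets the
# container prerequisite, and 9.0.62 is the hardening target from the advisory.
report() {
    lib=$1; java=$2; tomcat=$3
    printf 'Spring jars in %s:\n' "$lib"
    if scan_lib "$lib"; then spring=AFFECTED; else spring=ok; fi
    if jdk_affected "$java"; then jdk=AFFECTED; else jdk=ok; fi
    printf 'Spring: %s  JDK %s: %s  Tomcat %s: %s\n' \
        "$spring" "$java" "$jdk" "$tomcat" "$(tomcat_verdict "$tomcat")"
    [ "$spring" = AFFECTED ] && [ "$jdk" = AFFECTED ]
}

# Usage: sh spring4shell-check.sh /path/to/app/WEB-INF/lib 11.0.2 9.0.50
if [ $# -eq 3 ]; then
    report "$1" "$2" "$3"
fi
```

Because 5.2.20 is fixed while 5.3.0 is affected, a plain string or `sort -V` comparison gets the boundary wrong; the `case` on major.minor is what keeps the two release lines apart. A non-zero exit from `report` means at least one prerequisite is not met, not that the deployment has been verified safe.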

Workarounds

  • Update to Spring Framework 5.3.18 or 5.2.20 or later, and upgrade Tomcat to version 9.0.62
  • There are further workarounds which can be found in the pages listed in the references.

Is SECUDE Software affected?

SECUDE has taken the time to properly analyze the case and validate if any of our software is affected.

We ship the affected component with our HALO Core Server admin portal. Affected are users of HALO Core Server <= 6.1 (6.1.2.5). In the default setup, the HALO Core admin portal is not configured for remote access. This, together with the enforced mutual authentication, limits the attack vector substantially.

Workarounds

We urge our customers to upgrade to HALO Core Server 6.1.2.6. Please download your version in the SECUDE portal.

Customers unable to upgrade immediately, and customers running the HALO Core Admin portal with remote access, should apply one of the following two measures:

Deactivate remote access. This substantially reduces the attack vector; the side effect is that configuration changes are then only possible via access to the host operating system.

Please execute the following steps:

  1. Login into the HALO Core Admin Portal
  2. Go to “System Configuration”
  3. Head to “HALO Core Server Configuration”
  4. Disable “Configure Remote Access”
  5. Restart the Tomcat

Move the admin portal application out of Tomcat's webapps folder.

  1. Stop the Tomcat
  2. Move the ‘halocore-admin’ folder in the webapps folder of the tomcat to a different location
  3. Start the Tomcat

This has no side effects on the running software, but until the patch is applied, configuration changes will not be possible.

References:

https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability

https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/

https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/

https://www.springcloud.io/post/2022-03/spring-framework-rce-early-announcement/#gsc.tab=0
