Spring4Shell Zero-Day Vulnerability Response
On March 30th, a Critical 0-Day vulnerability (CVE-2022-22965) was disclosed by Spring regarding their open-source framework. This document provides an overview of steps you can take to protect your organization and your 3rd party network as well as a summary of our investigation and mitigation efforts.
Description
A zero-day vulnerability has been identified in the Spring Core framework. Spring is open source software that is commonly utilized in conjunction with the Java technology ecosystem. The vulnerability has been categorized as “Critical” with a CVSS score of 5.7. To be considered vulnerable, a system would require the following configurations:
- Java Development Kit (JDK) version 9 or newer,
- Apache Tomcat,
- Packaged as a WAR file, and
- Run either the spring-webmvc or spring-webflux dependencies
Below is a link to the vulnerability in the Mitre CVE Program:
It is important to quickly assess the impact and risk both internally and within your third-party population. Take action now and follow these steps to assess the potential impact to systems and remediate accordingly.
Step 1: Determine if you are at risk.
- If you or a third party are running any version of the Spring framework up to and including 5.2.19 and 5.3.17, the system is vulnerable to this CVE.
- To assess whether your Third Parties are vulnerable, customers can access the Vulnerability Questionnaire in the Whistic platform under our Questionnaire Standards Library by clicking here.
- A standalone .xls file can be found here.
Step 2: Immediately patch applications that have been impacted.
- Update Spring to 5.3.18 or 5.2.20 using the version update provided by Spring after appropriate testing and validation.
- Run all systems and services as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Apply the Principle of Least Privilege to all systems and services.
This method is the only complete remediation. The following two actions are independently validated mitigation techniques that will provide significant protection until Spring can be upgraded to one of the above-mentioned versions. Rapid7 has published documentation that demonstrates how to approach these mitigation actions. You can find it here.
- Add string filters to applicable web application firewalls (WAFs) that reject variations of “Class.”, “class.”, etc.
- Use the Spring Framework Controller Advice utility to establish a denylist that reject variations of “Class.”, “class.”, etc.
Does this affect Whistic?
As a result of our investigation, we have determined that this vulnerability does not directly impact Whistic. While Whistic uses the Spring framework in conjunction with many other tools, the underlying architecture and internal secure programming practices reduces our exposure to this vulnerability. When we were made aware of this CVE on March 31st, we implemented and tested a WAF configuration in conjunction with an Application Load Balancer within the Whistic environment to mitigate the vulnerability.