Spring4Shell (CVE-2022-22965) FAQ: Spring Framework Remote Code Execution Vulnerability
A list of frequently asked questions related to Spring4Shell (CVE-2022-22965).
Update April 13: Updated the Identifying affected systems section with the recent addition of a remote direct check plugin for Spring4Shell. For information about our detections, please refer to this post on the Tenable Community.
Update April 1: Added sections about Apache Tomcat and Tenable Products. The Identifying affected systems section has been updated with additional information on Tenable product coverage.
Update March 31: Additional details have been provided including fixed versions, the CVE identifier, additional details on the requirements necessary to exploit the vulnerability, as well as details on Tenable product coverage.
Tenable Research is closely monitoring updates related to Spring4Shell. As more information becomes available, we will update this FAQ with additional details about the vulnerability, including Tenable product coverage.
Frequently Asked Questions about Spring4Shell
What is Spring4Shell?
Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.
Has a CVE been assigned to this vulnerability?
CVE-2022-22965 has been assigned to this vulnerability.
Is Spring4Shell related to Log4Shell?
Is there a patch available for Spring4Shell?
As of March 31, Spring Framework versions 5.3.18 and 5.2.20 have been released. According to the vulnerability announcement from Spring, Spring Boot version 2.6.6 and 2.5.12 (both depend on Spring Framework 5.3.18) have been released.
How severe is Spring4Shell?
An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration.
According to Spring, the following requirements were included in the vulnerability report, however the post cautions that there may be other ways in which this can be exploited so this may not be a complete list of requirements at this time:
- Java Development Kit (JDK) 9 or greater
- Apache Tomcat as the Servlet container
- Packaged as a WAR
- spring-webmvc or spring-webflux dependency
What versions of Spring Core Framework are affected?
As of March 31, Spring versions 5.3.18 and 5.2.20 have been released to address CVE-2022-22965. While it’s not explicitly noted what versions are impacted at the time this blog was updated, we hope to have more clarity soon and will update this post with additional information.
Is my application vulnerable if I use a JDK 9+ and Spring Framework?
Using both JDK 9+ and Spring Framework together does not necessarily equate to being vulnerable to Spring4Shell, as the application would need to be configured in a way for an attacker to exploit the flaw. For instance, Spring has recommended developers specify the allowedFields property when using the DataBinder class. Researchers have confirmed that not specifying this property could enable an attacker to leverage Spring4Shell against a vulnerable application.
What does Spring4Shell have to do with CVE-2010-1622?
Researchers at Praetorian have confirmed that Spring4Shell is a patch bypass of CVE-2010-1622, a code injection vulnerability in the Spring Core Framework that was reportedly fixed nearly 12 years ago. However, the researchers say the fix for CVE-2010-1622 was incomplete and a new path to exploit this legacy flaw exists.
Is Spring4Shell related to CVE-2022-22963?
No, these are two completely unrelated vulnerabilities. CVE-2022-22963 is a vulnerability in the Spring Cloud Function, a serverless framework for implementing business logic via functions. An advisory for CVE-2022-22963 was published on March 29 and patches for Spring Cloud Function are available.
Because there was no CVE assigned for Spring4Shell at the time of its disclosure, Spring4Shell was erroneously associated with CVE-2022-22963.
Is Proof of Concept exploit code available?
Are Tenable products affected by Spring4Shell or CVE-2022-22963?
Based on current information as of 4/1/2022 regarding Spring4Shell (CVE-2022-22965) and CVE-2022-22963, Tenable products are not affected.
Apache Tomcat is listed as a prerequisite, has the Tomcat team released patches?
Yes, they have. While CVE-2022-22965 resides in the Spring Framework, the Apache Tomcat team released new versions of Tomcat to ”close the attack vector on Tomcat’s side.” This is especially useful in instances where an unsupported version of the Spring Framework is in use alongside Tomcat.
Does Tenable have any product coverage for Spring4Shell?
Yes, please refer to the Identifying affected systems section below for details. If you would like to learn more about the plugins, please refer to this post on the Tenable Community.
Identifying affected systems
A list of Tenable plugins to identify this vulnerability can be found here.
|159374||Spring Framework < 5.2.20 / 5.3.x < 5.3.18 Remote Code Execution (CVE-2022-22965)||Tenable.io, Tenable.sc, Nessus||Paranoid Mode, Thorough Tests|
|159542||Spring Framework Spring4Shell (CVE-2022-22965)||Tenable.io, Tenable.sc, Nessus||Test embedded web servers|
|113217||Spring Framework < 5.2.20 / 5.3.x < 5.3.18 Remote Code Execution (Spring4Shell)||Web Application Scanning||None|
|98097||Backdoor Detection||Web Application Scanning||None|
|159462||Apache Tomcat 8.x < 8.5.78 Spring4Shell (CVE-2022-22965) Mitigations||Tenable.io, Tenable.sc, Nessus||None|
|159464||Apache Tomcat 9.x < 9.0.62 Spring4Shell (CVE-2022-22965) Mitigations||Tenable.io, Tenable.sc, Nessus||None|
|159463||Apache Tomcat 10.x < 10.0.20 Spring4Shell (CVE-2022-22965) Mitigations||Tenable.io, Tenable.sc, Nessus||None|
For Web Application Scanning customers, we've updated our Backdoor Detection plugin to detect the tomcatwar.jsp shell file. The backdoor detection script can be used to identify a web backdoor or web shell on a web server as a result of an attacker exploiting the vulnerability.
Paranoid and Thorough Tests requirements for Plugin ID 159374
For Nessus plugin ID 159374, "Spring Framework < 5.2.20 / 5.3.x < 5.3.18 Remote Code Execution (CVE-2022-22965)," users are required to enable the "Show potential false alarms" setting, also known as paranoid mode, in their scan policy in order to enable this plugin in a scan. In addition, the "Perform thorough tests" setting must be enabled as well.
We also recommend enabling only this specific plugin in a paranoid scan. Scan policies configured to have all plugins enabled will see an increase in the number of triggers, as it will include all paranoid plugins during the scan.
Enabling Paranoid and Thorough Tests Modes
To enable this setting for Nessus and Tenable.io users:
- Click Assessment > General > Accuracy
- Enable the "Show potential false alarms" option
- Enable the "Perform thorough tests (may disrupt your network or impact scan speed)" option
To enable this setting for Tenable.sc (formerly SecurityCenter) users:
- Click Assessment > Accuracy
- Click the drop-down box and select "Paranoid (more false alarms)"
- Click the drop-down box and select "Perform thorough tests (may disrupt your network or impact scan speed)"
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Are You Vulnerable to the Latest Exploits?
Enter your email to receive the latest cyber exposure alerts in your inbox.