On March 31, 2022, a serious zero-day vulnerability was discovered in Spring Framework core, an open-source framework for building enterprise Java applications. The vulnerability, dubbed Spring4Shell (by analogy with Log4Shell) or Springshell, was assigned CVE-2022-22965 (at the time of writing, the entry was still reserved in MITRE's CVE list and not yet available in the NVD).

What is Spring4Shell?

Spring4Shell is a remote code execution (RCE, code injection) vulnerability in Spring Core, exploitable through its data binding mechanism. An attacker who exploits it can easily execute code from a remote source on the attacked target. Spring4Shell affects all versions of Spring Core, and the vulnerability can be exploited on JDK 9 or newer.

At the time of writing, Spring4Shell is no longer a zero-day vulnerability: Spring has released official patches (versions 5.3.18 and 5.2.20), as announced on the Spring blog. For those unable to patch, that blog post also contains official workaround suggestions.

How is Spring4Shell exploited?

Unit42 has observed Spring4Shell being exploited in the wild, and a proof-of-concept exploit was released along with information about the vulnerability. The PoC exploit only works under specific conditions:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

If the application is deployed as a Spring Boot executable JAR (the default packaging), it is not vulnerable to this specific exploit. However, although no other exploits had been identified at the time of writing, they are theoretically possible given the nature of the vulnerability. Applications deployed as a Spring Boot executable JAR may therefore be vulnerable to other exploits, and this deployment method should not be treated as a mitigation.

What software is affected by Spring4Shell?

The Spring4Shell vulnerability affects all older Spring versions (from before March 31, 2022). The only versions of Spring that are considered safe are 5.3.18 or later and 5.2.20 or later.

Spring is a very popular Java framework, comparable in its popularity to Struts. Therefore, many web applications may be affected. At the time of writing, there are no specific reports on other common applications that are based on Spring and affected by this vulnerability, but we will update this post if any such reports surface.

How to check if you are affected by Spring4Shell?

For web applications, Acunetix has a check to detect the Spring4Shell vulnerability.

If you are using Acunetix on-premises, update your Acunetix installation to the latest version (build 14.7.220401065 or later) and scan all your web assets. If you are using Acunetix online, simply scan all your web assets at your earliest convenience.

If you would like to manually check your Spring web applications, you can use Lunasec’s Spring4Shell-POC exploit to see if your application is vulnerable. However, please note that even if the exploit does not work with your specific installation, that does not guarantee that your application is safe from Spring4Shell (due to potential other exploitation methods).

For details on the versions and modules that this issue applies to, and how to check if your environment is affected, please visit this Spring blog post.

How to mitigate Spring4Shell attacks?

To mitigate Spring4Shell:

  • Immediately upgrade your Spring installation to version 5.3.18 or higher, or 5.2.20 or higher.
  • If you cannot upgrade to 5.3.18/5.2.20 or higher, choose one of the following temporary solutions:
    • Set disallowedFields on WebDataBinder through a @ControllerAdvice. However, if applied centrally, this may leave loopholes, for example, when a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting.
    • Extend RequestMappingHandlerAdapter to update the WebDataBinder at the end after all other initialization. To do that, you can declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations bean (Spring WebFlux) in your Spring Boot application.
    • In the case of Spring MVC without Spring Boot, you can switch from @EnableWebMvc to extending DelegatingWebMvcConfiguration directly and overriding the createRequestMappingHandlerAdapter method.
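The two Spring Boot workarounds from the list above, written out for Spring MVC as an added example (this is not code from the Acunetix post or from the Spring project; the class names and the package are assumptions, and the four field patterns are the ones Spring's advisory recommends):

```java
// Added example (not code from the Acunetix post or the Spring project): the @ControllerAdvice
// workaround and the RequestMappingHandlerAdapter workaround, for Spring MVC on Spring Boot.
// The field patterns are the ones Spring's advisory recommends; the class names and the package
// are hypothetical. Both pieces are nested in one @Configuration class so they fit in one file.
package com.example.hardening;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.springframework.boot.autoconfigure.web.servlet.WebMvcRegistrations;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.annotation.InitBinderDataBinderFactory;
import org.springframework.web.method.support.InvocableHandlerMethod;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;

@Configuration
public class Spring4ShellMitigationConfig {

    // Property-path patterns that stop request parameters from being bound into "class"/"Class"
    // properties, whether at the top level or nested at any depth.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    // Workaround 1: a global @InitBinder. Simple, but a controller whose own @InitBinder calls
    // setDisallowedFields(...) replaces this list entirely; that is the loophole noted above.
    @ControllerAdvice
    @Order(Ordered.LOWEST_PRECEDENCE)
    public static class BinderControllerAdvice {
        @InitBinder
        public void setDisallowedFields(WebDataBinder binder) {
            binder.setDisallowedFields(DENYLIST);
        }
    }

    // Workaround 2: replace the RequestMappingHandlerAdapter so that the denylist is merged into
    // every binder after all @InitBinder methods (global and per-controller) have run. A local
    // setDisallowedFields(...) call can no longer remove it.
    @Bean
    public WebMvcRegistrations hardenedMvcRegistrations() {
        return new WebMvcRegistrations() {
            @Override
            public RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() {
                return new HardenedRequestMappingHandlerAdapter();
            }
        };
    }

    static class HardenedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {
        @Override
        protected InitBinderDataBinderFactory createDataBinderFactory(List<InvocableHandlerMethod> binderMethods) {
            return new ServletRequestDataBinderFactory(binderMethods, getWebBindingInitializer()) {
                @Override
                public void initBinder(WebDataBinder binder, NativeWebRequest request) throws Exception {
                    // Let the WebBindingInitializer and every @InitBinder method run first ...
                    super.initBinder(binder, request);
                    // ... then append the denylist to whatever the application already disallows,
                    // merging rather than overwriting so existing restrictions are kept.
                    String[] existing = binder.getDisallowedFields();
                    List<String> merged = new ArrayList<>(
                            existing != null ? Arrays.asList(existing) : Collections.emptyList());
                    merged.addAll(Arrays.asList(DENYLIST));
                    binder.setDisallowedFields(merged.toArray(new String[0]));
                }
            };
        }
    }
}
```

In practice you would pick one of the two; the second is the fail-safe choice because it runs after all other binder initialization. For Spring MVC without Spring Boot, drop the WebMvcRegistrations bean, extend DelegatingWebMvcConfiguration instead of using @EnableWebMvc, and return the same HardenedRequestMappingHandlerAdapter from an overridden createRequestMappingHandlerAdapter method. Either way, treat this as a stopgap until the application is on 5.3.18/5.2.20 or later.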

Note that a web application firewall will not be able to protect you from Spring4Shell.

What about CVE-2022-22963?

At the same time as CVE-2022-22965 (Spring4Shell) was published, VMware also published details of another RCE vulnerability in Spring: CVE-2022-22963. However, this RCE is much more difficult to exploit, and its impact has therefore been rated medium rather than critical, as in the case of Spring4Shell.

Note that the newest versions of Spring Core (5.3.18 and up and 5.2.20 and up) are also safe from this vulnerability.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.