A new zero-day vulnerability in the Spring Core Java framework dubbed ‘Spring4Shell’ has been publicly disclosed, allowing unauthenticated remote-code execution on applications.
Spring by VMware is a very popular application framework that allows software developers to quickly and easily develop Java applications with enterprise-level features. These applications can then be deployed on servers, such as Apache Tomcat, as stand-alone packages with all the required dependencies. VMware has acknowledged the vulnerability, tracked as CVE-2022-22965.
Affected VMware Products and Versions:
Severity is critical unless otherwise noted.
- 5.3.0 to 5.3.17
- 5.2.0 to 5.2.19
- Older, unsupported versions are also affected
Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+. No other steps are necessary.
There are other mitigation steps for applications that cannot upgrade to the above versions. Releases that have fixed this issue include:
Prerequisites for the Exploit:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
If you’re able to upgrade to Spring Framework 5.3.18 and 5.2.20, no workarounds are necessary.
Downgrading to Java 8 provides a viable workaround, which may be a quick and simple thing to do as a tactical solution, until you can upgrade to a supported Spring Framework version.
For older, unsupported Spring Framework versions, upgrading to Apache Tomcat 10.0.20, 9.0.62, or 8.5.78 provides protection against the reported attack vector.
However, applying the workarounds described here is still a good step to prevent any other possible attack vectors.
ITC’s Sentinel SIEM service actively monitors for indications of attackers who may leverage vulnerabilities such as these to gain access to customer networks and our analysts carry out proactive threat hunting to search for related indicators of compromise.
For ITC VI customers, we have reached out via service requests to initiate vulnerability scans to look for assets vulnerable to CVE-2022-22965.
For ITC customers who have a managed firewall offering, we are checking and confirming that the action assigned by the threat prevention is to drop traffic should the signature be met.
- PA – Threat content update 8548
- Snort SIDs: 30790-30793, 59388, and 59416