Executive Summary

Spring4Shell (CVE-2022-22965, NVD CVSS v3.1 base score 9.8) is a critical remote code execution vulnerability in the Spring Framework that affects Spring MVC and Spring WebFlux applications running on JDK 9 or later. Spring's data binding, which maps request parameters onto the fields of a handler method's argument object, can be steered by an unauthenticated attacker into objects far outside that argument; in the deployment described below, that is enough to run arbitrary code on the server.

Technical Analysis

The vulnerability is a bypass of the fix for CVE-2010-1622. That fix stopped Spring's bean introspection from following a bound object's getClass() into Class.getClassLoader(), but JDK 9 added Class.getModule(), and Module.getClassLoader() was not covered, so the property path class.module.classLoader reaches the class loader again. Under Tomcat the webapp class loader exposes the container's object graph, and the public exploit walks it to the host's access log valve (AccessLogValve) and rewrites its pattern, directory, prefix and suffix properties, so that Tomcat itself writes attacker-controlled log content as a JSP file under the web root, which the attacker then requests to execute code. The patched versions restrict which properties of Class the binder will traverse, which closes this route regardless of the servlet container.

Vulnerability Requirements

Required Conditions (all are needed for the known exploit chain; Spring's own advisory lists them):
  - JDK 9 or higher (Class.getModule() does not exist on JDK 8)
  - Spring Framework versions 5.3.0-5.3.17, 5.2.0-5.2.19, or older unsupported versions
  - Application packaged as a traditional WAR and deployed to a standalone Apache Tomcat (the AccessLogValve on the Host is what the exploit reaches)
  - Dependency on spring-webmvc or spring-webflux
  - A controller whose handler method binds request parameters into a non-simple (POJO) argument, with or without @ModelAttribute

A Spring Boot executable jar with embedded Tomcat is not affected by the known exploit because its class loader layout differs, but the underlying binding weakness is not specific to Tomcat, so such applications must still be upgraded.

Exploitation Technique

Attack Vector Details

Impact Assessment

  • Attack Complexity: Low - a handful of ordinary HTTP requests, no race condition or special network position
  • Authentication: None required
  • Scope: Unchanged (NVD vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 9.8); the dropped JSP runs with the privileges of the Tomcat process
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Affected Industries

  • Financial services running Spring-based applications
  • E-commerce platforms
  • Healthcare systems
  • Government services
  • Any organization using Spring Framework with the vulnerable configuration

Detection Methods

Application Scanning

# Check the resolved Spring Framework version (fixed: 5.3.18+ / 5.2.20+)
mvn dependency:tree | grep -E "spring-(core|beans|webmvc|webflux)"

# Find handler methods that bind request data into objects. @RequestParam on a
# simple type is not the vector; what matters is @ModelAttribute or a handler
# method that takes a non-simple (POJO) parameter type.
grep -rn -E "@(ModelAttribute|RequestMapping|GetMapping|PostMapping)" --include=*.java .

Runtime Detection

  • Alert on request parameter names (query string or body) that begin with class. or Class. or contain .class., above all class.module.classLoader
  • Watch for the access log file or its line format changing without a configuration change: the exploit reconfigures the AccessLogValve, so the original log may stop growing while a new file appears elsewhere
  • Look for new .jsp files under webapps/ROOT or any other web root that the deployment never writes to at runtime
  • Monitor Tomcat access logs for the patterns above, remembering that POST bodies are not logged there and need a WAF or reverse proxy with request body logging
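The log check from the list above, as an added example that is not part of the original page: a small scanner over Tomcat access log lines in the default "common" format that percent-decodes each request target and flags the property paths that reach a ClassLoader from a bound bean. The sample lines, the IP addresses and the class name are constructed for the example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not code from the original page. Scans Tomcat access log lines
// (default pattern: %h %l %u %t "%r" %s %b) for binding paths that reach a ClassLoader.
public class Spring4ShellLogScan {

    // Constructed sample lines. Line 3 carries the path the public exploit uses;
    // line 4 is the same probe with percent-encoded dots and a capitalised "Class";
    // line 2 is a POST whose body, where a real exploit would put the parameters,
    // never reaches the access log at all.
    static final String[] SAMPLE_LINES = {
        "10.0.0.5 - - [31/Mar/2022:10:15:01 +0000] \"GET /greet?name=alice HTTP/1.1\" 200 12",
        "10.0.0.5 - - [31/Mar/2022:10:15:02 +0000] \"POST /greet HTTP/1.1\" 200 12",
        "203.0.113.9 - - [31/Mar/2022:10:16:40 +0000] \"GET /greet?class.module.classLoader.resources.context.parent.pipeline.first.pattern=x HTTP/1.1\" 200 12",
        "203.0.113.9 - - [31/Mar/2022:10:16:41 +0000] \"GET /greet?Class%2Emodule%2EclassLoader%2Eresources%2Econtext%2Eparent%2Epipeline%2Efirst%2Esuffix=.jsp HTTP/1.1\" 200 12"
    };

    // The quoted request line: method, target (path plus query string), protocol.
    private static final Pattern REQUEST_LINE =
            Pattern.compile("\"([A-Z]+) (\\S+) (HTTP/\\d\\.\\d)\"");

    // class.classLoader is the CVE-2010-1622 path, class.module.classLoader the
    // JDK 9+ path behind Spring4Shell. The leading group also catches the path
    // nested inside another bound property (user.class.module...). Case-insensitive,
    // because the binder's own denylist has to cover both "class" and "Class".
    private static final Pattern BINDING_PATH =
            Pattern.compile("(?i)(^|[?&.])class\\.(module\\.)?classLoader\\b");

    /** Percent-decodes a request target; a malformed escape falls back to the raw text. */
    static String decode(String target) {
        try {
            return URLDecoder.decode(target, StandardCharsets.UTF_8.name());
        } catch (IllegalArgumentException | UnsupportedEncodingException e) {
            return target;
        }
    }

    /** True when the line's request target contains a ClassLoader-reaching binding path. */
    static boolean isSuspicious(String line) {
        Matcher m = REQUEST_LINE.matcher(line);
        if (!m.find()) {
            return false;
        }
        return BINDING_PATH.matcher(decode(m.group(2))).find();
    }

    /** Returns the suspicious lines, in order, from a batch of log lines. */
    static List<String> scan(String[] lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            if (isSuspicious(line)) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        for (String hit : scan(SAMPLE_LINES)) {
            System.out.println("SUSPICIOUS: " + hit);
        }
    }
}
```

Compile and run with javac Spring4ShellLogScan.java && java Spring4ShellLogScan; against real data, read the file with Files.readAllLines and pass the lines to scan. On the sample it reports the two requests from 203.0.113.9 and stays silent on the POST, which is the practical limit of access-log-based detection: parameters sent in a request body only become visible with body logging at a WAF or reverse proxy, or with the file-system and valve-configuration checks listed above.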

Mitigation Strategies

Immediate Patches

  1. Upgrade Spring Framework to a fixed release (the Spring Boot versions below pull it in):
     - Spring Framework 5.3.18 or later
     - Spring Framework 5.2.20 or later
     - Spring Boot 2.6.6 or later
     - Spring Boot 2.5.12 or later

  2. Workaround for applications that cannot upgrade yet: register a global @ControllerAdvice that adds the class-related property paths to every data binder's disallowed fields, as in the Spring advisory:

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Global advice: its @InitBinder method runs for every controller's WebDataBinder
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {
    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Both capitalisations, so the check is not defeated by case; the *.class.* forms cover nested beans
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}

Caveat from the Spring advisory: a controller that sets its own disallowed fields in a local @InitBinder method overrides this global list rather than extending it, so such controllers need the class patterns added locally. Where the set of bindable fields is known, setAllowedFields with an explicit allowlist is the more robust choice.

Additional Hardening

  • Upgrade Apache Tomcat to 10.0.20, 9.0.62 or 8.5.78 or later; those releases close the class-loader path the known exploit relies on, as defence in depth rather than a substitute for the Spring fix
  • Implement Web Application Firewall rules that drop requests carrying class.*, Class.* or *.class.* parameter names, keeping in mind that percent-encoding and case tricks slip past naive patterns
  • Use the latest JDK versions
  • Regular security assessments
  • Implement proper input validation, preferring explicit allowlists of bindable fields over denylists
  • Use security headers and CSP

Timeline

  • March 29, 2022: Vulnerability reported to VMware
  • March 30, 2022: Details leaked publicly ahead of the planned disclosure
  • March 31, 2022: Public disclosure, CVE-2022-22965 published, and fixed Spring Framework and Spring Boot releases shipped
  • April 1, 2022: Mass scanning and exploitation attempts begin
  • April 4, 2022: CISA adds CVE-2022-22965 to the Known Exploited Vulnerabilities catalog

References