Arctic Wolf Spring4Shell Deep Scan

Arctic Wolf's open source Spring4Shell Deep Scan enables detection of CVE-2022-22965

Background on the Spring4Shell Exploit

On Wednesday, March 30, Arctic Wolf became aware of a 0-day vulnerability in Spring MVC, the web module of the popular open-source Spring Framework for Java, that could potentially lead to unauthenticated remote code execution. Spring MVC lets developers focus on business logic and simplifies the development cycle of Java enterprise applications.

On Thursday, March 31, Spring published a security advisory confirming Spring4Shell, a remote code execution (RCE) vulnerability in the Spring Framework initially reported on Wednesday, and released patches addressing the vulnerability. The vulnerability, now assigned CVE-2022-22965, received a critical severity rating. Notably, it impacts not only Spring MVC but also Spring WebFlux applications running on JDK 9+.

Arctic Wolf has analyzed the published proof-of-concept exploit for Spring4Shell and has confirmed that it works against Java applications that use the Spring Framework and meet all of the following prerequisites:

  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
  • Running JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a WAR (in contrast to a Spring Boot executable jar)
  • Java application with either the spring-webmvc or spring-webflux dependency

Arctic Wolf's Response to the Spring4Shell Exploit

  • ON MARCH 30:
    Security researchers published proof-of-concept (POC) code for an exploit of an unconfirmed vulnerability, dubbed “Spring4Shell”, a remote code execution vulnerability in the Spring MVC Java framework.

    The Arctic Wolf Threat Research team began investigating the POC exploit code made available by the security researchers.

    Within hours, Arctic Wolf released a security bulletin to customers assessing the impact of this alleged vulnerability in Spring Framework MVC and the feasibility of exploitation in the wild.

    Arctic Wolf also released a public-facing security bulletin on its website.

  • ON MARCH 31:
    The Arctic Wolf Threat Research team confirmed that some Java applications using the Spring Framework were vulnerable to the POC exploit under specific conditions. Spring published a security advisory confirming the vulnerability and releasing patches, and Spring4Shell was assigned CVE-2022-22965. Arctic Wolf confirmed that detections were in place for the post-exploitation activity commonly seen when threat actors exploit vulnerabilities such as Spring4Shell.

    Arctic Wolf started to develop the Spring4Shell Deep Scan Tool, a script to run on systems believed to host Java applications, which detects CVE-2022-22965 at the source by finding vulnerable Spring Framework files on disk. In addition, Arctic Wolf integrated third-party signatures into the Managed Risk internal, external and host-based scanning services to identify instances of CVE-2022-22965.

    Arctic Wolf sent another security bulletin to customers covering these developments and updated the public-facing security bulletin.

  • ON APRIL 1:
    Within two days of the initial report, the scanning tool had been deployed and tested in several live customer environments to verify its effectiveness and consistency.

    Arctic Wolf made the “Spring4Shell Deep Scan Tool” available on GitHub to the public and to customers at the same time.

    Arctic Wolf’s Managed Risk updated its scans to detect the Spring4Shell vulnerability; these detections are now live in the Managed Risk solution.

Access the Arctic Wolf Spring4Shell Deep Scan Script

The Arctic Wolf Spring4Shell Deep Scan Tool is delivered as a script and is a complement to, not a replacement for, the other detection sources. It is similar to the Log4Shell Deep Scan Tool developed in response to the Log4Shell vulnerability disclosed in December 2021. The Spring4Shell Deep Scan Tool runs on systems believed to host Java applications and looks for known vulnerable Spring Framework class files inside JAR files, including JARs nested within other archives, as well as WAR and EAR files.

The script is application-agnostic and cross-platform, running on Windows, macOS and Linux.


Understanding the Spring4Shell Vulnerability

Join Arctic Wolf Product Marketing Manager Sule Tatar and Arctic Wolf Threat Intelligence leaders to understand:

  • What is the Spring4Shell vulnerability?
  • What is the difference between Log4Shell and Spring4Shell?
  • Why Arctic Wolf developed the Spring4Shell Deep Scan Tool
  • How to use Arctic Wolf’s Spring4Shell Deep Scan to help identify known vulnerable versions of the Spring Framework Java class files


Arctic Wolf’s Recommendations for Spring4Shell Remediation:

For organizations with in-house built Java applications, we recommend running the Arctic Wolf Spring4Shell Deep Scan Tool to check whether a vulnerable Spring Framework version is in use, then upgrading to a fixed Spring Framework release and re-deploying the application. Upgrading the framework is the remediation for CVE-2022-22965.

Vulnerable Version    Upgrade To
5.3.x                 5.3.18+
5.2.x                 5.2.20+

NOTE: If using third-party built Java applications, please refer to the vendor for patch guidance. It is likely the vendor will need to upgrade the Spring Framework version on their end and then push a new update for the application.
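To make the prerequisites list, the deep scan description and the remediation table above concrete, here is an added example scanner written for this page. It is illustrative code, not Arctic Wolf's Deep Scan Tool or any code from the project. It walks a WAR or EAR held in memory, recurses into every nested JAR, and reports Spring Framework jars whose version falls in the ranges this page lists as vulnerable, together with the upgrade target from the table. Two detection heuristics are assumed: the stock `spring-<module>-<version>.jar` file name, and, for renamed or shaded jars, the `Implementation-Title`/`Implementation-Version` headers in `META-INF/MANIFEST.MF`. The sample EAR it scans (`build_sample_ear`) is constructed inline and contains manifests only, no real Spring classes.

```python
"""Minimal deep scanner for CVE-2022-22965 (Spring4Shell) in JAR/WAR/EAR files.
Added illustration, not Arctic Wolf's tool; jar-name and manifest heuristics are assumptions."""
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed patch level per supported branch, from the remediation table above.
FIXED_PATCH: Dict[Tuple[int, int], int] = {(5, 3): 18, (5, 2): 20}

NESTED_ARCHIVE_RE = re.compile(r"\.(jar|war|ear|zip)$", re.IGNORECASE)
# Stock Spring artifacts are named spring-<module>-<major>.<minor>.<patch>.jar
SPRING_JAR_RE = re.compile(
    r"(?:^|/)spring-(core|beans|context|web|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$",
    re.IGNORECASE)
MANIFEST_RE = re.compile(r"^Implementation-(Title|Version):\s*(.+?)\s*$", re.MULTILINE)


def classify(version: Version) -> Optional[str]:
    """Return the upgrade target if `version` is vulnerable, else None."""
    major, minor, patch = version
    if (major, minor) > (5, 3):
        return None                       # newer than any affected branch
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:                     # 5.1 and older: end-of-life, never fixed
        return "5.3.18+"
    return None if patch >= fixed else f"{major}.{minor}.{fixed}+"


def _version_from_manifest(zf: zipfile.ZipFile) -> Optional[Version]:
    """Fallback for renamed or shaded jars: read Implementation-Title/-Version."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    fields = dict(MANIFEST_RE.findall(text))
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", fields.get("Version", ""))
    if m and fields.get("Title", "").lower().startswith("spring-"):
        return int(m.group(1)), int(m.group(2)), int(m.group(3))
    return None


def scan_archive(data: bytes, path: str, findings: List[dict]) -> None:
    """Inspect one in-memory archive, then recurse into every nested archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                            # .jar by name only; not a zip, skip it
    with zf:
        m = SPRING_JAR_RE.search(path)
        if m:
            version: Optional[Version] = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
        else:
            version = _version_from_manifest(zf)
        if version is not None:
            upgrade = classify(version)
            findings.append({"path": path, "version": ".".join(map(str, version)),
                             "vulnerable": upgrade is not None, "upgrade_to": upgrade})
        for name in zf.namelist():
            if NESTED_ARCHIVE_RE.search(name):
                scan_archive(zf.read(name), f"{path}!/{name}", findings)


def scan_bytes(data: bytes, path: str) -> List[dict]:
    findings: List[dict] = []
    scan_archive(data, path, findings)
    return findings


def _jar(title: str, version: str) -> bytes:
    """Constructed stand-in for a Spring jar: a manifest only, no classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n"
                    f"Implementation-Title: {title}\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()


def build_sample_ear() -> bytes:
    """Constructed EAR -> WAR -> jars tree exercising both detection paths."""
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/spring-beans-5.3.17.jar", _jar("spring-beans", "5.3.17"))
        zf.writestr("WEB-INF/lib/spring-core-5.3.18.jar", _jar("spring-core", "5.3.18"))
        # Shaded/renamed jar: only its manifest reveals spring-webmvc 5.2.19.
        zf.writestr("WEB-INF/lib/framework-all.jar", _jar("spring-webmvc", "5.2.19"))
        zf.writestr("WEB-INF/lib/not-a-jar.jar", b"plain text, not a zip")
    ear = io.BytesIO()
    with zipfile.ZipFile(ear, "w") as zf:
        zf.writestr("app.war", war.getvalue())
    return ear.getvalue()


if __name__ == "__main__":
    for f in scan_bytes(build_sample_ear(), "app.ear"):
        state = f"VULNERABLE, upgrade to {f['upgrade_to']}" if f["vulnerable"] else "ok"
        print(f"{f['path']}: Spring {f['version']} -> {state}")
```

To scan a real deployment, read each `.jar`, `.war` or `.ear` from disk and pass its bytes and path to `scan_bytes`; the nested path notation (`app.ear!/app.war!/WEB-INF/lib/...`) tells you exactly which archive to rebuild. Two caveats: a jar whose name and manifest have both been stripped will be missed by these heuristics, which is why a deep scan that inspects the Spring class files themselves, as the page describes, is more robust; and a vulnerable version on disk is necessary but not sufficient for exploitability, since the other prerequisites listed above (JDK 9+, Tomcat, WAR packaging) must also hold.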

Separately, Spring Cloud Function is affected by CVE-2022-22963, a distinct remote code execution vulnerability that is not Spring4Shell. We recommend applying the latest Spring Cloud Function security updates as well.

Vulnerable Version    Upgrade To
3.1.6                 3.1.7
3.2.2                 3.2.3

End Cyber Risk For Your Organization with Arctic Wolf

Spring4Shell underscores the advantage of security operations and Arctic Wolf’s concierge delivery model. Our teams worked side by side with customers in the immediate wake of the disclosure to identify known indicators and prioritize mitigation and patching on impacted systems.

Arctic Wolf continually updated and distributed lists of affected services, identified patches, and worked with customers to mitigate the impact of CVE-2022-22965. This real-time communication and concierge delivery model enabled Arctic Wolf customers to quickly mitigate the immediate impact of this and other 0-day threats.

About Arctic Wolf:

Arctic Wolf is the global leader in security operations, delivering the first cloud-native security operations platform to end cyber risk. Powered by threat telemetry spanning endpoint, network, and cloud sources, the Arctic Wolf® Security Operations Cloud ingests and analyzes trillions of security events each week to enable critical outcomes for most security use cases. The Arctic Wolf® Platform delivers automated threat detection and response at scale and empowers organizations of any size to stand up world-class security operations with the push of a button.

For more information about Arctic Wolf, visit arcticwolf.com.