Arctic Wolf has analyzed the published proof-of-concept exploit for Spring4Shell and has confirmed the exploit works against Java applications that leverage the Spring Framework and meet the following prerequisites:
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older, unsupported versions
- Running JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as a WAR (in contrast to a Spring Boot executable jar)
- Java application with either the spring-webmvc or spring-webflux dependency
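The prerequisites above can be turned into a mechanical check. The script below is an added example written for this page; it is not Arctic Wolf's Spring4Shell Deep Scan Tool and does not attempt exploitation. It opens a WAR, looks for a spring-webmvc or spring-webflux jar under WEB-INF/lib, compares the version against the affected ranges (5.3.x below 5.3.18, 5.2.x below 5.2.20, and anything older than 5.2, which the bulletin lists as affected), parses the JDK feature version from a `java -version` banner, and combines those with a Tomcat flag supplied by the caller (whether the WAR sits in a Tomcat webapps directory cannot be read from the archive itself). The sample WAR and the `java -version` banner are constructed in the script for offline use; the function names are this example's own.

```python
"""Prerequisite check for CVE-2022-22965 (Spring4Shell) against a WAR deployment.

Added example only: it applies the bulletin's prerequisites (affected Spring
Framework version, JDK 9+, Tomcat, WAR packaging, spring-webmvc/webflux
present) and nothing else. It is not Arctic Wolf's Deep Scan Tool.
"""
import io
import re
import zipfile

# First patch release of each affected line that is NOT affected
# (5.3.18 and 5.2.20; the bulletin lists 5.3.0-5.3.17 and 5.2.0-5.2.19).
FIRST_FIXED_PATCH = {(5, 3): 18, (5, 2): 20}

# Matches WEB-INF/lib/spring-webmvc-5.3.17.jar and spring-webflux-5.3.17.RELEASE.jar
JAR_RE = re.compile(
    r"^WEB-INF/lib/(spring-web(?:mvc|flux))-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$"
)


def spring_version_affected(version):
    """True when a (major, minor, patch) Spring Framework version is in an affected range.

    Lines older than 5.2 are unsupported and listed as affected; lines newer
    than 5.3 post-date the fix and are not flagged by this check.
    """
    major, minor, patch = version
    if (major, minor) < (5, 2):
        return True
    fixed = FIRST_FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed


def jdk_feature_version(java_version_output):
    """Extract the JDK feature version from `java -version` output.

    Handles the legacy '1.8.0_312' scheme (-> 8) and the modern '17.0.2' scheme (-> 17).
    """
    m = re.search(r'version "(\d+)(?:\.(\d+))?', java_version_output)
    if not m:
        raise ValueError("no version string in: %r" % java_version_output)
    major = int(m.group(1))
    if major == 1 and m.group(2):  # legacy 1.x numbering: 1.8 is JDK 8
        return int(m.group(2))
    return major


def find_spring_web_jar(war_bytes):
    """Return (artifact, (major, minor, patch)) for spring-webmvc/webflux in WEB-INF/lib, or None."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.match(name)
            if m:
                return m.group(1), tuple(int(x) for x in m.groups()[1:])
    return None


def assess_war(war_bytes, java_version_output, tomcat):
    """Combine the bulletin's prerequisites into one verdict for a WAR.

    `tomcat` is supplied by the caller (e.g. the WAR was found under a Tomcat
    webapps/ directory); WAR packaging is implied by what is being inspected.
    """
    jar = find_spring_web_jar(war_bytes)
    jdk = jdk_feature_version(java_version_output)
    result = {
        "spring_web_jar": jar[0] if jar else None,
        "spring_version": jar[1] if jar else None,
        "affected_spring_version": bool(jar) and spring_version_affected(jar[1]),
        "jdk_9_plus": jdk >= 9,
        "tomcat": tomcat,
    }
    result["meets_prerequisites"] = all(
        (result["affected_spring_version"], result["jdk_9_plus"], tomcat)
    )
    return result


def build_sample_war(spring_version):
    """Constructed sample WAR with empty jar entries, for offline testing only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/spring-core-%s.jar" % spring_version, b"")
        war.writestr("WEB-INF/lib/spring-webmvc-%s.jar" % spring_version, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed `java -version` banner, not captured from a real host.
    banner = 'openjdk version "11.0.14" 2022-01-18'
    for v in ("5.3.17", "5.3.18"):
        print(v, assess_war(build_sample_war(v), banner, tomcat=True))
```

A result with `meets_prerequisites` set only says the deployment matches the conditions under which the published POC is known to work; a WAR that fails one condition (for example, JDK 8) should still be patched, since the Spring advisory treats the affected versions as vulnerable regardless of how the POC behaves.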
Arctic Wolf's Response to the Spring4Shell Exploit
ON MARCH 30:
Security researchers published proof-of-concept (POC) exploit code for a then-unconfirmed vulnerability dubbed “Spring4Shell”, a remote code execution vulnerability in the Spring MVC Java framework.
The Arctic Wolf Threat Research team began investigating the POC exploit code made available by the researchers.
Within hours, Arctic Wolf released a security bulletin to customers assessing the impact of the alleged vulnerability in Spring Framework MVC and the feasibility of exploitation in the wild.
Arctic Wolf also released a public-facing security bulletin on its website.
ON MARCH 31:
The Arctic Wolf Threat Research team confirmed that some Java applications using the Spring Framework were vulnerable to the POC exploit under the specific conditions listed above. Spring published a security advisory confirming the vulnerability and releasing patches, and Spring4Shell was assigned CVE-2022-22965. Arctic Wolf confirmed that detections were in place for the malicious activity commonly carried out by threat actors after exploiting vulnerabilities such as Spring4Shell.
Arctic Wolf began developing a Spring4Shell Deep Scan Tool, to be run on systems believed to host Java applications, that detects CVE-2022-22965 at the source. In addition, Arctic Wolf integrated third-party signatures into the Managed Risk internal, external and host-based scanning services to identify instances of CVE-2022-22965.
Arctic Wolf sent another security bulletin to customers covering these developments and updated the public-facing security bulletin.
ON APRIL 1:
Within two days, the scanning tool was deployed and tested in several live customer environments to verify effectiveness and consistency.
Arctic Wolf made the “Spring4Shell Deep Scan Tool” available on GitHub to the public and customers at the same time.
Arctic Wolf’s Managed Risk has updated its scans to detect the Spring4Shell vulnerability. These detections are live in your Managed Risk solution now.