In this article:
This issue type is pending release.
Name in API: webapp_vulnerable-to-spring4shell
Severity level: Informational (In Scoring 2.0)
Low (in Scoring 3.0)
Factor: Application Security
Why this matters
We detected a web application in your network that may be running a version of Spring Core Framework with vulnerability, Spring4Shell, which is under active exploitation. Threat actors can exploit this vulnerability to access a website’s internal data and possibly attack other parts of the internal network.
Spring Core is a popular programming framework used in many Java-based applications, which makes the vulnerability more prevalent. Spring4Shell has the designation CVE-2022-22965 and a high-severity CVSS score of 9.8. In an exploit, a threat actor can remotely execute malicious code on a web server, gain access to a website’s internal data and connected databases, gain more permissions, and then launch additional attacks in the breached network.
Spring versions up to 5.3.17 or 5.2.19, depending on Spring variant, are vulnerable.
How we determine if this issue is present
Our Threat Research and Intelligence team augmented our daily scans of the internet with passive detection for the following conditions that indicate exploitability:
- A Spring MVC or Spring WebFlux application is running on Java Development Kit (JDK) version 9 or later, which may be vulnerable to remote code execution through data binding.
- The application is running on a Tomcat server as a web archive (WAR) deployment.
- Executable JAR, which is the default deployment method for Spring Boot is not vulnerable to the exploit.
Note: There may be other ways to exploit it this vulnerability, which warrants continuous monitoring of information from trusted security industry and community sources.
How you can remediate it
The best way to fix SpringShell is to upgrade Spring Framework to version 5.2.20 or 5.3.18, depending on your variant.
If you are using Spring Boot directly, upgrade to version 2.6.6.
Tip: If you are unable to patch, see the Spring Blog for additional methods.
How you can resolve it in SecurityScorecard
When submitting a Resolution request, ensure you include supporting evidence where necessary. This will greatly assist us in ensuring your issue is resolved in a timely manner. See the following options for resolving this issue type:
I have fixed this
Indicate that you have applied the latest patches for Spring Framework or used an alternate remediation method recommended by Spring.
I have a compensating control
There are no compensating controls for this issue type.
This is not my IP or domain
Indicate that the affected assets do not belong to your organization.
Note: To prevent future findings on specific assets, request their removal from your Digital Footprint.
I cannot reproduce this issue and I think it’s incorrect
Provide a reason or evidence that the finding is inaccurate.
Information about this vulnerability changes rapidly, so monitor trusted industry and community sources for updates, including the following:
- Spring4Shell: 12 year old vulnerability springs back to life
- Spring Official Post with Patches/Recommendations
- Millions of Installations Potentially Vulnerable to Spring Framework Flaw
- Spring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities in Spring
- Spring4Shell – What Happened, Who’s Vulnerable, and How to Mitigate
- Spring4Shell: The zero-day RCE in the Spring Framework explained
- PoC Exploit on GitHub