A vulnerability in the Spring Framework has been reported and a CVE has been issued. This notice advises of the vulnerability, remediation, and initial steps taken by Ascend.
What is Spring Framework?
Spring Framework is used to develop enterprise-level applications in Java. It is a platform that provides comprehensive infrastructure for model-view-controller (MVC) based applications, designed to reduce manual configuration and improve memory management. It also makes code more reusable and easier to maintain by applying common design patterns consistently across an application.
Who is vulnerable?
• Spring Framework versions before 5.2.20 or 5.3.18, running on Java Development Kit (JDK) version 9 or higher
• Running on Apache Tomcat
• Using the spring-webmvc or spring-webflux dependency
• Using Spring parameter binding configured to bind to a non-basic parameter type, such as Plain Old Java Objects (POJOs)
• Deployed as a packaged web application archive (WAR)
• A writable file system, such as the webapps or ROOT directory
Vulnerability exploitation
The vulnerability occurs when special objects or classes are exposed under the specific conditions described above. It is quite common for request parameters to be bound to a POJO that is not annotated with @RequestBody, which is how parameters are extracted from HTTP requests. Every such POJO exposes a class variable, which references the class of the object that the HTTP parameters are mapped to.
Threat actors can reach that object directly by naming the class variable in their requests. All child properties of the object are likewise reachable through the class object, so by following chains of properties an attacker can reach other valuable objects on the system. (See the sources for a full technical write-up.)
Remediation
A patch for Spring4Shell has already been released. The Spring project strongly urges enterprises to do the following:
• Upgrade Spring Framework to version 5.3.18+ or 5.2.20+.
• Upgrade Spring Boot to version 2.6.6+ or 2.5.12+.
Workarounds
If patching is not immediately possible, the following workarounds have been recommended:
• Maintain a disallow list (blocklist) in the web application firewall that blocks strings containing values such as "class.*", "Class.*", "*.class.*", and "*.Class.*".
• Downgrading to a lower JDK version, such as version 8, might help. However, it could impact application features and expose the application to other attacks that are mitigated in higher JDK versions.
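The WAF disallow list described in the first workaround can also be turned into a detection check for security operations. The following Python script is an added example, not part of this notice or of Spring's own tooling: it treats the four patterns as wildcard rules, matches them against decoded request parameter names (the names Spring binds, rather than the values), and runs that check over constructed sample access log lines to surface requests that would have tripped the rule.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Disallow-list patterns from the workaround above; '*' is a wildcard, as in a WAF rule.
BLOCKLIST_GLOBS = ("class.*", "Class.*", "*.class.*", "*.Class.*")


def glob_to_regex(glob):
    """Turn a '*'-wildcard pattern into an anchored regex; every other character is literal."""
    return re.compile("^" + re.escape(glob).replace(r"\*", ".*") + "$")


BLOCKLIST = [glob_to_regex(g) for g in BLOCKLIST_GLOBS]


def blocked_params(query):
    """Return the parameter names in a query/form string that match the disallow list.

    Names are compared after percent-decoding (parse_qsl decodes them), so an
    encoded dot such as %2E is treated the same as a literal one.
    """
    names = {name for name, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(n for n in names if any(p.match(n) for p in BLOCKLIST))


# Combined Log Format prefix: client, identd, user, [timestamp], "METHOD target PROTOCOL"
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def scan_access_log(lines):
    """Return (client, method, path, matched_names) for each request whose query string trips the list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line: skip rather than crash
        target = urlsplit(m.group("target"))
        matched = blocked_params(target.query)
        if matched:
            hits.append((m.group("client"), m.group("method"), target.path, matched))
    return hits


# Constructed sample log lines (not real traffic); the second and third carry disallowed names.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2022:10:00:01 +0000] "GET /app/greet?name=alice HTTP/1.1" 200 512 "-" "curl/7.79"',
    '203.0.113.7 - - [31/Mar/2022:10:00:02 +0000] "GET /app/greet?name=bob&class.example=x HTTP/1.1" 200 512 "-" "curl/7.79"',
    '198.51.100.9 - - [31/Mar/2022:10:00:03 +0000] "GET /app/form?user.Class.example=y HTTP/1.1" 400 0 "-" "curl/7.79"',
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    for client, method, path, names in scan_access_log(SAMPLE_LOG):
        print(f"{client} {method} {path}: disallowed parameter names {names}")
```

Access logs only record the query string, so POST form bodies are invisible to this scan; it complements the WAF rule (which sees the full request) rather than replacing it, and names such as "classroom" or "subclass" are deliberately not flagged because the patterns require the dot.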
Additional Ascend Actions
We have blocked all known IOCs throughout our environments. These consist of SHA hashes, IP addresses, and a URL (see below).