20 April 2022

What’s the Spring4Shell Vulnerability and Why it Matters

Synack

By Kim Crawley

The impact of some software vulnerabilities is so far-reaching and affects so many applications that the potential damage is near impossible to measure. The series of vulnerabilities known as Spring4Shell is a perfect example.

The vulnerability is found in the Spring Framework, which is used in too many Java-based applications to name. The framework contains modules that provide data access and authentication features, so there’s potential for disaster if an attacker can exploit it.

Vx-underground shared news of the discovery of Spring4Shell and linked to a proof-of-concept exploit via Twitter on March 30. The vulnerability enables remote code execution and affects Spring Core running on JDK (Java Development Kit) 9 through 18. Frustratingly, Spring4Shell is a bypass of the fix for another remote code execution vulnerability that researchers discovered in 2010. That alone emphasizes how critical Spring4Shell is, and how difficult it is to patch or otherwise mitigate.

Because Spring Framework’s modules have so many functions and because of how Spring Framework is used in so many different types of networking applications, there are many ways to exploit Spring4Shell.

One worrisome example is how Spring4Shell has been used to deploy Mirai malware and gain remote root access.

First surfacing in 2016, Mirai botnet malware has been used by attackers to launch crippling attacks, and now it’s coming back with a vengeance. It works by infecting routers and servers and giving attackers control of massive botnets. One of the most damaging Mirai attacks hit the Dyn DNS network hard and took out much of the internet in October 2016.

Now, Spring4Shell is aiding the return of Mirai. Spring4Shell’s bugs have been used to write a JSP web shell onto web servers with a carefully crafted request. Remote attackers then use the shell to execute commands with root access. Mirai is downloaded to the web server’s “/tmp” folder before execution.
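A defender-side hunt for the two artefacts just described (a freshly written JSP in a web root and an executable staged under /tmp), written as an added example that is not code from the original article or from any Synack tooling; the directory layout, file names and the `index.jsp` allowlist are constructed sample data.

```python
"""Hunt for the two post-exploitation artefacts described above: a JSP web
shell dropped into a web root and a payload staged in the /tmp folder."""
import stat
import tempfile
import time
from pathlib import Path


def recent_jsp_files(webroot, max_age_seconds=86400, known=frozenset()):
    """Return .jsp files under webroot modified within max_age_seconds whose
    relative path is not on the deployment's allowlist of expected pages."""
    webroot = Path(webroot)
    now = time.time()
    hits = []
    for path in webroot.rglob("*.jsp"):
        rel = path.relative_to(webroot).as_posix()
        if rel in known or not path.is_file():
            continue
        if now - path.stat().st_mtime <= max_age_seconds:
            hits.append(rel)
    return sorted(hits)


def executable_files_in_tmp(tmp_dir):
    """Return regular files under tmp_dir with any execute bit set; a web
    server normally has no reason to hold executables there."""
    tmp_dir = Path(tmp_dir)
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return sorted(
        path.relative_to(tmp_dir).as_posix()
        for path in tmp_dir.rglob("*")
        if path.is_file() and path.stat().st_mode & exec_bits
    )


def demo():
    """Build a constructed sample tree (not data from any real host) and run both checks."""
    base = Path(tempfile.mkdtemp())
    webroot, tmp_dir = base / "webapps" / "ROOT", base / "tmp"
    webroot.mkdir(parents=True)
    tmp_dir.mkdir()
    (webroot / "index.jsp").write_text("<%-- expected page --%>")  # allowlisted
    (webroot / "constructed_shell.jsp").write_text("<% /* stand-in */ %>")  # flagged
    (tmp_dir / "notes.txt").write_text("harmless, not executable")
    payload = tmp_dir / "constructed_payload"
    payload.write_bytes(b"#!/bin/sh\n")
    payload.chmod(0o755)  # flagged: executable staged in tmp
    return {
        "new_jsp": recent_jsp_files(webroot, known={"index.jsp"}),
        "tmp_executables": executable_files_in_tmp(tmp_dir),
    }
```

On a real host, point `recent_jsp_files` at the application's deployed web root and `executable_files_in_tmp` at `/tmp`, and feed the allowlist from a known-good deployment manifest.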

Spring4Shell is similar in many ways to Log4Shell, which was initially discovered in November 2021. Log4J is Apache’s Java logging utility, implemented in a plethora of network logging applications from 2001 to today. It’s a small piece of useful code that runs in a wide variety of internet servers and services. Exploiting the Log4Shell vulnerability can give attackers administrative access to all kinds of internet targets. Ars Technica’s Dan Goodin called it “arguably the most severe vulnerability ever,” and Apache started deploying patches on Dec. 6. It has not been an easy job because there are multiple CVEs and they aren’t simple to fix.

Spring4Shell and Log4Shell both pertain to Java’s vast libraries and resources. Java is one of the most commonly used application development technologies on internet servers and on a variety of types of endpoints, especially Android devices. The downside to a technology being so popular and useful is that it’ll also be a prime target for attackers. Inevitably, there will be many more devastating Java library vulnerabilities discovered in the years to come.

Businesses should quickly work to patch Spring4Shell and Log4Shell vulnerabilities across their entire networks.

Rigorous, continuous pentesting can help organizations spot these vulnerabilities quickly. The more traditional approach to pentesting just isn’t robust enough to help organizations find and fix the latest complex vulnerabilities.

Reach out today to discover how Synack can help.