Spring4Shell

Microsoft said that it's currently tracking a "low volume of exploit attempts" targeting the critical Spring4Shell (aka SpringShell) remote code execution (RCE) vulnerability across its cloud services.

The Spring4Shell vulnerability (tracked as CVE-2022-22965) impacts the Spring Framework, described as the "most widely used lightweight open-source framework for Java."

"Microsoft regularly monitors attacks against our cloud infrastructure and services to defend them better. Since the Spring Core vulnerability was announced, we have been tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities," the Microsoft 365 Defender Threat Intelligence Team said.

"We have not to date noted any impact to the security of our enterprise services and have not experienced any degraded service availability due to this vulnerability," the Microsoft Security Response Center team added.

Spring4Shell exploited to deploy web shells

Microsoft further explained in its Monday report that attackers can exploit this Spring Core flaw by sending specially crafted requests to servers running the Spring Core framework, using them to create web shells in the Tomcat root directory.

Threat actors can then use this web shell to execute commands on the compromised server.
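The web-shell attempts Microsoft describes arrive as ordinary HTTP requests whose parameter names walk a property path starting at the bound object's class, the same class.module.classLoader prefix the article's curl check below relies on. As an added example (not code from Microsoft's report or from this article), the following Python scans Tomcat access-log lines in the default common format and flags requests whose query string binds through a "class" segment. The log lines are constructed for the example, the hostnames and paths are hypothetical, and the rule deliberately matches regardless of capitalisation so attacker-chosen spelling does not evade it.

```python
import re
import urllib.parse

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
ACCESS_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real telemetry): a normal request, the probe
# from the article, a POST whose body is not logged, and a case-varied probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Mar/2022:10:12:44 +0000] "GET /app/greet?name=bob HTTP/1.1" 200 1234',
    '10.0.0.9 - - [31/Mar/2022:10:13:01 +0000] "GET /app/greet?class.module.classLoader.URLs%5B0%5D=0 HTTP/1.1" 400 0',
    '10.0.0.9 - - [31/Mar/2022:10:13:07 +0000] "POST /app/greet HTTP/1.1" 200 12',
    '10.0.0.9 - - [31/Mar/2022:10:13:09 +0000] "GET /app/greet?Class.Module.ClassLoader.URLs%5B0%5D=1 HTTP/1.1" 200 40',
]


def suspicious_param(name):
    """True when a bound property path has a 'class' segment (class.x, foo.Class.x).

    Index suffixes such as URLs[0] are split off first; the comparison is
    case-insensitive so that Class.Module... is caught as well as class.module...
    """
    segments = re.split(r'[.\[]', name)
    return any(seg.rstrip(']').lower() == 'class' for seg in segments)


def scan_access_log(lines):
    """Return one hit per log line whose query string binds through a 'class' segment."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # not a common-format line; skip it
        query = urllib.parse.urlsplit(m.group('target')).query
        # parse_qsl percent-decodes once, as the servlet container does,
        # so %5B0%5D in the log becomes [0] before the check.
        for key, _value in urllib.parse.parse_qsl(query, keep_blank_values=True):
            if suspicious_param(key):
                hits.append({'line': lineno, 'client': m.group('client'),
                             'method': m.group('method'), 'param': key,
                             'status': int(m.group('status'))})
                break
    return hits


if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Two caveats when running this over real logs: Spring also binds form-encoded POST bodies, which the access log never records (the third sample line shows such a request passing the scan), so pair this with request-body logging or a WAF rule at the edge; and a flagged line only shows an attempt, not success, so a hit should trigger a look at the Tomcat webapps directory for newly written files rather than be treated as proof of compromise.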

While some have compared this security bug's severity level with Log4Shell, a vulnerability in the ubiquitous Apache Log4j Java-based logging library, this isn't necessarily true given that Spring4Shell only impacts systems with a very particular configuration:

  • Running JDK 9.0 or later
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance; typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted
  • The application has spring-webmvc or spring-webflux dependencies

Despite this, Microsoft says that "any system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable."

Admins can check whether a server is vulnerable to Spring4Shell with the following nonmalicious request, where /path is an endpoint that binds request parameters to a Java object (an HTTP 400 response indicates that the system is vulnerable to at least one publicly available proof-of-concept (PoC) exploit):

curl host:port/path?class.module.classLoader.URLs%5B0%5D=0
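The 400 comes from Spring's data binder trying, and failing, to set class.module.classLoader.URLs[0] to "0"; a patched binder ignores the parameter and the endpoint answers as it normally would. Taken alone, a 400 can also be the endpoint's ordinary answer to a bad request, so a baseline request without the parameter is worth sending first. As an added example (not Microsoft's tooling or the article's own command), this Python wraps the curl check with that baseline comparison. The target URLs are hypothetical, the endpoint is assumed to bind query parameters via GET (POST-only binding would need the same parameter in a form body), and the verdict is only evidence about the data-binding path the public PoC uses, not a complete patch-level check.

```python
import urllib.error
import urllib.parse
import urllib.request

# The nonmalicious probe parameter from the article, before URL-encoding.
PROBE_PARAM = "class.module.classLoader.URLs[0]"


def build_probe_url(base_url):
    """Append the probe parameter to base_url, keeping any existing query string."""
    parts = urllib.parse.urlsplit(base_url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    query.append((PROBE_PARAM, "0"))  # urlencode turns [0] into %5B0%5D as in the curl command
    return urllib.parse.urlunsplit(
        (parts.scheme, parts.netloc, parts.path or "/", urllib.parse.urlencode(query), ""))


def fetch_status(url, timeout=5.0):
    """GET url and return the HTTP status code, or None when no HTTP answer arrived."""
    req = urllib.request.Request(url, headers={"User-Agent": "spring4shell-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 4xx/5xx answers still carry the status we need
    except (urllib.error.URLError, OSError):
        return None


def classify(baseline_status, probe_status):
    """Interpret the probe relative to the same request without the parameter."""
    if baseline_status is None or probe_status is None:
        return "unreachable"
    if probe_status == 400:
        # 400 only on the probe: the binder walked class.module.classLoader and
        # choked on URLs[0]. 400 on both: the endpoint rejects the request anyway.
        return "vulnerable" if baseline_status != 400 else "inconclusive"
    if probe_status == baseline_status:
        return "not indicated"  # parameter ignored: path rejected, or no binding here
    return "inconclusive"


def probe(base_url, timeout=5.0):
    """Run baseline and probe requests against one endpoint and return both results."""
    baseline = fetch_status(base_url, timeout)
    probed = fetch_status(build_probe_url(base_url), timeout)
    return {"url": base_url, "baseline": baseline, "probe": probed,
            "verdict": classify(baseline, probed)}


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python probe.py http://host:port/path
    for target in sys.argv[1:]:
        print(probe(target))
```

Run it only against systems you are authorised to test, and treat "not indicated" as exactly that: an endpoint that does not bind request parameters at all will return the same status with or without the probe even on an unpatched framework, so check several binding endpoints per application rather than one URL.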

Warnings of ongoing exploitation

Microsoft's discovery of ongoing attacks deploying Spring4Shell exploits against its cloud infrastructure comes after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog.

A Check Point report published on Tuesday estimates that CVE-2022-22965 exploitation attempts have already targeted roughly 16% of all organizations vulnerable to Spring4Shell.

Based on internally-sourced telemetry statistics, Check Point researchers detected around 37,000 Spring4Shell exploitation attempts during the last weekend alone.

On Monday, VMware also published security updates to address the Spring4Shell flaw impacting several of its cloud computing and virtualization products.

Update: Added MSRC statement.
