A closer look at CVE-2022-22965
Introduction
The Spring Framework is a platform that provides a comprehensive architecture for Model-View-Controller-based (MVC) applications designed to decrease manual configuration and improve memory management. Implementing some design patterns uniformly makes the code more reusable and easy to maintain. This is the driving factor behind using the Spring framework to develop Enterprise-level spring boot and spring cloud applications.
The recent vulnerability CVE-2022-22965 points out that Data Binding might expose a Spring MVC or Spring WebFlux application running on Java Development Kit 9+ (JDK) vulnerable to Remote Code Execution (RCE). The exploit requires the program to execute as a Web Application Resource (WAR) deployment on Tomcat.
The program is not vulnerable to the exploit if it is deployed using the default Spring Boot executable jar. However, the vulnerability can be exploited through various approaches by a TA who is familiar with it.
The SpringShell or CVE-2022-22965 vulnerability circumvents the fix for a previous vulnerability CVE-2010-1622, allowing it to be exploited once more.
The patch for CVE-2010-1622 can be bypassed because Java Development Kit (JDK) versions 9 and above have two sandbox restriction methods, which enable exploitation.
If the below conditions are satisfied, a remote attacker can access an AccessLogValve object. This is done via the parameters of the framework’s binding feature using malicious field values to trigger pipeline mechanisms and write to files in arbitrary locations.
Prerequisites for exploitation of the vulnerability require the victim system to be running:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
Technical Analysis
When specific objects or classes are accessible under certain conditions, a vulnerability is created. Request parameters are frequently bound to a Plain Old Java Object (POJO) that is not annotated with RequestBody. This aids in the extraction of parameters from HTTP requests.
The RequestBody annotation is used to indicate whether a method parameter should be bound to the body of the HTTP request.
An attacker can trigger the flaw by using the Spring framework’s getCachedIntrospectionResults function, incorrectly exposing the class object while binding the parameters shown in the original proof of concept script. Refer Figure 1.
By including the class variable in the requests, malicious actors can gain direct access to an object. As a result, by just following the property chains, they can access a surplus of additional valuable objects on the system.
The attacker can make changes to AccessValveLog by creating a .jsp file in the service’s root directory.
The properties mentioned below can be modified by an attacker, as shown in Figures 2 & 3:
Directory: The location of the access log relative to Tomcat’s root directory. This can be altered to point to a location accessible via HTTP requests – such as the directory of the web application.
Prefix: The name of the access log file’s prefix.
Suffix: The suffix of the name of the access log file. The log file’s name is a combination of the prefix and the suffix.
Pattern: A string that describes the structure of a log record. This can be adjusted so that each entry has a JSP web shell.
FileDateFormat: Setting this causes the new access log settings to take effect.
The .jsp file now contains a payload with a password-protected web shell in the format shown in Figure 4, allowing the attacker to execute further commands.
Cyble Research Lab’s Global Sensor Intelligence network indicated malicious activity linked to the SpringShell vulnerability (CVE-2022-22965). The heat map below depicts the geographic distribution of the scanner IP addresses that we have observed thus far. Our analysis indicates that the United States is being heavily targeted, followed by the Netherlands and Germany by TAs leveraging this vulnerability.
SpringShell is used to inject a JSP web shell into the web root of the web server via a specially designed request, allowing threat actors to remotely execute commands on the server.
It was observed that threat actors leverage their remote access to download and execute Mirai to the “/tmp” folder, as shown in Figure 6.
The Threat Actors behind SpringShell download numerous Mirai samples for different CPU architectures and run them using the wget.sh script, as shown in Figure 6.
Conclusion
Until this month, various Mirai botnets were among the few persistent exploiters of the Log4Shell (CVE-2021-44228) vulnerability, utilizing the bug in the widely used Log4j software to recruit affected devices into its DDoS botnet. It is probable that botnet operators are currently experimenting with other vulnerabilities that could have a significant impact, such as SpringShell, to gain access to new device pools.
These assaults could potentially expose the victim to ransomware attacks and data breaches. Thus, Mirai resource hijacking for denial of service or crypto-mining appears relatively innocuous in comparison.
Recommendations
- Upgrade to the latest Spring framework version.
- Upgrade Apache Tomcat to the latest released versions 10.0.20, 9.0.62, and 8.5.78, which rectify the attack vector on Tomcat’s side.
- Upgrade to spring framework 5.3.18 and 5.2.20, which contain the fixes, have been released.
- Downgrade to Java 8 as a viable workaround if upgrading the Spring Framework or Apache Tomcat is not viable.
- Keep operating systems and application software up to date.
- Use a strong password policy.
- Cyber security awareness training programs are a must for employees of the organization.
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 95f02f3121d1626bd7058bc074dd6b25, ba4393846787f1be224b088798d25d523567a94a, 136c2a3d4202b27259d5c99f43247ba12c09157026a812d1899e82c103d41ef9 | {MD5, SHA-1, SHA -256} | SpringShell Exploit |
| 9de8ec169cbc5d0bc8449f6ca77365b4, d9c25d2dfd9cdfde6dbf005cb80b8c19d9dfe69b, 9389c61bd1069674215678a72f02b0951f3e74d9e4d2c9ce58d58f3a15d91ae4 | {MD5, SHA-1, SHA -256} | SpringShell Exploit |
| 5749c03892ff18818b1d1badb35106e2, 1b64cb331a37bd2c858f042ebc3617f4c15f08b0, f23259498b67d7a70904d25453b2deeb23719fca0fadf925f69feacae758a44e | {MD5, SHA-1, SHA -256} | SpringShell Exploit |
| aaeb9678b275c6639d7b2598ce8e708c, f8ff2ec0f839970aadd41f78d993699380bbef38, b95017be689384eec9f3800f712ce2b6003893afeac507c7da70330fe75dd216 | {MD5, SHA-1, SHA -256} | SpringShell Exploit |
| 3de4e174c2c8612aebb3adef10027679, c2f04ab5e0f744c06ce401342e123844d96ff2a0, 4f19caf78b58d7ec120f91165c9e21fdc9a7e75c01b1b7af234c31b871781c41 | {MD5, SHA-1, SHA -256} | SpringShell Exploit |
| 8ce2bfbd31b41f9d618c0b817773bba3, 247f484f62342fbdb324799d500f060000b73197, 2dd7d5d9ff525732d7730e205c4e85005ff79395e1ecbc69071fd82d4426b37f | {MD5, SHA-1, SHA -256} | SpringShell Exploit |
| c5d26243dc953e105fa488290c8eca38, d0af2d07398aa504d83c2507249b99835a240c9f, 35cf4e1eb657b53d77b331faee7d6e48f73acd136eed9ccfda60abc1033c6166 | {MD5, SHA-1, SHA -256} | SpringShell Exploit |
| 56fea329f85c6f974c63b31e162279f8, d50a107458a043e117ad72fa32cf7454c0150eae, e3d86c64a3c5b83cb8252fc9c68aaf95857a9421ddb5c0f49d7d126242e70b02 | {MD5, SHA-1, SHA -256} | SpringShell Exploit |
| 141.164.43.95 109.201.133.100 87.120.37.231 23.128.248.12 23.128.248.24 5.2.69.50 37.187.18.212 128.31.0.13 213.61.215.54 109.70.100.19 | IP addresses |
Generic signatures and Rules
Yara Rules:
