New zero-day Remote Code Execution (RCE) vulnerabilities were discovered in Spring Framework, an application development framework and inversion of control container for the Java platform. The vulnerability potentially leaves millions of applications at risk of compromise. In two separate disclosures, zero-day RCE vulnerabilities were revealed in the Cloud and Core modules of Spring Framework.
Spring Framework “provides a comprehensive programming and configuration model for modern Java-based enterprise applications – on any kind of deployment platform” [1]. Java is one of the most commonly used development languages, and Spring is commonly cited as one of the most popular Java frameworks.
The first of the disclosures dropped on March 26, and reported on a vulnerability in the Spring Framework Cloud module, which allowed for the injection of a SPeL expression into a header value. This crafted header value would then be evaluated by the server and could result in a RCE. The vulnerability was assigned CVE-2022-22963.
The second of these disclosures was released on March 29 on Twitter by a researcher, in a since-deleted Tweet, containing a screenshot of the exploit request. Since then, the exploit was tweeted by others and published to GitHub, but again, was quickly removed. The vulnerability, called Spring Framework RCE via Data Binding on JDK 9+, comes in the form of a Java class injection flaw in Spring Core, where the JDK version is >=9.0. If exploited, an attacker can leverage this vulnerability to perform a RCE on the server. This vulnerability was assigned CVE-2022-22965.
Since the disclosures, Imperva Threat Research monitored widespread attempted exploitations of both new zero-day vulnerabilities (~5.5 million and counting as of March 31).
Imperva Delivers Protection from CVE-2022-22963
Imperva Threat Research analysts downloaded and quickly tested the exploit, verifying that both vulnerabilities are blocked out of the box by Imperva Cloud Web Application Firewall (WAF) and Imperva WAF Gateway.
Given the nature of how Imperva Runtime Protection (RASP) works, RCEs caused by CVE-2022-22963 and Spring4Shell are stopped without requiring any code changes or policy updates. If Imperva RASP is currently deployed, applications of all kinds (active, legacy, third-party, APIs, etc.) are protected.
Together, Imperva WAF and Imperva RASP provide defense-in-depth for protecting applications and APIs. Both are industry-leading products that are designed to protect against zero day threats and the OWASP Top 10 application security threats, injections and weaknesses. If you’re looking for protection from CVE-2022-22963, please contact us.
Q: How can I verify that Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell) is being blocked?
A: For CWAF customers, Imperva provides attack analytics, which shows customers any attempts to exploit CVE-2022-22963. In addition, existing rules for older vulnerabilities including CVE-2015-1427 protect against CVE-2022-22965.
For WAF Gateway customers, Imperva has signatures for older vulnerabilities, including CVE-2010-1871, CVE-2018-1260, and CVE-2015-1427 that protect against CVE-2022-22963 and CVE-2022-22965
Imperva is also in the process of pushing more specific rules that will have a clear name associated with CVE-2022-22963 and CVE-2022-22965.
Try Imperva for Free
Protect your business for 30 days on Imperva.
