
Spring4Shell Vulnerability Update

Written By Neosec Team

Spring4Shell Vulnerability Overview

On 29-March-2022, a zero-day vulnerability in the Spring Framework for Java was disclosed by a Chinese-language Twitter account and dubbed “Spring4Shell.” At first it was confused with a separate, unrelated issue in Spring Cloud Function (CVE-2022-22963) that had been published in the same week.

On 31-March-2022, Spring published an advisory and CVE-2022-22965 was assigned to Spring4Shell. Fixed versions are Spring Framework 5.3.18 and 5.2.20 (Spring Boot 2.6.6 and 2.5.12).

Both vulnerabilities allow remote code execution (RCE). Spring4Shell is the more severe of the two because it affects the Spring Framework itself (Spring MVC and Spring WebFlux data binding) rather than a single add-on library. Its known exploitation path requires JDK 9 or later and, in the public proof of concept, a WAR deployment on Apache Tomcat; Spring's advisory noted that other ways to exploit it may exist.

Impact on Neosec

Neither Spring vulnerability (CVE-2022-22963, CVE-2022-22965) affects any Neosec component.

Detecting Spring4Shell With Neosec

Neosec monitors API activity using a myriad of out-of-band methods, which ensures broad coverage with minimal friction.

Neosec Command Injection detection models already detect Spring4Shell and Spring Cloud Function RCE payloads. In addition, anomaly detection models also alert on these exploitation attempts.

Spring4Shell Vulnerability Details

Spring4Shell is a flaw in Spring MVC / WebFlux data binding. When Spring binds request parameters onto a Java object, it walks property paths supplied by the client. Spring already blocked the `class.classLoader` path, but on JDK 9 and later the `class.module.classLoader` path reaches the same class loader and was not blocked. As can be seen in multiple instances of publicly shared proof-of-concept code, attackers send an HTTP POST whose parameter names traverse `class.module.classLoader.resources.context.parent.pipeline.first.*` to reconfigure Tomcat's AccessLogValve (its log pattern, directory, prefix and suffix), so that the access log is written into the web root as a .jsp file containing attacker-supplied Java code. Tomcat then compiles and serves that JSP, which lets the attacker run OS commands on the server.
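The following is an added example, not Neosec's detection model or code from the Spring project. It shows the shape of the out-of-band check described in the detection section above: parse captured API requests, decode parameter names the way Spring's data binder would see them (dot and bracket property paths, single and double URL encoding), and flag the `class.module.classLoader` / `class.classLoader` traversal that the Spring4Shell proof of concept relies on, plus the `spring.cloud.function.routing-expression` header that CVE-2022-22963 evaluated as SpEL. The request records, the parameter values and the `classify` / `scan` function names are constructed for illustration.

```python
"""Flag Spring4Shell (CVE-2022-22965) and Spring Cloud Function (CVE-2022-22963)
exploitation attempts in captured API traffic.

Added example; the request records below are constructed, not real traffic,
and the function names are this example's own, not Neosec's."""
import re
from urllib.parse import parse_qsl, unquote_plus

# Property paths the public Spring4Shell PoCs walk from the bound object to the
# Tomcat class loader. Case-insensitive and tolerant of the ".", "[" and "]"
# property-path syntax Spring's data binder accepts.
SPRING4SHELL_PATH = re.compile(r"class[.\[\]]+(module[.\[\]]+)?classloader", re.I)

# Spring Cloud Function routed the value of this header straight into SpEL.
SCF_HEADER = "spring.cloud.function.routing-expression"


def _param_names(form_encoded: str):
    """Yield decoded parameter names from a query string or form body."""
    for name, _value in parse_qsl(form_encoded, keep_blank_values=True):
        # parse_qsl decodes once; a second pass catches doubly encoded names
        # such as %2563lass.module.classLoader (-> %63lass... -> class...).
        yield unquote_plus(name)


def classify(request: dict) -> list:
    """Return the CVE identifiers whose exploitation signature the request matches."""
    findings = []
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}

    names = list(_param_names(request.get("query", "")))
    if "application/x-www-form-urlencoded" in headers.get("content-type", "").lower():
        names += list(_param_names(request.get("body", "")))
    if any(SPRING4SHELL_PATH.search(n) for n in names):
        findings.append("CVE-2022-22965")

    if SCF_HEADER in headers:
        findings.append("CVE-2022-22963")
    return findings


def scan(requests: list) -> list:
    """Return (index, path, findings) for every request that matched something."""
    hits = []
    for i, req in enumerate(requests):
        found = classify(req)
        if found:
            hits.append((i, req.get("path", ""), found))
    return hits


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    {   # benign form post; "class" as a plain field name must not alert
        "method": "POST", "path": "/api/users", "query": "",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": "name=alice&class=premium&classification=internal",
    },
    {   # Spring4Shell PoC shape: data binding reaches Tomcat's AccessLogValve.
        # The JSP body in the "pattern" value is replaced by PAYLOAD here.
        "method": "POST", "path": "/api/users", "query": "",
        "headers": {"Content-Type": "application/x-www-form-urlencoded",
                    "suffix": "%>//", "c1": "Runtime", "c2": "<%"},
        "body": ("class.module.classLoader.resources.context.parent.pipeline.first.pattern="
                 "%25%7Bc2%7Di%20PAYLOAD%20%25%7Bsuffix%7Di"
                 "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
                 "&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT"
                 "&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell"
                 "&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="),
    },
    {   # same traversal on a GET, bracket syntax and double-encoded first byte
        "method": "GET", "path": "/api/users",
        "query": "%2563lass%5Bmodule%5D%5BclassLoader%5D.resources.context.parent"
                 ".pipeline.first.pattern=x",
        "headers": {},
        "body": "",
    },
    {   # Spring Cloud Function: SpEL delivered in the routing-expression header
        "method": "POST", "path": "/functionRouter",
        "query": "",
        "headers": {"Content-Type": "text/plain",
                    "spring.cloud.function.routing-expression":
                        'T(java.lang.Runtime).getRuntime().exec("id")'},
        "body": "x",
    },
]

if __name__ == "__main__":
    for index, path, found in scan(SAMPLE_REQUESTS):
        print(f"request #{index} {path}: {', '.join(found)}")
```

Because the check runs on a copy of the traffic rather than in the request path, a false positive costs an analyst a look rather than a dropped request, which is why the parameter-name regex is deliberately broad (any `class…classLoader` traversal, not only the exact Tomcat path) and value contents are not inspected at all.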

Protect your APIs with Neosec

  • Neosec monitors API activity out of band, ensuring easy setup, minimal friction and no impact on your production environment
  • Neosec detection models alert on exploitation attempts as well as behavioral anomalies
  • Covering all your APIs is important for discovering all potentially vulnerable systems
  • Neosec recommends that organizations collect detailed activity data for externally-facing APIs. Insufficient Logging & Monitoring is item API10 in the OWASP API Security Top 10 (2019)
  • The Neosec API activity-based deployment model enables covering all services without implementing any service-specific code
