On March 31st, two Remote Code Execution (RCE) vulnerabilities were discovered in the very popular Spring Framework. These vulnerabilities, CVE-2022-22963, and CVE-2022-22965 targeted the Spring Core module of the Spring Framework. Spring is maintained by Spring.io (a subsidiary of VMWare) and is often used by many Java-based enterprise software frameworks.
The Spring Framework is an open-source application framework and inversion of the control container for the Java platform. It is widely used in the industry by various programs and systems due to its powerful features and ease of use. Some well-known products such as Spring Boot and Spring Cloud are developed with the Spring Framework.
The Spring Core (spring-core) is the core of the framework that provides powerful features such as inversion of control and dependency injection. It contains the core, beans, context, and Spring Expression Language (SpEL) modules.
The SafeBreach Hacker’s Playbook has been updated with new attacks that include these new TTPs. These attacks are:
- #6951 – Remote exploitation of Spring Cloud Function vulnerability CVE-2022-22963 (WAF)
- #6952 – Remote exploitation of Spring Framework vulnerability CVE-2022-22965 (WAF)
- #6953 – Remote exploitation of Spring Cloud vulnerability CVE-2022-22963 RCE
The vulnerability CVE-2022-22963 targets the Spring Cloud Function. Spring Cloud Function has been adopted by many tech giants including AWS Lambda, Azure, Google Cloud Functions, Apache OpenWhisk, and possibly other “serverless” service providers. The vulnerability allows attackers to trigger remote command execution by injecting SpEL (Spring Expression Language) expressions.
The vulnerability CVE-2022-22965 (SpringShell/Spring4Shell) targets the Spring Framework which is widely used in web system development. This vulnerability allows an attacker RCE and could result in a web shell being installed onto the compromised server that allows further command execution.
What you should do now
As both vulnerabilities target popular Java Spring frameworks and the exploits are straightforward and already available online, attackers could potentially leverage them to target enterprises. We encourage you to run the attacks available in the SafeBreach hacker’s playbook to understand their impact on your organization. Additionally, we would also recommend you review patching instructions available for CVE-2022-22963 and CVE-2022-22965.