start portlet menu bar

HCLSoftware: Fueling the Digital+ Economy

Display portlet menu
end portlet menu bar
  • Contact us
    • start portlet menu bar end portlet menu bar
    Close
    Select Page
    HCLSoftware
      | April 4, 2022

    SpringShell Vulnerability Detected

    Rob Cuddy
    Rob Cuddy
    Global Application Security Evangelist
    Cody Travis
    Cody Travis Co-Author
    Application Security Technical Advisor
    SpringShell Vulnerability Detected

    Two new Spring Framework vulnerabilities have surfaced over this last week, and both are considered critical.

    The first of these is an unauthenticated Remote Code Execution (RCE) issue in the Spring Cloud Function and has been listed as a vulnerability with an identifier of CVE-2022-22963. The other is also an unauthenticated RCE issue, but this is in the core Spring Framework and with the identifier CVE-2022-22965. There are patches available for both issues as of March 31.

    CVE-2022-22965 also known as Spring4Shell or SpringShell

    Root cause analysis has determined that the issue is due to a function in the Spring Framework exposing the class object when parameters are bound. This parameter binding allows HTTP request parameters to be bound to application-level objects.

    With the class object exposed, this leads to remote code execution by allowing attackers to manipulate the class object by simply adding URL parameters to an HTTP request. Proof of Concept exploits involve dropping a webshell on the Tomcat server by altering the log path and writing the webshell contents to a JSP file. Attackers can then issue arbitrary commands to be executed on the server.  Since the Proof-of-concept exploit has been published, active exploitation has been observed in the wild.

    CVE-2022-22965 has a severity of “Critical”, and therefore, a top priority of developers that use the Spring Framework should be upgrading to 5.3.18 or 5.2.20.

    If you are not sure if your application is at risk, then the fastest way to identify if an application is vulnerable is through Software Composition Analysis techniques (SCA).

    SCA will determine if an application contains the vulnerable version of the Spring Framework, as well as any other publicly known vulnerabilities.

    If you need a tool for this kind of scanning, HCL AppScan on Cloud is available and contains capabilities for identifying these and other vulnerabilities.

    Figure 1 below illustrates highlighting CVE-2022-22965 found in a spring-core jar file.

     

    CVE-2022-22965 found in a spring-core jar file

    Figure 2 below shows part of an Open-Source Report containing specific vulnerability findings.

     

    Open-Source Report containing specific vulnerability findings

     

    Current customers that own a license for OSA can select to scan for Open Source and third-party libraries.  If you are not a current AppScan on Cloud customer, these SCA capabilities are also available in our free 30 day trial, as well.

     

    Comment wrap
    Rob Cuddy
    Rob Cuddy
    Global Application Security Evangelist
    Rob is currently a Global Application Security Evangelist for HCL providing thought leadership for the application security space, particularly as it relates to DevOps and DevSecOps initiatives. Prior to this role, Rob was with IBM for 14 years with roles in Application Security Evangelism, Worldwide Sales Enablement, Tiger Teams and Field Services for the Management and Platform Segment offerings in IBM Cloud. Rob has worked with clients all over the world to help address their challenges in ways that bring a positive impact to the business bottom line. Rob has spoken at numerous events and conferences, including Evanta CISO Summits, THINK, InterConnect, DevloperConnect, IBM Top Guns and many customer events. Prior to IBM, Rob spent 13 years with 5 different companies working as a configuration management specialist with an emphasis on Rational tooling. Rob graduated from the University of Southern California with a degree in Aerospace Engineering and is an avid fan of college football. When not at work, Rob enjoys spending time with his family, serving with his church, running and cycling. You can connect with Rob through the Application Paranoid podcast, via LinkedIn, Facebook and Instagram but the best way is by joining the “Robservatory” on twitter using the handle @Robservatory.
    Read more
    Cody Travis
    Cody TravisCo-Author
    Application Security Technical Advisor
    Cody is currently an Application Security Technical Advisor for HCL providing industry best practices to clients around the world regarding application security in the SDLC. Cody has previously worked at IBM on the North America AppScan technical team working in a presales and consulting role. Cody has over 10 years experience with a background in network and application penetration testing as well as working with enterprise application security tools. Cody graduated from the University of Memphis with a degree in Computer Science and enjoys hacking, gaming, travel, and spending time with friends and family. The best way to reach Cody is through LinkedIn.
    Read more

    Topics in this article:

    AppScanAppScan on Cloud

    Start a Conversation with Us

    We’re here to help you find the right solutions and support you in achieving your business goals.

    Connect with us

    Submit a Comment

    Your email address will not be published. Required fields are marked *

    * HCL provides software and services to the U.S. Federal Government through its partner Four, Inc. Please contact Four, Inc. at the U.S. Federal Government contact page.


    appscan
      |  December 20, 2023
    Secure Application Code Against Vulnerabilities Faster with HCL AppScan Fix Groups
    Stop in for an update on how HCL AppScan helps find vulnerabilities and security risks, starting with built in AI that dramatically reduces the number of scan findings and practically eliminates false positives.
    Uffe Sorensen
    Itay Levin
    Design Lead for HCL AppScan
    appscan
      |  December 5, 2023
    HCLSoftware Named a Strong Performer in The Forrester Wave™ - Static Application Security Testing, Q3 2023
    HCLSoftware has been named a strong performer in The Forrester Wave™ - Static Application Security Testing, Q3 2023 Report. Read the blog to know more.
    Uffe Sorensen
    Adam Cave
    Product Marketing Manager, HCL AppScan
    appscan
      |  August 2, 2023
    Wider Application Security Coverage with HCL AppScan DAST and Vulnerable Third-Party Component Detection
    HCL AppScan DAST (dynamic application security testing) is an industry-leading technology that scans your applications and APIs against potential vulnerabilities.
    Uffe Sorensen
    Kamal Kumar Chandrashekar
    Senior Product Manager, HCL AppScan
    start portlet menu bar end portlet menu bar