Analytics Story: Spring4Shell CVE-2022-22965

Description

Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.

Why it matters

An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration. According to Spring, the following requirements were included in the vulnerability report, however the post cautions that there may be other ways in which this can be exploited so this may not be a complete list of requirements at this time:

  • Java Development Kit (JDK) 9 or greater
  • Apache Tomcat as the Servlet container
  • Packaged as a WAR
  • spring-webmvc or spring-webflux dependency

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Java Writing JSP File Exploit Public-Facing Application, External Remote Services TTP
Linux Java Spawning Shell Exploit Public-Facing Application, External Remote Services TTP
Spring4Shell Payload URL Request Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services TTP
Web JSP Request via URL Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services TTP
Web Spring4Shell HTTP Request Class Module Exploit Public-Facing Application, External Remote Services TTP
Web Spring Cloud Function FunctionRouter Exploit Public-Facing Application, External Remote Services TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Nginx Access N/A nginx:plus:kv /var/log/nginx/access.log
Splunk Stream HTTP Splunk icon Splunk stream:http stream:http
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational

References


Source: GitHub | Version: 2