Analytics Story: Spring4Shell CVE-2022-22965
Description
Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.
Why it matters
An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration. According to Spring, the following requirements were included in the vulnerability report, however the post cautions that there may be other ways in which this can be exploited so this may not be a complete list of requirements at this time:
- Java Development Kit (JDK) 9 or greater
- Apache Tomcat as the Servlet container
- Packaged as a WAR
- spring-webmvc or spring-webflux dependency
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Nginx Access | N/A | nginx:plus:kv |
/var/log/nginx/access.log |
| Splunk Stream HTTP |  Splunk |
stream:http |
stream:http |
| Sysmon EventID 1 |  Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon for Linux EventID 1 |  Linux |
sysmon:linux |
Syslog:Linux-Sysmon/Operational |
References
Source: GitHub | Version: 2