Description

Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Web
  • Last Updated: 2022-04-05
  • Author: Michael Haag, Splunk
  • ID: dcc19913-6918-4ed2-bbba-a6b484c10ef4

Narrative

An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration.
According to Spring, the following requirements were included in the vulnerability report; however, the post cautions that there may be other ways to exploit the flaw, so this may not be a complete list of requirements at this time:

  • Java Development Kit (JDK) 9 or greater
  • Apache Tomcat as the Servlet container
  • Packaged as a WAR
  • spring-webmvc or spring-webflux dependency

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Java Writing JSP File | Exploit Public-Facing Application, External Remote Services | TTP |
| Linux Java Spawning Shell | Exploit Public-Facing Application, External Remote Services | TTP |
| Spring4Shell Payload URL Request | Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services | TTP |
| Web JSP Request via URL | Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services | TTP |
| Web Spring Cloud Function FunctionRouter | Exploit Public-Facing Application, External Remote Services | TTP |
| Web Spring4Shell HTTP Request Class Module | Exploit Public-Facing Application, External Remote Services | TTP |
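The table above names the detections but not the logic behind them. The following is an added example, not Splunk's own searches, that shows how five of the six detections map onto the Web and Endpoint data sources when applied to constructed sample events. The indicators it keys on are assumptions drawn from the detection names and the public advisories for CVE-2022-22965 (requests carrying a `class.module.classLoader` parameter) and CVE-2022-22963 (requests to a `/functionRouter` endpoint); the field names (`src`, `url`, `parent_process_name`, `file_path`) are also assumed, loosely following the Web and Endpoint datamodels. The "Spring4Shell Payload URL Request" detection depends on a list of known payload file names that is not reproduced here and is left out.

```python
"""Toy detection logic mirroring the Spring4Shell analytic story.

Added example, not Splunk's own content. Runs over constructed sample
events; indicators are assumptions taken from the detection names and the
public CVE-2022-22965 / CVE-2022-22963 advisories.
"""
from urllib.parse import parse_qsl, urlsplit

# Interactive shells a Tomcat/Java process has no business spawning (assumption).
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed Web datamodel events (not real traffic). Bodies are placeholders,
# not working payloads: the detection only needs the parameter prefix.
WEB_EVENTS = [
    {"src": "10.0.0.5", "method": "GET", "url": "/app/index.jsp", "body": "", "headers": {}},
    {"src": "10.0.0.9", "method": "POST", "url": "/app/login", "body": "user=a&pass=b", "headers": {}},
    {"src": "198.51.100.7", "method": "POST", "url": "/app/greet",
     "body": "class.module.classLoader.placeholder=x", "headers": {}},
    {"src": "198.51.100.7", "method": "POST", "url": "/functionRouter", "body": "x",
     "headers": {"spring.cloud.function.routing-expression": "SpEL-placeholder"}},
    # Percent-encoded first byte ("%63" == "c"): a WAF that matches the raw
    # string misses this, so the detection decodes parameters first.
    {"src": "198.51.100.7", "method": "GET",
     "url": "/app/greet?%63lass.module.classLoader.placeholder=x", "body": "", "headers": {}},
]

# Constructed Endpoint datamodel events (process starts and file writes).
ENDPOINT_EVENTS = [
    {"host": "web01", "action": "process_start", "parent_process_name": "java",
     "process_name": "sh", "file_path": ""},
    {"host": "web01", "action": "file_write", "parent_process_name": "systemd",
     "process_name": "java", "file_path": "/opt/tomcat/webapps/ROOT/constructed.jsp"},
    {"host": "web02", "action": "process_start", "parent_process_name": "systemd",
     "process_name": "bash", "file_path": ""},
]


def classify_web_event(event):
    """Return the names of the web-side detections this request matches."""
    hits = []
    parts = urlsplit(event["url"])
    path = parts.path.lower()
    # Decode query string and form body the way the application would, so
    # percent-encoded variants of the parameter name are normalised before matching.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(event.get("body", ""), keep_blank_values=True)
    keys = [name.lower() for name, _ in params]
    if any(k.startswith("class.module.classloader") for k in keys):
        hits.append("Web Spring4Shell HTTP Request Class Module")
    if path.endswith("/functionrouter"):
        hits.append("Web Spring Cloud Function FunctionRouter")
    if path.endswith(".jsp"):
        # Noisy on apps that legitimately serve JSPs; in production this needs an
        # allowlist of known application JSP paths.
        hits.append("Web JSP Request via URL")
    return hits


def classify_endpoint_event(event):
    """Return the names of the endpoint-side detections this event matches."""
    hits = []
    if (event["action"] == "process_start"
            and event["parent_process_name"] == "java"
            and event["process_name"] in SHELLS):
        hits.append("Linux Java Spawning Shell")
    if (event["action"] == "file_write"
            and event["process_name"] == "java"
            and event["file_path"].lower().endswith(".jsp")):
        hits.append("Java Writing JSP File")
    return hits


def run_story(web_events=WEB_EVENTS, endpoint_events=ENDPOINT_EVENTS):
    """Apply every detection and return (entity, detection name) findings."""
    findings = []
    for ev in web_events:
        findings += [(ev["src"], name) for name in classify_web_event(ev)]
    for ev in endpoint_events:
        findings += [(ev["host"], name) for name in classify_endpoint_event(ev)]
    return findings


if __name__ == "__main__":
    for entity, name in run_story():
        print(f"{entity:14} {name}")
```

Running the block lists one finding per matched detection; the same client (`198.51.100.7`) triggers both web detections and the encoded variant, while `web01` accounts for both endpoint detections. Grouping findings by entity in this way is what turns the individual TTP detections in the table into a risk-based story for a single host or source.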

Reference

source | version: 1