Date: 31 March 2022
This Alert is intended for IT professionals and managers of notified organizations.
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
On 30 March 2022, security researchers disclosed proof-of-concept exploitation code online for a vulnerability in the Java Spring Framework on Java Development Kit (JDK) versions 9 and up. The existence of the vulnerability and the potential for exploitation have since been independently confirmed [Footnote 1, Footnote 2, Footnote 3].
Spring subsequently published a blog article addressing the vulnerability, and has released patches, workarounds and methods to identify the vulnerability [Footnote 4].
On 29 March, Spring published updates [Footnote 5] to address vulnerabilities in Spring Cloud Function; it should be noted that these vulnerabilities are distinct from those in the Spring Core Framework.
On 31 March 2022, developers of the Spring Core framework reported a critical remote code execution (RCE) vulnerability that “impacts Spring MVC and Spring WebFlux applications running on the Java Development Kit (JDK) 9+” [Footnote 4]. This vulnerability is known in the open-source security community as Spring4Shell or SpringShell. Spring states that “the specific exploit requires the application to be packaged as a Web application ARchive (WAR) and deployed to Apache Tomcat” [Footnote 1]. However, as it is possible that new methods for exploiting this vulnerability will emerge, patching affected applications is highly recommended.
At the time of reporting, applications are only vulnerable under certain conditions, and not all deployments will be affected by this vulnerability [Footnote 4].
Security researchers state that in order to be vulnerable, a Spring application must “make use of Spring Beans, use Spring Parameter Binding, and a Spring Parameter Binding must be configured to use a non-basic parameter type, such as POJOs (Plain Old Java Objects)” [Footnote 1]. It is strongly recommended to continue monitoring the Spring blog on this topic for updates, as the situation is evolving [Footnote 4].
In open-source discussion of this topic, the vulnerability described in this Alert was often confused with a recently patched vulnerability in Spring Cloud (CVE-2022-22963) [Footnote 5]. It should be noted that these two vulnerabilities are not related, but both should be patched or mitigated in a timely manner.
For organizations that have deployed these products, the Cyber Centre recommends the following mitigations to protect applications and systems affected by these vulnerabilities:
- Continue to monitor the Spring blog posts on this issue, as the situation is still developing [Footnote 4, Footnote 5]
- Patch affected applications with Spring Framework 5.3.18 or 5.2.20 and Spring Cloud 3.17, 3.2.3, which address SpringShell and CVE-2022-22963, respectively
- If patching is not immediately possible, follow all suggested vendor workarounds [Footnote 4, Footnote 5]
- Use a Web Application Firewall (WAF) wherever possible
- Consider implementing workarounds and YARA rules shared by security researchers [Footnote 1, Footnote 2, Footnote 3, Footnote 6] if patching is not possible
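For the vendor workaround referenced above, the following is an added illustration (not code from this Alert or from the Cyber Centre) of the global WebDataBinder field filter that Spring published in its blog post [Footnote 4] for applications that cannot be patched immediately. The class and method names are placeholders; the field patterns are the ones Spring specified, and upgrading to the patched Spring Framework release remains the recommended fix.

```java
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Placeholder class name. A @ControllerAdvice @InitBinder method is applied by
// Spring MVC to every controller's WebDataBinder before request parameters are
// bound onto a POJO, which is the binding step the vulnerability conditions describe.
@ControllerAdvice
@Order(10000)
public class SpringShellBinderAdvice {

    // Field patterns from Spring's published workaround: any property path that
    // starts with, or passes through, "class" / "Class" is refused at binding
    // time, so a request parameter cannot be bound onto a POJO's Class object.
    static final String[] DENY_PATTERNS = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void denyClassProperties(WebDataBinder binder) {
        // setDisallowedFields replaces any previously set list, so all patterns
        // are passed together in one call.
        binder.setDisallowedFields(DENY_PATTERNS);
    }
}
```

A controller that declares its own @InitBinder method and calls setDisallowedFields overrides this global setting, so the same patterns must be repeated there; binding only an explicit allowlist of fields with setAllowedFields is the more robust practice where the controllers permit it.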