NFIR Threat Intelligence Report – Indications that the Spring4Shell vulnerability (CVE-2022-22965) may be actively exploited

Description

Spring Core Framework is a collection of Java software libraries that can be used in programs written in Java. Spring Core is embedded in a great deal of Java software. This vulnerability allows an attacker, without authentication, to execute unauthorized code under certain circumstances and gain access to the program or application and its associated information. Several technical prerequisites for exploiting this vulnerability are currently known; they are listed below. This list may not yet be complete.

As far as is currently known, an application is vulnerable if it meets all of the following conditions:

  • Uses Spring Core Framework (up to and including version 5.3.17);
  • Uses the spring-webmvc or spring-webflux dependencies (unconfirmed);
  • Uses form binding of “name=value” request data;
  • Does not use an allow list or deny list that excludes specific fields from binding
    (i.e. “class”, “module” and “classLoader”);
  • Runs on Java (JDK) version 9 or higher.

In short, applications that can be reached remotely, process user input and use Spring Core Framework (a version lower than 5.3.17) to handle that input are potentially vulnerable.

If an attacker successfully exploits the vulnerability, this can lead to the execution of unauthorized code on the affected systems, which could result in compromise of the server on which the application runs. The attack can be carried out from the Internet without authentication. From a compromised server, an attacker could potentially gain access to the rest of the network. For this reason, the vulnerability has been given a CVSS score classified as critical (9.8).

At the time of writing, there are multiple indications of active attempts to exploit the Spring4Shell vulnerability, including attempts originating from IP addresses known to be malicious.

Because the vulnerable functionality resides in a popular Java software library, the current scope and impact are not transparent. It is very likely that many widely used applications are vulnerable, and for a number of applications it is not yet known whether they fall into the vulnerable category. As a result, detecting any form of abuse is a complex matter.

However, a scanner has been published that may be able to detect the presence of the Spring Framework on (local) systems. This scanner is published via the code platform GitHub:
https://github.com/hillu/local-spring-vuln-scanner

For developers of applications that use Spring Framework, the following advice applies:
A new version of Spring Framework is available for download at the URL. It is recommended to update to at least Spring Framework version 5.3.18 (with Spring Boot 2.6.6 or 2.5.12) or Spring Framework 5.2.20.
NFIR recommends upgrading as soon as possible and then rolling the upgrade out to the affected systems and applications.

Where upgrading is not (yet) possible, the following two mitigations can be applied:

  1. For organizations that use Spring Framework directly and have bindings within their applications that use non-standard data types, it is important to specify explicitly which fields the application is allowed to bind. More information
     is available in the Spring documentation: DataBinder (Spring Framework 5.3.18 API)

  2. A second available mitigation (where Tomcat is used as the underlying web server) is to update Tomcat to version 10.0.20, 9.0.62 or 8.5.78 (or higher, for the respective Tomcat branch),
     after which the attack route via Tomcat no longer works. More information is available on the Spring website: Spring Framework RCE, Mitigation Alternative
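The following is an added example of how mitigation 1 can be applied in a Spring MVC controller; it is not code from the NFIR report or from the Spring project. The controller, the Customer form class and the field names are assumptions for illustration; the four deny-list patterns are the workaround Spring published for this vulnerability.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

// Preferred form of mitigation 1: an allow list per controller. Only the named
// form fields are bound; a request parameter whose name traverses the
// class/module/classLoader properties named in the report is ignored, so those
// properties are never reached through data binding.
@Controller
class CustomerController {
    // The binder name matches the @ModelAttribute name used below.
    @InitBinder("customer")
    void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("firstName", "lastName", "email");
    }

    @PostMapping("/customers")
    String create(@ModelAttribute("customer") Customer customer) {
        // ... persist the bound customer (illustrative) ...
        return "redirect:/customers";
    }
}

// Fallback for applications with many controllers: a global deny list applied
// to every WebDataBinder. These four patterns are the workaround Spring
// published; they block nested property paths that start with or pass
// through "class". Caveat: a controller-local setDisallowedFields(...) call
// replaces this list rather than extending it, so such controllers must
// repeat these patterns themselves.
@ControllerAdvice
class BindingHardeningAdvice {
    @InitBinder
    void denyClassLoaderPaths(WebDataBinder binder) {
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
    }
}

// Form object constructed for this example; DataBinder binds via the setters.
class Customer {
    private String firstName, lastName, email;
    public String getFirstName() { return firstName; }
    public void setFirstName(String v) { firstName = v; }
    public String getLastName() { return lastName; }
    public void setLastName(String v) { lastName = v; }
    public String getEmail() { return email; }
    public void setEmail(String v) { email = v; }
}
```

The allow list is the stronger control because it needs no knowledge of which property paths are dangerous; the deny list is a stopgap for code bases where enumerating allowed fields per controller is not immediately feasible.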

It is important for your organization to take at least the following steps:

  1. Map out which vendors you have for on-premises software packages, Software-as-a-Service (SaaS) or other applications;
  2. Consult your vendors' websites and determine whether some form of 'dependency list' is available in which you can verify whether 'Spring Framework' is used within
     the application;
  3. Contact your vendors to verify whether 'Spring Framework' is used within their applications and, if so, which version;
  4. Prepare your organization for the situation in which patches must be applied unexpectedly (possibly outside the regular update windows), and apply patches in a controlled manner according to your organization's usual procedure.

Do you have systems where the risk is high, for example systems that process sensitive or special categories of personal data? If so, and if there are indications that Java is being used with Spring Framework and no update is yet available, consider temporarily taking the system offline.

If you suspect that your organization has been the victim of an attack, it is strongly recommended that you have an investigation carried out into the cause of the attack, the extent to which attackers may have compromised other systems, and what information may have been accessed without authorization.

  1. If possible, disconnect affected systems from the network, but leave them powered on (to preserve possible traces such as volatile memory - RAM);
  2. Have the affected systems forensically examined and ensure adequate backups;
  3. Reset passwords and other user credentials;
  4. Report the incident to the police;
  5. Consider filing a report with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Does your organization currently have an incident? Our Computer Emergency Response Team (CERT) is available to organizations 24/7 to support IT security incidents.

Call 088 133 0700 and we will do our utmost to help you as quickly as possible. More information about our Incident Response service is available on our website.


Disclaimer: NFIR has made every effort to make this information accurate and reliable. However, the information provided is without any guarantee of any kind and its use is entirely at the risk of the user. NFIR assumes no responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided.

SECURITY INCIDENT AT YOUR ORGANIZATION?

The next 30 minutes are crucial!

The first 30 minutes after a cyber security incident are crucial because a quick and adequate response can limit the damage.
In addition, further spread of the attack can be prevented and essential evidence can be secured for further investigation.

Our Computer Emergency Response Team (CERT) is available 24/7 to support businesses and organizations during IT security incidents.

Does your company need professional help with a security incident?