After debate among security researchers about its seriousness, the Spring4Shell remote code execution vulnerability in the Spring framework for Java is now rated as critical, with a 9.8 out of 10 score, and patches have been released.
Security researchers at the SANS Internet Storm Centre say they have detected attempts to launch webshells on their Apache Tomcat honeypot systems this week, indicating that attackers are scanning for vulnerable applications to exploit.
A published exploit tries to write a file into a vulnerable application's root directory containing code that creates a simple webshell accessible from a browser.
When executed, the exploit will append any access logs and send them to the attacker.
It is not yet clear to the SANS researchers whether the hacking attempts would be successful.
"Please note that we are not sure if these attempts actually work. They are detected by honeypots that are not actually vulnerable to these exploits," Johannes Ullrich, SANS dean of research, wrote.
SANS ISC expects the exploits for the Spring4Shell vulnerability to evolve and spread quickly, targeting some popular applications.
The Spring project has issued an advisory for the bug, and released patches for it.
According to the Spring project, several conditions must hold for the bug to be exploitable.
Java Development Kit version 9 or higher is required, with Apache Tomcat running as the servlet container.
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and older are also required to trigger the vulnerability.
The vulnerable code also has to be packaged as a WAR (web application archive) with the spring-webmvc and spring-webflux dependencies.
Applications deployed as Java archives (JARs) are not vulnerable, but the Spring project warns that the nature of the flaw is more general and there could be other ways to exploit it.
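One way to turn the preconditions above into a fleet-wide triage check, as an added example that is neither the Spring project's code nor part of the original article. The Deployment record and the sample inventory are constructed for illustration, and the dependency condition is satisfied by either spring-webmvc or spring-webflux, as the Spring advisory states; anything below the 5.2 line is treated as an unsupported, affected release.

```python
from dataclasses import dataclass

# First patched release per supported line, as named in the Spring advisory.
FIXED_RELEASES = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

def spring_version_affected(version: str) -> bool:
    """True for 5.3.0-5.3.17, 5.2.0-5.2.19 and any older, unsupported line."""
    v = tuple(int(part) for part in version.split("."))
    if v[:2] in FIXED_RELEASES:
        return v < FIXED_RELEASES[v[:2]]
    return v < (5, 2)  # older lines are out of support and listed as affected

@dataclass
class Deployment:             # constructed inventory record, not a Spring type
    name: str
    spring_version: str
    jdk_major: int            # e.g. 8, 11, 17
    packaging: str            # "war" or "jar"
    container: str            # servlet container, e.g. "tomcat"
    has_spring_web_dep: bool  # spring-webmvc or spring-webflux on the classpath

def unmet_conditions(d: Deployment) -> list:
    """Advisory preconditions this deployment does NOT meet (empty = exposed)."""
    unmet = []
    if not spring_version_affected(d.spring_version):
        unmet.append("spring version is patched")
    if d.jdk_major < 9:
        unmet.append("JDK older than 9")
    if d.packaging.lower() != "war":
        unmet.append("not packaged as WAR")
    if d.container.lower() != "tomcat":
        unmet.append("not running on Apache Tomcat")
    if not d.has_spring_web_dep:
        unmet.append("no spring-webmvc/spring-webflux dependency")
    return unmet

def exposed_apps(inventory: list) -> list:
    """Names of deployments meeting every precondition; patch these first."""
    return [d.name for d in inventory if not unmet_conditions(d)]

# Constructed sample inventory (not real systems).
INVENTORY = [
    Deployment("orders", "5.3.17", 11, "war", "tomcat", True),
    Deployment("billing", "5.3.18", 11, "war", "tomcat", True),
    Deployment("reports", "5.2.19", 8, "war", "tomcat", True),
    Deployment("api", "5.3.10", 17, "jar", "embedded-tomcat", True),
]

EXPOSED = exposed_apps(INVENTORY)  # -> ["orders"]
```

Because the advisory warns the flaw is more general than these conditions, a non-empty list is a reason to deprioritise, not to skip, the upgrade to the fixed releases.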
The United States Computer Emergency Response Team at Carnegie Mellon University is also warning users that Spring4Shell could allow remote code execution.
"The original researcher also made this a touch more confusing/misleading than it needed to be as well. To one not familiar with Java, the long list of requirements makes it seem like one may need to intentionally make an app vulnerable. This is not the case." — Will Dormann (@wdormann), March 31, 2022
Users are advised to upgrade to Spring Framework 5.3.18 or 5.2.20, and Spring Boot 2.6.6 or 2.5.12, which include the fixes.