{"id":222,"date":"2022-04-06T22:47:00","date_gmt":"2022-04-06T22:47:00","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=222"},"modified":"2024-01-08T20:55:34","modified_gmt":"2024-01-08T20:55:34","slug":"detecting-and-validating-spring4shell-vulnerability-cve-2022-22965","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/","title":{"rendered":"Detecting and Validating Spring4Shell Vulnerability: CVE-2022-22965"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">What is the SpringShell?<\/h2>\n\n\n\n<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework, to its Known Exploited Vulnerabilities Catalog based on &#8220;evidence of active exploitation.&#8221;<\/p>\n\n\n\n<p>The critical severity flaw was assigned the identifier CVE-2022-22965 (CVSS score: 9.8) and dubbed &#8220;SpringShell&#8221;.<\/p>\n\n\n\n<p>The Spring framework provides a comprehensive set of extensions and third-party libraries that let developers build applications.&nbsp; The Spring Framework is described as the &#8220;most widely used lightweight open-source framework for Java.&#8221;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How is the vulnerability exposed?<\/h2>\n\n\n\n<p>The Spring4Shell or SpringShell vulnerability affects Spring MVC, and Spring WebFlux applications running Java Development Kit (JDK) version 9 and higher, and Apache Tomcat version 9 and higher may be vulnerable to remote code execution (RCE) through data-binding. The application can run Tomcat as a WAR deployment. Applications deployed as a Spring Boot executable jar are not vulnerable.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Impact<\/h2>\n\n\n\n<p>Proof of Concepts exists suggesting that the vulnerability is exploitable and high risk.<\/p>\n\n\n\n<p>Impacted systems have the following traits:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Running JDK 9.0 or later.<\/li>\n\n\n\n<li>Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions<\/li>\n\n\n\n<li>Apache Tomcat as the Servlet container<\/li>\n\n\n\n<li>Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance;&nbsp;<\/li>\n\n\n\n<li>Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted.<\/li>\n\n\n\n<li>Tomcat has spring-web MVC or spring-webflux dependencies.<\/li>\n\n\n\n<li>Any system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable.<\/li>\n<\/ul>\n\n\n\n<p>Also please note that there is a specific configuration (not default)&nbsp; needed for this vulnerability to be exploited.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Detection and Validation<\/h2>\n\n\n\n<p>It is possible to detect exposed Spring Boot servers instances using a favicon hash.<\/p>\n\n\n\n<p>An easy and safe method exists for the identified Spring Boot instances to validate if the instance is exploitable using a simple HTTP request.<\/p>\n\n\n\n<p>More information is available&nbsp;<a href=\"https:\/\/www.tarlogic.com\/blog\/spring4shell-vulnerability-cve-2022-22965-and-cve-2022-22963\/\" target=\"_blank\" rel=\"noreferrer noopener\">here.<\/a><\/p>\n\n\n\n<p>Another detection option is the Nueculi Community Vulnerability Scanner which has a template for detecting the vulnerability, and the template can be found&nbsp;<a href=\"https:\/\/github.com\/projectdiscovery\/nuclei-templates\/tree\/master\/vulnerabilities\/springboot\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.&nbsp;<\/p>\n\n\n\n<p>CyCognito platform automates the discovery of Spring Boot servers and validates if they are exploitable.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What can CyCognito customers do?<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>To receive a list of assets in your environment that may be affected, contact CyCognito\u2019s\u00a0<a href=\"\/contact\/\">Customer Success Team<\/a><\/li>\n\n\n\n<li>Head to the Advisories dashboard and load the SpringShell advisory.<\/li>\n<\/ul>\n\n\n\n<p><strong>Stay tuned!&nbsp;<\/strong>CyCognito will continue updating you as more news about this vulnerability unfolds.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework, to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation.<\/p>\n","protected":false},"author":14,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[8,90,89,81],"class_list":["post-222","post","type-post","status-publish","format-standard","hentry","category-research","tag-cisa","tag-java-development-kit-jdk","tag-spring-boot","tag-spring4shell"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Detecting and Validating Spring4Shell Vulnerability: CVE-2022-22965 | CyCognito Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Detecting and Validating Spring4Shell Vulnerability: CVE-2022-22965 | CyCognito Blog\" \/>\n<meta property=\"og:description\" content=\"The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework, to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/\" \/>\n<meta property=\"og:site_name\" content=\"CyCognito Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-04-06T22:47:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-01-08T20:55:34+00:00\" \/>\n<meta name=\"author\" content=\"Alex Zaslavsky\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Alex Zaslavsky\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/\"},\"author\":{\"name\":\"Alex Zaslavsky\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/a66518132b1efe6e5d21fd429128a953\"},\"headline\":\"Detecting and Validating Spring4Shell Vulnerability: CVE-2022-22965\",\"datePublished\":\"2022-04-06T22:47:00+00:00\",\"dateModified\":\"2024-01-08T20:55:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/\"},\"wordCount\":408,\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"keywords\":[\"CISA\",\"Java Development Kit (JDK)\",\"Spring Boot\",\"Spring4Shell\"],\"articleSection\":[\"Research\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/\",\"name\":\"Detecting and Validating Spring4Shell Vulnerability: CVE-2022-22965 | CyCognito Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\"},\"datePublished\":\"2022-04-06T22:47:00+00:00\",\"dateModified\":\"2024-01-08T20:55:34+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.cycognito.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Detecting and Validating Spring4Shell Vulnerability: CVE-2022-22965\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"name\":\"Cycognito Blog\",\"description\":\"Research, Product News and Latest Updates\",\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\",\"name\":\"Cycognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"width\":1720,\"height\":550,\"caption\":\"Cycognito\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/a66518132b1efe6e5d21fd429128a953\",\"name\":\"Alex Zaslavsky\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d14b8d99179745962f3db9e46d2ce6c4?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d14b8d99179745962f3db9e46d2ce6c4?s=96&d=mm&r=g\",\"caption\":\"Alex Zaslavsky\"},\"description\":\"Was Sr. Product Manager at CyCognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/author\/alex-zaslavsky\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Detecting and Validating Spring4Shell Vulnerability: CVE-2022-22965 | CyCognito Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/","og_locale":"en_US","og_type":"article","og_title":"Detecting and Validating Spring4Shell Vulnerability: CVE-2022-22965 | CyCognito Blog","og_description":"The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework, to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation.","og_url":"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/","og_site_name":"CyCognito Blog","article_published_time":"2022-04-06T22:47:00+00:00","article_modified_time":"2024-01-08T20:55:34+00:00","author":"Alex Zaslavsky","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Alex Zaslavsky","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/#article","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/"},"author":{"name":"Alex Zaslavsky","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/a66518132b1efe6e5d21fd429128a953"},"headline":"Detecting and Validating Spring4Shell Vulnerability: CVE-2022-22965","datePublished":"2022-04-06T22:47:00+00:00","dateModified":"2024-01-08T20:55:34+00:00","mainEntityOfPage":{"@id":"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/"},"wordCount":408,"publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"keywords":["CISA","Java Development Kit (JDK)","Spring Boot","Spring4Shell"],"articleSection":["Research"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/","url":"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/","name":"Detecting and Validating Spring4Shell Vulnerability: CVE-2022-22965 | CyCognito Blog","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/#website"},"datePublished":"2022-04-06T22:47:00+00:00","dateModified":"2024-01-08T20:55:34+00:00","breadcrumb":{"@id":"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.cycognito.com\/blog\/detecting-and-validating-spring4shell-vulnerability-cve-2022-22965\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.cycognito.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Detecting and Validating Spring4Shell Vulnerability: CVE-2022-22965"}]},{"@type":"WebSite","@id":"https:\/\/www.cycognito.com\/blog\/#website","url":"https:\/\/www.cycognito.com\/blog\/","name":"Cycognito Blog","description":"Research, Product News and Latest Updates","publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.cycognito.com\/blog\/#organization","name":"Cycognito","url":"https:\/\/www.cycognito.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","contentUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","width":1720,"height":550,"caption":"Cycognito"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/a66518132b1efe6e5d21fd429128a953","name":"Alex Zaslavsky","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d14b8d99179745962f3db9e46d2ce6c4?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d14b8d99179745962f3db9e46d2ce6c4?s=96&d=mm&r=g","caption":"Alex Zaslavsky"},"description":"Was Sr. Product Manager at CyCognito","url":"https:\/\/www.cycognito.com\/blog\/author\/alex-zaslavsky\/"}]}},"_links":{"self":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/222","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/comments?post=222"}],"version-history":[{"count":2,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/222\/revisions"}],"predecessor-version":[{"id":505,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/222\/revisions\/505"}],"wp:attachment":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/media?parent=222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/categories?post=222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/tags?post=222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}