Cyber Vulnerabilities Everywhere: Spring4Shell

Written by Seren Corbett - one of the members of the #TeamAwen tech team.

Just a few months after the Log4j Java library was found to contain a vulnerability (called Log4Shell) that not only affected many software products but also reportedly affected several critical OT devices, a new vulnerability has been discovered in Spring, Java's most popular framework. On Thursday 31st March 2022, VMware disclosed a new vulnerability [CVE-2022-22965] named Spring4Shell. It is a Remote Code Execution (RCE) vulnerability, meaning that in the right environment an attacker can write malicious code to the remote server's file system and execute it there. This could have serious consequences in an Operational Technology (OT) environment, such as those found in the electricity or manufacturing sectors. To mitigate this vulnerability, software vendors should update the Spring framework to the latest version. Several OT vendors, including Cisco and VMware, are investigating whether this vulnerability affects their devices.

What is Spring? 

Spring is an open-source Java framework, or ecosystem, for developing Java applications, be they web applications, batch processing or distributed systems, among other things. As previously mentioned, it is the most widely used Java framework and is used by the likes of the popular streaming service Netflix. Companies such as Amazon, Google and Microsoft are credited with contributing to the open-source code. (https://spring.io/)

The idea behind Spring is to make various software development processes easier, quicker and more convenient, through frameworks such as Spring MVC and Spring WebFlux. Web applications built on these frameworks and running on JDK 9 or later are vulnerable to the Spring4Shell exploit if they are deployed on Apache Tomcat as a Java Web Archive (WAR) file.
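The paragraph above gives three preconditions for an application to be exposed (Spring MVC or WebFlux, JDK 9 or later, and a WAR deployed on Tomcat). The script below is an added example, not code from the original article or from the Spring project, that inventories those preconditions for a defender: it lists each WAR under a Tomcat `webapps` directory, reads which Spring web module is bundled in `WEB-INF/lib` and at what version, and parses the JDK major version from the first line printed by `java -version`. It assumes Tomcat's standard `webapps/*.war` layout and that the Spring jars carry their version in the file name; the two WARs it scans are constructed in a temporary directory, and the `5.9.99` version inside them is a placeholder rather than a real Spring release. It deliberately hard-codes no fixed release numbers: compare the versions it reports with the vendor advisory.

```python
"""Deployment inventory for the Spring4Shell preconditions (added example,
not from the original article or the Spring project)."""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

# Matches e.g. WEB-INF/lib/spring-webmvc-<version>.jar; captures module and version.
SPRING_WEB_JAR = re.compile(
    r"^WEB-INF/lib/(spring-web(?:mvc|flux))-(\d+(?:\.\d+)*)[^/]*\.jar$"
)


def jdk_major(version_output: str) -> Optional[int]:
    """Return the JDK major version from `java -version` output (printed to stderr).

    Handles the legacy "1.8.0_292" numbering (major 8) as well as "11.0.14"
    (major 11); returns None if no version string is present.
    """
    match = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not match:
        return None
    first, second = int(match.group(1)), match.group(2)
    if first == 1 and second is not None:  # pre-JDK 9 style: 1.<major>.x
        return int(second)
    return first


def spring_web_modules(war_path: Path) -> Dict[str, str]:
    """Map each bundled Spring web module name to the version in its jar file name."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(war_path) as war:
        for entry in war.namelist():
            match = SPRING_WEB_JAR.match(entry)
            if match:
                found[match.group(1)] = match.group(2)
    return found


def scan_webapps(webapps: Path, java_version_output: str) -> List[dict]:
    """Return one record per WAR, flagging whether all three preconditions are met."""
    major = jdk_major(java_version_output)
    records = []
    for war in sorted(webapps.glob("*.war")):
        modules = spring_web_modules(war)
        records.append({
            "war": war.name,
            "spring_web_modules": modules,
            "jdk_major": major,
            # "WAR on Tomcat" is implied by the file sitting in webapps/; the other
            # two preconditions are a bundled MVC/WebFlux module and JDK 9 or later.
            "preconditions_met": bool(modules) and major is not None and major >= 9,
        })
    return records


def build_sample_webapps(root: Path) -> Path:
    """Create two constructed WARs (not real applications) so the scan runs offline."""
    webapps = root / "webapps"
    webapps.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(webapps / "orders.war", "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        # Constructed jar entry; "5.9.99" is a placeholder, not a real Spring release.
        war.writestr("WEB-INF/lib/spring-webmvc-5.9.99.jar", "")
    with zipfile.ZipFile(webapps / "static.war", "w") as war:
        war.writestr("index.html", "<html></html>")  # no Spring at all
    return webapps


def run_demo(java_version_output: str = 'openjdk version "11.0.14" 2022-01-18') -> List[dict]:
    """Scan the constructed sample; the default argument is a constructed `java -version` line."""
    webapps = build_sample_webapps(Path(tempfile.mkdtemp()))
    return scan_webapps(webapps, java_version_output)


if __name__ == "__main__":
    for record in run_demo():
        print(record)
```

On a real host, point `scan_webapps` at Tomcat's `webapps` directory and pass it the output of `java -version 2>&1` from the JDK that Tomcat actually runs under; a WAR that is flagged still needs its reported Spring version compared with the fixed release named in the vendor advisory before it is treated as exposed.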

How severe is Spring4Shell? 

Spring4Shell has a CVSSv3 score of 9.8/10, meaning it is regarded as a CRITICAL vulnerability. The CVSSv3 vector for the vulnerability breaks down as follows:

As the metrics below demonstrate, with every one at its most severe value, Spring4Shell is potentially one of the most devastating types of vulnerability.
 
Attack Vector: Network. As long as the attacker can reach a web server running the Spring framework, the server can be compromised over a remote connection. Vulnerabilities with Network as the Attack Vector are the most threatening because the attacker does not need to be on the same network to trigger an attack. They differ from an Adjacent attack vector, where the attacker would need access to the same shared physical or logical network, which makes such attacks harder to execute.

Attack Complexity: Low. This is largely self-explanatory: because the only access needed is a remote connection, without the complication of credentials and the like, the attack is straightforward.

Privileges Required: None. The attacker can carry out the attack without authorisation. 

User Interaction: None. This vulnerability does not require access to a user account and therefore does not require user interaction. An example of an attack that did require user interaction is the contamination of the Florida water supply in February 2021. In that attack, the hacker had to gain (remote) access to an employee's computer in order to take control of the critical infrastructure system.
 
Scope: Unchanged. This means that the attacker is restricted to manipulating resources within a single security authority.

Confidentiality: High. Exploiting the Spring4Shell vulnerability gives the attacker access to the web server on which the Spring framework runs, and to its file system, so confidentiality is completely compromised.

Integrity: High. The integrity score for this vulnerability is High because the attacker can gain access to the file system, modify files and manipulate the file system to inject malicious executables.

Availability: High. A High availability score means that the attacker can take control of the resources on the affected device or network and deny access to those who would ordinarily be authorised to use them. An example of such an attack is the WannaCry ransomware incident, in which many critical systems, including the NHS network, were affected. Files were encrypted and the attackers demanded large sums of money to restore them, thereby denying access. WannaCry emerged in 2017 and was one of the largest cyber-attacks the world has ever seen, affecting hundreds of thousands of devices (most of which resided on critical infrastructure networks) across 150 countries.

In short: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.  

Should industrial sectors be concerned about Spring4Shell? 

Spring4Shell will need to be mitigated by the software developers who use the Spring software library. Some of those developers may be building software for cyber-physical systems, such as the Operational Technology (OT) and Industrial Control Systems (ICS) found within the industrial sectors.

The truth is that many OT/ICS vendors are still investigating whether this is an additional vulnerability within their own systems. Our product Dot maintains a database of vulnerabilities that includes Spring4Shell and the devices associated with it, and we keep that database up to date with all known vulnerabilities. This means that Dot will enable you to see what needs to happen to which devices in order to remove the vulnerability and/or reduce the risk. If this is of interest, or if you would like a no-obligation, no-hard-sell informal chat, then please do contact us today and we will be happy to help you.