QID 150495
Date Published: 2022-04-05
QID 150495: Spring Core Remote Code Execution (RCE) Vulnerability CVE-2022-22965 (Spring4Shell)
The vulnerability exists in Spring Core when the application runs on JDK 9 or later. (Applications running on JDK 8 or earlier are not affected.)
Triggering this vulnerability requires a Spring MVC or Spring WebFlux application running on JDK 9 or above.
Vulnerable Versions:
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older are vulnerable.
Spring Boot versions prior to 2.6.6 and 2.5.12 are vulnerable; those two releases are the ones that depend on the patched Spring Framework 5.3.18.
QID Detection Logic: (Unauthenticated)
The QID sends an HTTP request with a specially crafted payload; a vulnerable server responds by making a DNS query, which triggers the Qualys Periscope detection mechanism.
Caution: While the detection reliably discovers the Spring4Shell vulnerability, in some cases it may have a side effect on the application's logging capabilities.
Successful exploitation of the vulnerability may result in arbitrary remote code execution.
On network protection devices such as a WAF, implement rule filtering for strings such as "class.*", "Class.*", "*.class.*", and "*.Class.*", tailored to the actual traffic of the deployed services. After deploying the filtering rules, test normal application operation to avoid unintended impact.
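As an added example (not Qualys's detection logic and not Spring project code), the following Python checks a Spring Framework version string against the vulnerable ranges listed above and flags request parameter names that match the filter strings recommended for WAF rules. Parameter names are matched after URL decoding, which is the case a rule applied to raw request bytes can miss; the sample query strings are constructed.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl

# Filter strings from the advisory: "class.*", "Class.*", "*.class.*", "*.Class.*".
# Applied to a decoded parameter name this means: "class" either at the start of
# the name or directly after a dot, and followed by a dot. "classic" or
# "subclass.x" therefore do not match, matching the WAF patterns' intent.
CLASS_PARAM_RE = re.compile(r"(^|\.)class\.", re.IGNORECASE)


def spring_framework_is_vulnerable(version: str) -> bool:
    """Vulnerable ranges from the advisory: 5.3.0-5.3.17, 5.2.0-5.2.19 and older.

    Accepts "5.3.17" as well as "5.2.19.RELEASE"; anything after the patch
    number is ignored.
    """
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if (major, minor) == (5, 3):
        return patch <= 17
    if (major, minor) == (5, 2):
        return patch <= 19
    return (major, minor) < (5, 2)


def suspicious_params(query_or_body: str) -> List[str]:
    """Return decoded parameter names that match the advisory's filter strings.

    parse_qsl percent-decodes names before we match, so "class%2Emodule" is
    caught even though the raw bytes never contain the literal "class.".
    """
    names = [name for name, _ in parse_qsl(query_or_body, keep_blank_values=True)]
    return [name for name in names if CLASS_PARAM_RE.search(name)]


# Constructed sample query/body strings (not captured traffic).
SAMPLES: Dict[str, str] = {
    "benign": "username=alice&classic=3",
    "plain": "name=bob&class.module.x=1",
    "capitalised": "user.Class.y=2&name=bob",
    "encoded": "class%2Emodule%2Ez=3",
}


def scan_samples(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    """Map each sample label to the parameter names a rule should flag."""
    return {label: suspicious_params(body) for label, body in samples.items()}


if __name__ == "__main__":
    for label, flagged in scan_samples().items():
        print(f"{label:12s} -> {'BLOCK ' + ', '.join(flagged) if flagged else 'allow'}")
```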
- Spring Framework RCE -
spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
CVEs related to QID 150495
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| Spring Framework RCE | | | spring.io/blog/2022/03/31/spring-framework-rce-early-announcement |