CVE-2022-22965: exploited in the wild

Spring4Shell, RCE in Spring Framework via data binding

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar with the default packaging, it is not vulnerable to the exploit demonstrated publicly, but the underlying flaw is more general.

Overview

CVE-2022-22965, dubbed "Spring4Shell," is a critical remote code execution (RCE) vulnerability in the Spring Framework affecting applications running on JDK 9 or later. The vulnerability allows unauthenticated attackers to execute arbitrary code when an application uses data binding to map untrusted request parameters onto Java beans. The flaw gained significant attention, arriving just four months after the Log4Shell incident, and public proof-of-concept exploits emerged within hours of disclosure.

Technical Details

The vulnerability exists in Spring MVC and Spring WebFlux applications that use the common @ModelAttribute pattern for data binding. When binding untrusted request parameters to Java beans, Spring uses reflection to set bean fields by name.

On JDK 9+, the bean's class property exposes a Class object that provides access to module and classLoader properties. An attacker can chain these properties together in a traversal pattern:

class.module.classLoader.resources.context.parent.pipeline.first.pattern

This chain allows an attacker to reach Tomcat's AccessLogValve.pattern field and manipulate it to write a JSP webshell to disk. The canonical public exploit specifically targets this mechanism to deploy malicious JSP files.

The demonstrated exploit requires:

  • JDK 9 or higher
  • Spring Framework application
  • Deployment as a WAR file on Apache Tomcat
  • A controller endpoint using data binding

While Spring Boot executable JAR deployments with default packaging are not vulnerable to the public exploit, the underlying class-traversal flaw is more general and other exploitation gadgets may exist.

Impact

Successful exploitation allows unauthenticated remote code execution on vulnerable systems. This is particularly concerning for:

  • Internal customer applications (HR portals, custom CRMs, legacy tools) deployed as WAR-on-Tomcat
  • Appliance products that bundle Tomcat runtime with older Spring versions
  • Any Spring MVC/WebFlux application meeting the vulnerable configuration criteria

Mitigation

  1. Upgrade Spring Framework to version 5.3.18+ or 5.2.20+ immediately
  2. Inventory all WAR-on-Tomcat applications that use Spring's DispatcherServlet
  3. Consider downgrading to JDK 8 as a temporary workaround if patching is delayed (not recommended long-term)

Detection

  1. Search for tomcatwar.jsp files in Tomcat work and webapps directories; this is the canonical webshell name from public PoCs
  2. Look for unexpected .jsp files in work\Catalina\localhost\ROOT\ with recent modification timestamps
  3. Monitor for unusual HTTP requests containing class loader traversal patterns in parameters
  4. Review access logs for requests targeting controller endpoints with suspicious parameter names containing class.module.classLoader
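As an added illustration of detection items 3 and 4 (example code, not part of the original advisory), the following Python scans Tomcat access-log lines for query parameters whose names contain the class.module.classLoader traversal prefix, percent-decoding them first so encoded dots are not missed. The log lines, client addresses and the REDACTED parameter value are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed Tomcat access-log lines (common log format) for illustration only;
# the REDACTED value stands in for whatever an attacker would bind to the field.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2022:10:01:02 +0000] "GET /app/greet?name=alice HTTP/1.1" 200 512
10.0.0.9 - - [31/Mar/2022:10:02:15 +0000] "GET /app/greet?class.module.classLoader.resources.context.parent.pipeline.first.pattern=REDACTED HTTP/1.1" 200 512
10.0.0.9 - - [31/Mar/2022:10:02:16 +0000] "GET /app/greet?class%2Emodule%2EclassLoader%2Eresources%2Econtext%2Eparent%2Epipeline%2Efirst%2Esuffix=.jsp HTTP/1.1" 200 512
10.0.0.7 - - [31/Mar/2022:10:03:00 +0000] "POST /app/login HTTP/1.1" 302 0
"""

# Property-path prefix that reaches the ClassLoader through the bean's Class object on JDK 9+.
TRAVERSAL = re.compile(r"class\.module\.classloader", re.IGNORECASE)
# Request line inside the quotes: method, request target, protocol.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target: str) -> list[str]:
    """Return decoded query parameter names in `target` that carry the traversal prefix.
    Decoding twice also catches double-encoded names."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    hits = []
    for pair in query.split("&"):
        name = pair.split("=", 1)[0]
        decoded = unquote(unquote(name))
        if TRAVERSAL.search(decoded):
            hits.append(decoded)
    return hits


def scan_access_log(text: str) -> list[dict]:
    """Scan raw access-log text; return one finding per line with a traversal parameter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"line": lineno, "client": line.split()[0],
                             "method": m.group("method"), "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['method']} -> {f['params']}")
```

Access logs record only the query string, so parameters sent in a POST body need request-body logging or an inline inspection layer to apply the same check.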