Microsoft Offers Detection Guidance on Spring4Shell Vulnerability

Microsoft on Tuesday offered guidance on the so-called "Spring4Shell" vulnerability in the Spring Framework overseen by VMware, while also indicating that its own services were unaffected.

Spring4Shell is a "zero-day" vulnerability (CVE-2022-22965) disclosed last week that's deemed "Critical" by security researchers. It's also described as a proof-of-concept attack method that only affects non-typical Spring Framework configurations, specifically when Web Application Archive (WAR) packaging is used instead of Java Archive (JAR).

The Spring Framework is "the most widely used lightweight open-source framework for Java," according to Microsoft. So far, Microsoft researchers have tracked "a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities."

Spring Cloud refers to the Azure Spring Cloud service that was commercially released by Microsoft and VMware back in 2020.

CVE-2022-22965 Bypasses an Old Fix
The analysis in Microsoft's guidance post characterized the CVE-2022-22965 vulnerability as bypassing a fix for a vulnerability that was published almost 12 years ago, namely CVE-2010-1622. The exploit is possible because of a new Java Modules technology that was introduced in Java 9, Microsoft explained.

Vulnerable organizations should address the CVE-2022-22965 vulnerability by updating Spring Framework to "versions 5.3.18 or later or 5.2.19 or later," Microsoft indicated, pointing to this update link. Microsoft also listed some workarounds for organizations that may be unable to perform an update.

Microsoft's guidance post included a "nonmalicious command" that organizations using JDK 9.0 or later can run to detect the vulnerability. If it returns an "HTTP 400 response," then the system is considered vulnerable.
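The conditions this article reports (a fix in Spring Framework 5.3.18 / 5.2.19, an exploit path that needs JDK 9 or later, and WAR rather than JAR packaging) can be turned into a simple inventory triage. The following is an added example, not Microsoft's or VMware's code; the `Deployment` records and version strings are constructed inputs.

```python
"""Triage helper for CVE-2022-22965 (Spring4Shell).

Constructed example. It encodes three statements from the guidance:
the fix shipped in Spring Framework 5.3.18 and 5.2.19, the exploit
relies on Java 9+ module features, and the known attack method needs
WAR packaging. Anything it cannot classify is sent for manual review.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Minor line -> first patch level that contains the fix (from the advisory).
FIXED = {(5, 3): 18, (5, 2): 19}


def parse_spring_version(v: str) -> Tuple[int, int, int]:
    """Accept '5.3.17', '5.2.19.RELEASE' or '5.2.20-SNAPSHOT' style strings."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def spring_is_patched(v: str) -> Optional[bool]:
    """True/False for the 5.3 and 5.2 lines; None for lines the advice does not cover."""
    major, minor, patch = parse_spring_version(v)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return None
    return patch >= fixed_patch


def jdk_major(v: str) -> int:
    """Map '1.8.0_312' -> 8, '11.0.14' -> 11, '17' -> 17 (legacy 1.x scheme handled)."""
    parts = v.strip().split(".")
    return int(parts[1]) if parts[0] == "1" else int(parts[0])


@dataclass
class Deployment:
    name: str
    spring_version: str
    jdk_version: str
    packaging: str  # 'war' or 'jar'


def triage(d: Deployment) -> str:
    """Order matters: patch state first, then the preconditions of the known exploit."""
    patched = spring_is_patched(d.spring_version)
    if patched is True:
        return "patched"
    if patched is None:
        return "review: Spring line not covered by the 5.3.18/5.2.19 advice"
    if jdk_major(d.jdk_version) < 9:
        return "unpatched: JDK < 9, known exploit path not applicable, still upgrade"
    if d.packaging.lower() != "war":
        return "unpatched: non-WAR packaging, known method does not apply, still upgrade"
    return "EXPOSED: unpatched Spring, JDK 9+, WAR packaging"
```

Feed it one `Deployment` per application from a CMDB or build manifest export; an "EXPOSED" result is the set to patch or apply the listed workarounds to first.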

Microsoft Security Tool Detections
Microsoft described detection and hunting capabilities for CVE-2022-22965 in its various security solutions.

Organizations can use the "Weaknesses page" in Microsoft Defender for Endpoint to detect CVE-2022-22965. It'll also send alerts for a "suspicious process executed by a network service."

Microsoft Defender antivirus "version 1.361.1234.0 or later" will detect behaviors associated with attempted CVE-2022-22965 exploits, Microsoft indicated.

Microsoft touted Azure Firewall Premium as providing "enhanced protection from the SpringShell CVE-2022-22965 vulnerability and exploits."

It's also possible to hunt for CVE-2022-22965 exploit attempts using Microsoft 365 Defender. Microsoft offered a query for that purpose in its guidance, but noted that it just detects the "HTTP use of the exploitation and not HTTPS."

Microsoft also released hunting queries to check for CVE-2022-22965 exploit attempts for Microsoft Sentinel users.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
