Spring4Shell: patching is lagging, and attackers are taking advantage of it
After the flaw in the Spring Framework was disclosed, fixes were released. Companies have nevertheless been slow to update their systems, judging the vulnerability less serious than Log4Shell. Meanwhile, attackers are stepping up their efforts to exploit it.
Many companies mobilized their cybersecurity teams after the Spring4Shell zero-day was published last week. The flaw allows remote code execution and affects the Spring Framework, which is widely used to build Java applications. Patches have been released, but developers are updating the affected instances at a snail's pace.
According to Sonatype, which manages Maven Central, the largest repository of Java components and libraries, 80% of Spring downloads since March 31, when the flaw was confirmed, still concerned vulnerable versions of the framework. The slow pace of updates nevertheless needs to be put into perspective. For the known Spring4Shell exploits to work, an application must meet several conditions that are not typical of default deployments: it must run on JDK 9 or later, be deployed as a traditional WAR on Apache Tomcat, and use Spring MVC or Spring WebFlux data binding; a Spring Boot application packaged as an executable JAR with embedded Tomcat is not exposed to the known exploit. Mitigations can also be applied without upgrading the framework itself, for example by disallowing any field whose name contains "class" in the web data binder. Several vendors have announced patches for their own products or services; VMware, for example, has several affected versions of Tanzu.
Attackers on the move
Meanwhile, cybercriminals' exploitation of the flaw continues unabated and is even gaining momentum. Akamai security researchers have observed attack variants using both GET and POST requests; the GET variant is more efficient for the attacker because it exploits the vulnerability in a single request to the server, and because the whole payload sits in the query string, which ordinary access logs record. Another variant uses an obfuscation technique intended to evade the input filtering or detection rules enforced by web application firewalls (WAFs). Deutsche Telekom's CERT has reported exploitation attempts against its honeypot servers since March 31. Microsoft, for its part, has observed only limited activity against its cloud services.
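The GET variant described above can be spotted in ordinary access logs, and a detector has to undo the percent-encoding (including double encoding) that exploit kits use to slip past WAF rules. The Python script below is an added example written for this article; it is not code from Akamai, Microsoft or any other vendor named here. It looks for the property chains the public Spring4Shell exploit sends (the class.module.classLoader path into Tomcat's class loader, and the AccessLogValve fields pipeline.first.pattern, suffix, directory, prefix and fileDateFormat that it rewrites to drop a JSP web shell). All log lines are constructed; the trailing "body=" field is an assumption used only so that a POST variant can be shown, since real access logs do not record request bodies.

```python
"""Flag Spring4Shell (CVE-2022-22965) exploit attempts in HTTP access logs.

Added example, not code from the article or any vendor.  Log format is
Apache combined-style with an optional constructed `body=` suffix so that
POST variants can be demonstrated; real access logs do not contain bodies,
which is exactly why the GET variant is the easier one to spot.
"""
import re
from urllib.parse import unquote

# Property chains used by the public exploit.  The first two reach Tomcat's
# class loader through Spring's data binder (JDK 9+ form and the older form);
# the rest are fields of Tomcat's AccessLogValve that the exploit overwrites
# to write a JSP web shell into the web root.
INDICATORS = (
    "class.module.classloader",
    "class.classloader",
    "pipeline.first.pattern",
    "pipeline.first.suffix",
    "pipeline.first.directory",
    "pipeline.first.prefix",
    "pipeline.first.filedateformat",
)
WRITE_INDICATORS = tuple(i for i in INDICATORS if i.startswith("pipeline."))

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: body=(?P<body>.*))?$'
)


def normalize(text, rounds=3):
    """Percent-decode repeatedly (double encoding is a common WAF-evasion
    trick) and lowercase so case-mangled property names still match."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


def classify(line, lineno=0):
    """Return a finding dict for a suspicious access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    haystack = normalize(f["target"])
    if f["body"]:
        haystack += "&" + normalize(f["body"])
    hits = [i for i in INDICATORS if i in haystack]
    if not hits:
        return None
    # Touching the class loader alone is what the non-destructive probe does;
    # rewriting AccessLogValve fields is the actual web-shell drop.
    kind = "exploit" if any(h in WRITE_INDICATORS for h in hits) else "probe"
    return {"line": lineno, "ip": f["ip"], "method": f["method"],
            "status": int(f["status"]), "kind": kind, "indicators": hits}


def scan(lines):
    """Classify every line; return only the findings, in log order."""
    return [r for r in (classify(l, n) for n, l in enumerate(lines, 1)) if r]


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    # 1: GET variant, whole exploit in one request (code arrives in headers)
    '203.0.113.7 - - [06/Apr/2022:10:12:01 +0000] "GET /app/?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%7D&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1" 200 512',
    # 2: POST variant, indicators only visible if the body was captured
    '203.0.113.7 - - [06/Apr/2022:10:12:02 +0000] "POST /app/ HTTP/1.1" 200 512 body=class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp',
    # 3: double-percent-encoded property names (WAF evasion)
    '198.51.100.9 - - [06/Apr/2022:10:13:40 +0000] "GET /app/?class%252Emodule%252EclassLoader%252Eresources%252Econtext%252Eparent%252Epipeline%252Efirst%252Epattern=x HTTP/1.1" 400 0',
    # 4: non-destructive probe (the curl check quoted later in the article)
    '192.0.2.44 - - [06/Apr/2022:10:15:00 +0000] "GET /app/?class.module.classLoader.URLs%5B0%5D=0 HTTP/1.1" 400 0',
    # 5: benign traffic
    '192.0.2.10 - - [06/Apr/2022:10:16:00 +0000] "GET /app/?page=2&sort=name HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"line {r['line']}: {r['kind']:7} {r['method']:4} {r['ip']} "
              f"status={r['status']} {r['indicators']}")
```

Lines 1 to 4 are flagged and line 5 is not; the probe on line 4 is reported separately from the three web-shell attempts, so a 400 in the log can be told apart from a real drop attempt. A match is a heuristic, not proof of compromise: a blocked request still matches, so pair the log hits with the file-system checks described further down.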
Check Point reports that attacker activity remains significant: one in six organizations worldwide affected by the Spring4Shell zero-day has already been targeted, the company said in a blog post. Over the last weekend alone, no fewer than 37,000 Spring4Shell exploitation attempts were detected. The most affected sector is software vendors, and Europe is the most targeted region.
Detection tools exist
Several security researchers and companies have released free tools that help detect vulnerable applications, locally or remotely. JFrog's security research team has released a Python scanner that looks for possible instances of the vulnerable data-binding code in WAR and JAR files. Jan Schaumann has published a similar filesystem scanner as a Linux shell script, and Hilko Bengen one written in Go.
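To show what such a file scanner has to handle, here is an added example in Python written for this article in the spirit of the tools above; it is not JFrog's, Jan Schaumann's or Hilko Bengen's code. It opens JAR, WAR and EAR archives, recurses into jars nested under WEB-INF/lib or BOOT-INF/lib, treats the presence of org/springframework/beans/CachedIntrospectionResults.class as the marker for the spring-beans module, and compares the version it can recover against the first fixed releases, 5.3.18 and 5.2.20. The sample archives are constructed in memory with a four-byte stand-in for the class file; the assumption that a Spring jar's manifest carries Implementation-Title: spring-beans and Implementation-Version is mine.

```python
"""Find Spring Framework builds affected by Spring4Shell (CVE-2022-22965)
inside JAR/WAR/EAR archives, including jars nested in WEB-INF/lib or
BOOT-INF/lib.  Added example, not the code of any scanner named above.
"""
import io
import re
import zipfile

# spring-beans carries the data binder at the root of the flaw.  These are the
# first fixed releases on the two maintained branches; 4.x and older never got
# a fix, and 6.x shipped after it.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
MARKER_CLASS = "org/springframework/beans/CachedIntrospectionResults.class"
JAR_NAME_RE = re.compile(r"spring-beans-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")
NESTED_EXT = (".jar", ".war", ".ear")


def parse_version(text):
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed(version):
    fixed = FIXED.get(version[:2])
    if fixed is not None:
        return version >= fixed
    return version > (5, 3, 18)  # 6.x and later: fixed; 5.1 and older: not


def manifest(zf):
    """Main-section attributes of META-INF/MANIFEST.MF as a dict."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return {}
    attrs = {}
    raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in raw.splitlines():
        if ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def version_of(zf, name):
    """Version from the jar file name, else from the manifest (assumed layout:
    Implementation-Title/Implementation-Version), else None."""
    m = JAR_NAME_RE.search(name)
    if m:
        return tuple(int(x) for x in m.groups())
    mf = manifest(zf)
    # Only trust the manifest when it identifies itself as spring-beans; a
    # shaded application jar carries the application's own version here.
    if mf.get("Implementation-Title", "").startswith("spring-beans"):
        return parse_version(mf.get("Implementation-Version"))
    return None


def scan_archive(data, name):
    """Return [(location, version, status)] for every copy of spring-beans in
    the archive or in archives nested inside it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if MARKER_CLASS in names:
            ver = version_of(zf, name)
            status = "unknown" if ver is None else ("fixed" if is_fixed(ver) else "affected")
            findings.append((name, ver, status))
        for entry in names:
            if entry.endswith(NESTED_EXT):
                findings += scan_archive(zf.read(entry), f"{name}!{entry}")
    return findings


def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def build_samples():
    """Constructed archives; class files are a four-byte magic-number stub."""
    stub = b"\xca\xfe\xba\xbe"

    def spring_beans(ver):
        mf = f"Implementation-Title: spring-beans\nImplementation-Version: {ver}\n"
        return make_zip({MARKER_CLASS: stub, "META-INF/MANIFEST.MF": mf.encode()})

    other = make_zip({"com/example/Util.class": stub})
    return {
        "legacy.war": make_zip({"WEB-INF/lib/commons-foo-1.0.jar": other,
                                "WEB-INF/lib/spring-beans-5.2.19.RELEASE.jar": spring_beans("5.2.19.RELEASE")}),
        "patched.war": make_zip({"WEB-INF/lib/spring-beans-5.3.18.jar": spring_beans("5.3.18")}),
        "boot.jar": make_zip({"BOOT-INF/lib/spring-beans-5.3.17.jar": spring_beans("5.3.17")}),
        # Renamed jar: the version is only recoverable from its manifest.
        "renamed-lib.jar": spring_beans("5.3.16"),
        # Shaded application jar: Spring classes merged in, no usable version.
        "shaded-app.jar": make_zip({MARKER_CLASS: stub, "com/example/Main.class": stub,
                                    "META-INF/MANIFEST.MF": b"Implementation-Title: shaded-app\nImplementation-Version: 1.4.2\n"}),
    }


def scan_all(samples):
    return {name: scan_archive(data, name) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all(build_samples()).items():
        for location, ver, status in findings:
            print(f"{status:8} {ver} {location}")
```

A version verdict is not an exploitability verdict: an "affected" build is only reachable by the known exploit when the other conditions (JDK 9+, Tomcat, WAR deployment) also hold, and the "unknown" result for shaded jars is exactly the case where a file scanner runs out of evidence and a runtime check is needed.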
Microsoft notes that a web application can be tested remotely with a non-malicious request sent from the curl command-line tool:
curl host:port/path?class.module.classLoader.URLs%5B0%5D=0
According to Microsoft, an HTTP 400 response indicates that the application is vulnerable: Spring's data binder has followed the class.module.classLoader property chain and failed to bind the value. Any other response is not proof of safety, since the test exercises a single endpoint and only the JDK 9+ variant of the flaw.
Researcher Florian Roth has published YARA rules that security teams can use to check a system for a successful compromise via Spring4Shell; they detect the malicious JSP backdoor files dropped by the known exploits. Finally, Carnegie Mellon University's CERT Coordination Center maintains a list of vendors that have confirmed vulnerable products.