{"id":11414,"date":"2022-04-01T11:29:14","date_gmt":"2022-04-01T10:29:14","guid":{"rendered":"https:\/\/42crdev.prexihost.com\/?p=11414"},"modified":"2022-09-24T14:04:54","modified_gmt":"2022-09-24T13:04:54","slug":"lessons-learned-from-the-spring4shell-vulnerability","status":"publish","type":"post","link":"https:\/\/staging2022.42crunch.com\/lessons-learned-from-the-spring4shell-vulnerability\/","title":{"rendered":"Lessons learned from the Spring4Shell vulnerability"},"content":{"rendered":"<p>Recently we published an article on the <a href=\"https:\/\/42crunch.com\/protecting-your-apis-against-log4shell-with-42crunch\/\" target=\"_blank\" rel=\"noopener\">log4shell vulnerability<\/a> targeting <i>log4j<\/i>, in which we explained how APIs can be protected against injection attacks with a positive security model, and how 42Crunch easily enables such a model. Now, it\u2019s time for the <i>Spring4Shell<\/i> (CVE-2022-22965) vulnerability, targeting the Spring framework, commonly used to build APIs. What can we learn from this vulnerability?<\/p>\n<h4>Diving into <i>Spring4Shell<\/i><\/h4>\n<p>The Spring team has published <a href=\"https:\/\/spring.io\/blog\/2022\/03\/31\/spring-framework-rce-early-announcement\" target=\"_blank\" rel=\"noopener\">an article<\/a> explaining the preconditions necessary for exploitation, and a workaround to prevent exploitation when upgrading the framework to 5.3.18 or 5.2.20 is not an option.<\/p>\n<p>The conditions they list for exploitation are the following :<\/p>\n<ul>\n<li>JDK 9 or higher<\/li>\n<li>Apache Tomcat as the Servlet container<\/li>\n<li>Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)<\/li>\n<li>spring-webmvc or spring-webflux dependency<\/li>\n<li>Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions<\/li>\n<\/ul>\n<p>So the first thing to notice is that this attack relies a lot on the execution environment. But what is this vulnerability about? Let\u2019s have a look at the workaround the Spring team give:<\/p>\n<div class=\"code-toolbar\">\n<pre class=\" language-java\"><code class=\" language-java\">&lt;span class=&quot;token annotation punctuation&quot;&gt;@ControllerAdvice&lt;\/span&gt;\n&lt;span class=&quot;token annotation punctuation&quot;&gt;@Order&lt;\/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;(&lt;\/span&gt;&lt;span class=&quot;token class-name&quot;&gt;Ordered&lt;\/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;.&lt;\/span&gt;LOWEST_PRECEDENCE&lt;span class=&quot;token punctuation&quot;&gt;)&lt;\/span&gt;\n&lt;span class=&quot;token keyword&quot;&gt;public&lt;\/span&gt; &lt;span class=&quot;token keyword&quot;&gt;class&lt;\/span&gt; &lt;span class=&quot;token class-name&quot;&gt;BinderControllerAdvice&lt;\/span&gt; &lt;span class=&quot;token punctuation&quot;&gt;{&lt;\/span&gt;\n    &lt;span class=&quot;token annotation punctuation&quot;&gt;@InitBinder&lt;\/span&gt;\n    &lt;span class=&quot;token keyword&quot;&gt;public&lt;\/span&gt; &lt;span class=&quot;token keyword&quot;&gt;void&lt;\/span&gt; &lt;span class=&quot;token function&quot;&gt;setAllowedFields&lt;\/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;(&lt;\/span&gt;&lt;span class=&quot;token class-name&quot;&gt;WebDataBinder&lt;\/span&gt; dataBinder&lt;span class=&quot;token punctuation&quot;&gt;)&lt;\/span&gt; &lt;span class=&quot;token punctuation&quot;&gt;{&lt;\/span&gt;\n         &lt;span class=&quot;token class-name&quot;&gt;String&lt;\/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;[&lt;\/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;]&lt;\/span&gt; denylist &lt;span class=&quot;token operator&quot;&gt;=&lt;\/span&gt; &lt;span class=&quot;token keyword&quot;&gt;new&lt;\/span&gt; &lt;span class=&quot;token class-name&quot;&gt;String&lt;\/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;[&lt;\/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;]&lt;\/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;{&lt;\/span&gt;&lt;span class=&quot;token string&quot;&gt;&quot;class.*&quot;&lt;\/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;,&lt;\/span&gt; &lt;span class=&quot;token string&quot;&gt;&quot;Class.*&quot;&lt;\/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;,&lt;\/span&gt; &lt;span class=&quot;token string&quot;&gt;&quot;*.class.*&quot;&lt;\/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;,&lt;\/span&gt; &lt;span class=&quot;token string&quot;&gt;&quot;*.Class.*&quot;&lt;\/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;}&lt;\/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;\/span&gt;\n         dataBinder&lt;span class=&quot;token punctuation&quot;&gt;.&lt;\/span&gt;&lt;span class=&quot;token function&quot;&gt;setDisallowedFields&lt;\/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;(&lt;\/span&gt;denylist&lt;span class=&quot;token punctuation&quot;&gt;)&lt;\/span&gt;&lt;span class=&quot;token punctuation&quot;&gt;;&lt;\/span&gt;\n    &lt;span class=&quot;token punctuation&quot;&gt;}&lt;\/span&gt;\n&lt;span class=&quot;token punctuation&quot;&gt;}&lt;\/span&gt;\n<\/code><\/pre>\n<div class=\"toolbar\">\n<div class=\"toolbar-item\"><\/div>\n<\/div>\n<\/div>\n<p>It seems the field names are the attack vector. Indeed this code snippet is a signature-based attack detection, in which the field names received by the Spring framework that look like \u00ab class.* \u00bb, \u00ab Class.* \u00bb, \u00ab *.class.* \u00bb, or \u00ab *.Class.* \u00bb are rejected. What is harmful about fields being named like this?<\/p>\n<p>It all boils down to the DataBinder. A DataBinder is an object that is used to set properties onto a target object. Spring uses a WebDataBinder, a child class of DataBinder, that binds web request parameters to JavaBean objects. Now, if we look at the <a href=\"https:\/\/docs.spring.io\/spring-framework\/docs\/current\/javadoc-api\/org\/springframework\/validation\/DataBinder.html\" target=\"_blank\" rel=\"noopener\">Spring documentation for the DataBinder object<\/a>:<\/p>\n<p><cite>\u201c..Note that there are potential security implications in failing to set an array of allowed fields. In the case of HTTP form POST data for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder..\u201d<\/cite><\/p>\n<p>It all comes together \u2014 the vulnerability is about modifying the name of a field used in a request to point to a specific class name, In order to modify properties of this class. In the case of this specific <i>spring4shell<\/i> exploit, the mechanism is the same as the previous CVE-2014-0094. Using crafted field names that designate the Tomcat logger class \u2013 hence, the need for a Tomcat environment \u2013 an attacker is able to modify the settings of the class. When something is logged, a JSP file is written on the root directory of the application instead, allowing code execution.<\/p>\n<p>This attack only works because contrary to what is \u201chighly recommended\u201d by the Spring documentation for DataBinders, the field names received by the WebDataBinder from the client are not constrained to a finite list of allowed names.<\/p>\n<h4>Conclusion<\/h4>\n<p>At 42Crunch we strongly agree with the DataBinder documentation: security should be implemented at design time, by strictly defining what is allowed and denying everything else. If the field names were restricted to only listed allowed names, this attack would never work.<\/p>\n<p>This is what a positive security model is about and this is exactly what 42Crunch enables you to implement. Our API Security audit would have asked to define the allowed field names. Our API Conformance Scan service would then have made sure that only the defined field names were allowed by the API implementation.<\/p>\n<p>Finally, to protect the API before it even reaches the Spring framework, our API firewall would have denied any request with a field name not explicitly allowed. If you want to read more about how this works when dealing with a vulnerability, you can read our <a href=\"https:\/\/42crunch.com\/protecting-your-apis-against-log4shell-with-42crunch\/\">previous article on log4shell<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently we published an article on the log4shell vulnerability targeting log4j, in which we explained how APIs can be protected against injection attacks with a positive security model, and how 42Crunch easily enables such a model. Now, it\u2019s time for the Spring4Shell (CVE-2022-22965) vulnerability, targeting the Spring framework, commonly used to build APIs. What can [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":11521,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"none","_seopress_titles_title":"API Security Vulnerability - Lessons learned from Spring4Shell","_seopress_titles_desc":"Lessons from the Spring4Shell (CVE-2022-22965) API vulnerability and how 42Crunch API Security Platform can protect against it.","_seopress_robots_index":"","site-sidebar-layout":"default","site-content-layout":"default","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"disabled","ast-hfb-above-header-display":"disabled","ast-hfb-below-header-display":"disabled","ast-hfb-mobile-header-display":"disabled","site-post-title":"disabled","ast-breadcrumbs-content":"disabled","ast-featured-img":"disabled","footer-sml-layout":"disabled","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[6],"tags":[16,15],"class_list":["post-11414","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-api-security-training","tag-api-vulnerabilities"],"_links":{"self":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/11414"}],"collection":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/comments?post=11414"}],"version-history":[{"count":0,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/11414\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media\/11521"}],"wp:attachment":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media?parent=11414"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/categories?post=11414"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/tags?post=11414"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}