Microsoft stated it is presently detecting a “limited amount of attack attempts” across its cloud services that are aimed at the serious Spring4Shell (aka SpringShell) remote code execution (RCE) vulnerability.
The vulnerability, tracked as CVE-2022-22965, affects the Spring Framework, which Microsoft describes as the “most extensively used lightweight open-source framework for Java.”
“Microsoft analyses assaults on our cloud infrastructure and services on a frequent basis in order to better defend them. We’ve been detecting a limited amount of attack attempts for Spring Cloud and Spring Core vulnerabilities across our cloud services since the vulnerability was exposed,” according to Microsoft’s 365 Defender Threat Intelligence Team.
“We have not noticed any impact on the security of our enterprise services as yet, and we have not encountered any service availability degradation as a result of this issue,” the Microsoft Security Response Center team stated.
In a Monday post, Microsoft said that attackers may use this Spring Core security issue to establish web shells in the Tomcat root directory by submitting specially crafted requests to servers using the Spring Core framework.
This web shell can then be used by threat actors to run commands on the compromised server.
While some have linked the severity level of this security problem to that of Log4Shell, a vulnerability in the widely used Apache Log4j Java-based logging library, this isn’t necessarily the case, because Spring4Shell only affects systems with a particular configuration:
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
- Apache Tomcat as the Servlet container
- JDK 9.0 or later
- Packaged as a regular Java web archive (WAR) and deployed in a standalone Tomcat instance (Spring Boot deployments that use an embedded Servlet container or a reactive web server are unaffected)
- spring-webmvc or spring-webflux dependencies
Regardless, Microsoft warns that “any system employing JDK 9.0 or later, as well as the Spring Framework or derivative frameworks, should be considered susceptible.”
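An added example, not code from the article or from Microsoft, that turns the preconditions above into an offline inventory check: it inspects a WAR’s WEB-INF/lib for spring-webmvc or spring-webflux jars in the affected version ranges and combines that with the JDK major version and deployment model supplied by the operator. The function names, the constructed sample WAR and the caller-supplied standalone_tomcat flag are assumptions of this example.

```python
import io
import re
import zipfile

# Jar name pattern for the two dependencies the advisory lists, as they appear
# under WEB-INF/lib inside a traditional WAR.
SPRING_WEB_JAR = re.compile(
    r"WEB-INF/lib/(spring-webmvc|spring-webflux)-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")


def spring_version_affected(version):
    """Affected: 5.3.0-5.3.17, 5.2.0-5.2.19 and anything older (fixed in 5.3.18 / 5.2.20)."""
    return version < (5, 2, 20) or (5, 3, 0) <= version < (5, 3, 18)


def jdk_major(version_string):
    """'1.8.0_312' -> 8, '11.0.14' -> 11, '17' -> 17 (legacy '1.x' strings map to x)."""
    parts = version_string.split(".")
    return int(parts[1]) if parts[0] == "1" else int(parts[0])


def assess_war(war_bytes, jdk_version, standalone_tomcat):
    """Apply every precondition to one deployment; returns (affected, findings).
    standalone_tomcat comes from the host inventory (assumption); embedded containers pass False."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        jars = [m for m in map(SPRING_WEB_JAR.search, war.namelist()) if m]
    if not jars:
        return False, ["no spring-webmvc/spring-webflux jar under WEB-INF/lib"]
    for m in jars:
        version = tuple(int(m.group(i)) for i in (2, 3, 4))
        if spring_version_affected(version):
            findings.append(f"affected Spring version: {m.group(1)} {'.'.join(map(str, version))}")
    if not findings:
        return False, ["Spring web jar present but at a fixed version"]
    if jdk_major(jdk_version) < 9:
        return False, findings + [f"JDK {jdk_version} is below 9, precondition not met"]
    findings.append(f"JDK {jdk_version} meets the JDK 9+ precondition")
    if not standalone_tomcat:
        return False, findings + ["embedded container, not a WAR on standalone Tomcat"]
    findings.append("traditional WAR deployed in standalone Tomcat")
    return True, findings


def build_sample_war(spring_jar_name):
    """Constructed sample WAR (not a real artifact) holding a single Spring web jar entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr(f"WEB-INF/lib/{spring_jar_name}", b"")
    return buf.getvalue()
```

The check only reports that all published preconditions hold; a deployment that fails one of them can still warrant patching given Microsoft’s broader warning above.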
Admins can use this nonmalicious command to see if their servers are vulnerable to Spring4Shell assaults (an HTTP 400 response indicates that the system is vulnerable to at least one publicly accessible proof of concept (PoC) exploit):
Microsoft observed ongoing attacks using Spring4Shell against its cloud infrastructure after the US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalogue.
CVE-2022-22965 exploitation efforts have already targeted around 16 percent of all businesses susceptible to Spring4Shell, according to a Check Point study released on Tuesday.
Check Point researchers discovered roughly 37,000 Spring4Shell exploitation attempts during the previous weekend alone, based on internally-sourced telemetry records.
VMware also released security updates on Monday to address the Spring4Shell vulnerability, which affects several of its cloud computing and virtualization products.