Skip to content

Preventing the initial Spring4Shell exploit, a demonstration

By Blake Connell

April 4, 2022

    
Preventing the initial Spring4Shell exploit, a demonstration

The hits keep coming. Spring4Shell is the latest zero-day security issue that takes advantage of a vulnerability in a widely adopted application framework for Java – the Spring Framework. Our own data shows 74% of Java applications use Spring Core. This vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+.  So far, the issue has been confirmed for Spring applications packaged as WAR files running on Tomcat servers. CVE-2022-22965 has more specifics. Contrast Security has written an initial blog that has been picked-up widely by other publications for its timely and practical information.

What can be done immediately to shield against this attack? 

While planning to implement the suggested updates to both Spring and Tomcat, deploying Contrast Protect delivers immediate protection against Spring4Shell. Ethan Shimooka, Systems Engineer for Contrast Security, created this timely video highlighting the issue and easy implementation of Contrast Protect to shield against attacks.

In the demonstration video, the first thing Ethan does is confirm the vulnerability using Proof-of-Concept (PoC) code from a public repository. By exploiting the vulnerability in the sample application, Ethan is able to run as Root administrator on the server. 

Next, with a toggle of a button in the Contrast Security console, Ethan can enable “Protect” mode for the server. Contrast Protect uses an embedded Java agent to instrument applications and block classes of attacks including injection attacks. Rerunning the attack on the PoC code results in a server error as Contrast Protect blocks it. Further, information about the block is viewed in the Contrast Security console.  Using Contrast Assess delivers even more detail about the attack including stack traces. 

View the demonstration

It should be noted that customers that previously deployed Contrast Protect were shielded from this zero-day attack from the start. An essential benefit of Contrast Protect is the ability to block many classes of attacks without the need for specific rules to be created and deployed. Contrast will continue to monitor this event, and as more details surface, we’ll provide more information here

Connect with us now to learn how Contrast can protect your Java applications against exploits like Spring4Shell.

Blake Connell

Blake Connell

An experienced enterprise software product marketer, Blake’s work spans many areas including developer platforms, cloud infrastructure, and advanced security analytics. Blake helps drive customer success by ensuring products get successfully delivered into the marketplace that yield immediate benefit. Currently, Blake is focused on Contrast Protect, which provides application runtime protection and observability.