The hits keep coming. Spring4Shell is the latest zero-day security issue that takes advantage of a vulnerability in a widely adopted application framework for Java – the Spring Framework. Our own data shows 74% of Java applications use Spring Core. This vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. So far, the issue has been confirmed for Spring applications packaged as WAR files running on Tomcat servers. CVE-2022-22965 has more specifics. Contrast Security has written an initial blog that has been picked up widely by other publications for its timely and practical information.
What can be done immediately to shield against this attack?
While planning to implement the suggested updates to both Spring and Tomcat, deploying Contrast Protect delivers immediate protection against Spring4Shell. Ethan Shimooka, Systems Engineer for Contrast Security, created this timely video highlighting the issue and easy implementation of Contrast Protect to shield against attacks.
In the demonstration video, the first thing Ethan does is confirm the vulnerability using Proof-of-Concept (PoC) code from a public repository. By exploiting the vulnerability in the sample application, Ethan is able to run commands as the root user on the server.
Next, with the toggle of a button in the Contrast Security console, Ethan enables “Protect” mode for the server. Contrast Protect uses an embedded Java agent to instrument applications and block classes of attacks, including injection attacks. Rerunning the attack from the PoC code results in a server error as Contrast Protect blocks it. Further, information about the blocked attack can be viewed in the Contrast Security console. Using Contrast Assess delivers even more detail about the attack, including stack traces.
View the demonstration
It should be noted that customers who had previously deployed Contrast Protect were shielded from this zero-day attack from the start. An essential benefit of Contrast Protect is the ability to block many classes of attacks without the need for specific rules to be created and deployed. Contrast will continue to monitor this event, and as more details surface, we’ll provide more information here.
Connect with us now to learn how Contrast can protect your Java applications against exploits like Spring4Shell.