Using Contrast Log Enhancers to help track down vulnerable Spring4Shell applications

Security teams that manage many applications face challenges in mitigating a vulnerability like Spring4Shell. While Contrast Assess and Contrast SCA can show a user what applications include the vulnerable Spring libraries, these components are ubiquitous - a large organization could have hundreds of potentially vulnerable applications. It makes sense that a security team would want to prioritize applications that are truly vulnerable when choosing how to utilize the limited resources they have to fix the problem. The good news is that Contrast Protect can help security professionals focus on the applications that are most likely to be affected.

One question that is particularly difficult for a security team to answer is “which applications actually use auto-binding?”. An application might use a vulnerable Spring library, however for the exploit to work, it has to actually use Spring’s DataBinder to bind request data - e.g. via the ModelAttribute annotation. An application that binds data from a request to a Java object using an HTTP message converter via Spring’s RequestBody annotation is not vulnerable to Spring4Shell.

While use of auto-binding alone is not sufficient to trigger a vulnerability event, it would still be useful if Contrast could notify users when it occurs and for which application. Security teams could then treat use of auto-binding as a kind of auditable event. Contrast users may compare the applications using auto-binding with the set of applications using the affected Spring libraries. 


Contrast Protect can provide this functionality right now via Log Enhancers. Log Enhancers are instrumentation instructions that allow the Contrast agent to log additional messages from within the application, without requiring any source code changes. A user specifies an API to log, and the Contrast agent adds an entry to its security logger each time the specified API is called. Log Enhancers can be added in the Contrast UI under an organization's Protect policy management portal, as shown here:

To detect auto-binding, a user should create a Log Enhancer with the following values:

Name: Detect Spring Autobinding
Description: Log when an application uses Spring Autobinding
Log Level: WARN
Log Type: Security
Language: Java
API: org.springframework.web.bind.WebDataBinder.doBind(org.springframework.beans.MutablePropertyValues)
Format: Spring Autobinding Detected

After restarting the instrumented application with Protect enabled, every time an application uses auto-binding, an event like the following will be appended to the security log:

Apr 01 2022 20:08:34.059+0000 172.17.0.2 CEF:0|Contrast Security|Contrast Agent Java|3.12.0-SNAPSHOT|SECURITY|Spring Autobinding Detected|WARN|lei=510139 src=172.17.0.1 spt=8080 request=/spring-shell/user/autobind-allowed-fields requestMethod=POST app=spring-shell outcome=success

This can be combined with the Contrast agent's built-in remote syslog capability to centralize reporting of the applications that use auto-binding.
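Once those events are centralized, the comparison described earlier (applications observed auto-binding versus applications that carry the affected Spring libraries) can be scripted. The following is an added example written for this page, not Contrast's own code; the CEF log lines are constructed (the first mirrors the event above) and the SCA-flagged application list is a made-up stand-in.

```python
import re
from typing import Optional

# Constructed security-log lines in the CEF shape the Log Enhancer emits.
# The first mirrors the event shown above; the rest are invented for this example.
SAMPLE_LOG = """\
Apr 01 2022 20:08:34.059+0000 172.17.0.2 CEF:0|Contrast Security|Contrast Agent Java|3.12.0-SNAPSHOT|SECURITY|Spring Autobinding Detected|WARN|lei=510139 src=172.17.0.1 spt=8080 request=/spring-shell/user/autobind-allowed-fields requestMethod=POST app=spring-shell outcome=success
Apr 01 2022 20:09:01.120+0000 172.17.0.2 CEF:0|Contrast Security|Contrast Agent Java|3.12.0-SNAPSHOT|SECURITY|Spring Autobinding Detected|WARN|lei=510140 src=172.17.0.1 spt=8080 request=/orders/checkout requestMethod=POST app=order-service outcome=success
Apr 01 2022 20:09:09.000+0000 172.17.0.2 CEF:0|Contrast Security|Contrast Agent Java|3.12.0-SNAPSHOT|SECURITY|Some Other Event|INFO|lei=1 src=172.17.0.1 spt=8080 request=/health requestMethod=GET app=inventory outcome=success
"""

AUTOBIND_EVENT = "Spring Autobinding Detected"   # the Format string configured above
HEADER = ("cef_version", "vendor", "product", "version", "signature", "name", "severity")
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # key=value pairs in the CEF extension


def parse_cef(line: str) -> Optional[dict]:
    """Split one syslog-prefixed CEF line into its 7 header fields plus an 'ext' dict."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    parts = line[idx + 4:].split("|", 7)         # 7 header fields, then the extension
    if len(parts) != 8:
        return None
    event = dict(zip(HEADER, parts[:7]))
    event["ext"] = dict(EXT_RE.findall(parts[7]))
    return event


def autobinding_apps(log_text: str) -> dict:
    """Map each app that emitted the auto-binding event to the endpoints that triggered it."""
    seen: dict = {}
    for line in log_text.splitlines():
        ev = parse_cef(line)
        if ev is None or ev["name"] != AUTOBIND_EVENT:
            continue
        ext = ev["ext"]
        endpoint = f"{ext.get('requestMethod', '?')} {ext.get('request', '?')}"
        seen.setdefault(ext.get("app", "unknown"), set()).add(endpoint)
    return seen


def prioritize(log_text: str, apps_with_vulnerable_spring: set) -> list:
    """Fix first: apps that carry the affected libraries AND actually auto-bind request data."""
    return sorted(app for app in autobinding_apps(log_text) if app in apps_with_vulnerable_spring)


if __name__ == "__main__":
    sca_flagged = {"spring-shell", "inventory", "billing"}   # constructed stand-in for SCA output
    for app in prioritize(SAMPLE_LOG, sca_flagged):
        print(app, sorted(autobinding_apps(SAMPLE_LOG)[app]))
```

Applications that appear in the SCA list but never emit the event (inventory, billing above) drop to the bottom of the queue rather than off it, since a single log window cannot prove a code path is never exercised.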

In summary, Contrast Protect shielded customers from the Spring4Shell 0-day from the outset. That is a key benefit of our RASP product. But as shown here, additional features such as Log Enhancers can help AppSec teams mop up after an event like this as efficiently as possible.

For more on Log Enhancers, see our documentation.

Connect with us now to learn how Contrast can protect your Java applications against exploits like Spring4Shell.

Robert Szewczyk, Sr. Software Engineer