Operational information regarding the Spring4Shell vulnerability (CVE-2022-22965) in the Spring Core Framework.
- README.md: contains general information and detection and mitigation measures
- software/README.md: contains a list of known vulnerable and not vulnerable software.
NCSC-NL has published a HIGH/HIGH advisory for the Spring4Shell vulnerability. Normally we would update the HIGH/HIGH advisory for each vulnerable software package; however, because of the expected number of updates, we have instead created a list of known vulnerable software in the software directory.
Patches are available through Spring.io. The fixed versions are:
- Spring Framework versions 5.3.18 and 5.2.20
- Spring Boot versions 2.5.12 and 2.6.6
- Tomcat versions 10.0.20, 9.0.62, and 8.5.78
The table below gives an overview of local and remote scanning tools for the Spring4Shell vulnerability that help to find vulnerable software.
NCSC-NL has not verified the scanning tools listed below and therefore cannot guarantee their validity. However, NCSC-NL strives to provide scanning tools from reliable sources.
| Tool | Link |
|---|---|
| jfrog Spring tools | https://github.com/jfrog/jfrog-spring-tools |
| Hilko Bengen - Local Spring vulnerability scanner | https://github.com/hillu/local-spring-vuln-scanner |
| Remco Verhoef - Spring4shell scanner | https://github.com/dtact/spring4shell-scanner |
| Tenable Nessus Spring4shell vulnerability scanner | https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability |
| Qualys Scanner/Cloud Agent | https://blog.qualys.com/vulnerabilities-threat-research/2022/03/31/spring-framework-zero-day-remote-code-execution-spring4shell-vulnerability |
| Rapid7 Nexpose/InsightVM | https://docs.rapid7.com/insightvm/spring4shell/ |
| Acunetix | https://www.acunetix.com/blog/web-security-zone/critical-alert-spring4shell-rce-cve-2022-22965-in-spring/ |
| Nuclei Spring4shell template | https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-22965.yaml |
| Whitesource/spring4shell-detect | https://github.com/whitesource/spring4shell-detect |
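The local scanners listed above work by looking inside deployed archives for Spring Framework artifacts and comparing their version with the patched releases given earlier on this page (5.3.18 for the 5.3 line, 5.2.20 for the 5.2 line). The following script is an added example of that approach and is not code from NCSC-NL or from any of the listed tools. It walks a directory, opens `.jar`/`.war`/`.ear` files (including jars nested inside a WAR or Spring Boot fat jar) and reports every `spring-beans`, `spring-core`, `spring-web` or `spring-webmvc` artifact whose version is below the fix for its line. Matching on the artifact file name is an assumption made for this example; a production scanner would also inspect class files and `MANIFEST.MF`, since repackaged or shaded jars do not carry the version in their name. The sample WAR built by `build_sample_war()` is constructed for the example.

```python
"""Find Spring Framework artifacts below the CVE-2022-22965 fixed versions.

Added example (not NCSC-NL code). Detection is by artifact file name, which is an
assumption for this example; real scanners also inspect class files and manifests.
"""
import io
import re
import sys
import zipfile
from dataclasses import dataclass
from pathlib import Path

# Patched Spring Framework versions listed on this page: 5.3.x is fixed in 5.3.18,
# 5.2.x in 5.2.20. Anything below its line's fix is reported as vulnerable.
PATCHED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Spring Framework modules that ship the affected data-binding code. The name pattern
# "<artifact>-<major>.<minor>.<patch>[qualifier].jar" is an assumption for this example.
ARTIFACT_RE = re.compile(
    r"(?:^|/)(spring-(?:beans|core|webmvc|web))-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$"
)

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    location: str    # outer path plus nested entry, e.g. app.war!WEB-INF/lib/spring-beans-5.3.17.jar
    artifact: str    # e.g. spring-beans
    version: tuple   # (major, minor, patch)
    vulnerable: bool


def is_vulnerable_version(version):
    """True if a Spring Framework version is below the patched release for its line."""
    line = version[:2]
    if line in PATCHED:
        return version < PATCHED[line]
    # Lines without a listed fix: releases older than 5.2 are unsupported and unpatched;
    # releases newer than 5.3 (e.g. 6.x) already contain the fix.
    return version < (5, 2, 0)


def scan_archive_bytes(data, location):
    """Scan one zip-based archive (and any archives nested in it) for Spring artifacts."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip-based archive; nothing to inspect
    with archive:
        for name in archive.namelist():
            match = ARTIFACT_RE.search(name)
            if match:
                version = (int(match.group(2)), int(match.group(3)), int(match.group(4)))
                findings.append(Finding(f"{location}!{name}", match.group(1),
                                        version, is_vulnerable_version(version)))
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                # Recurse into nested jars (WEB-INF/lib in a WAR, BOOT-INF/lib in a fat jar).
                findings.extend(scan_archive_bytes(archive.read(name), f"{location}!{name}"))
    return findings


def scan_path(root):
    """Scan a single archive file or every archive below a directory."""
    root = Path(root)
    paths = [root] if root.is_file() else root.rglob("*")
    findings = []
    for path in paths:
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive_bytes(path.read_bytes(), str(path)))
    return findings


def build_sample_war():
    """Constructed sample: a WAR holding one unpatched and one patched Spring jar plus an unrelated jar."""
    def empty_jar():
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return buf.getvalue()

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/spring-beans-5.3.17.jar", empty_jar())
        war.writestr("WEB-INF/lib/spring-webmvc-5.3.18.jar", empty_jar())
        war.writestr("WEB-INF/lib/commons-io-2.11.0.jar", empty_jar())
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_path(sys.argv[1])  # e.g. python scan.py /opt/tomcat/webapps
    else:
        results = scan_archive_bytes(build_sample_war(), "sample.war")
    for finding in results:
        status = "VULNERABLE" if finding.vulnerable else "patched"
        print(f"{status:10} {finding.artifact} {'.'.join(map(str, finding.version))} {finding.location}")
    sys.exit(1 if any(f.vulnerable for f in results) else 0)
```

Run it with a directory argument (for example a Tomcat `webapps` directory) to scan real deployments; without arguments it scans the constructed sample WAR and exits non-zero because `spring-beans-5.3.17.jar` is below 5.3.18. A hit on an old Spring version means the fix is absent, but whether the deployment is actually exploitable also depends on the runtime (the advisory's HIGH/HIGH rating applies to the common deployment scenario), so treat findings as a list of hosts to patch rather than as proof of compromise.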
The IPs observed scanning for this vulnerability are listed under Scanning IPs.
In addition to scanning tools, the following detection rulesets and queries can help to find exploitation attempts and webshells in your network.
| Ruleset | Link |
|---|---|
| Yara rules - Neo23x0 | https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar |
| Splunk queries - West-wind | https://github.com/west-wind/Spring4Shell-Detection |
If you have any additional information relevant to the Spring4Shell vulnerability to share, please feel free to open a pull request. New to this? Read how to contribute in GitHub's documentation.