Detect the Spring4Shell vulnerability
This guide walks through detecting and reporting on CVE-2022-22965 (Spring4Shell).
You can scan your environment for the Spring4Shell vulnerability with a customized scan template and quickly determine and report on impact using the Specific Vulnerability dashboard template.
The April 1, 2022 content release for InsightVM and Nexpose includes new authenticated and remote checks for the Spring4Shell vulnerability. No product update is required, only a content update. The check is intentionally conservative and may produce false positives.
Running a scan for CVE-2022-22965 will allow teams to inventory potentially affected systems to then further triage and prioritize remediation efforts. The advice from Spring.io is that while systems may not be vulnerable due to other necessary conditions, customers should schedule upgrades to current versions (Spring Framework 5.3.18 and 5.2.20) to err on the side of caution.
Step 1: Configure a scan template
You can copy an existing scan template or create a new custom scan template that only checks for the Spring4Shell vulnerability.
Make a copy of the `Full audit without Web Spider` scan template.
- In your security console, go to the Administration tab.
- Under Scans, click Manage scan templates.
- In the Full audit without Web Spider scan template row, click the Copy scan template icon.
- On the General tab, enter an easily identifiable name, such as Spring4Shell.
(Optional) Enable scanning on Windows devices using the authenticated check.
For authenticated scanning in Windows environments, you need to enable Windows file system search in the scan template to allow scan engines to search all local file systems for specific files.
- On the General tab, select the Enable Windows File System Search checkbox.
- Review the warning text to determine whether you want to enable this option.
- To enable this feature, click Yes. To cancel enabling, click No.
Searching file systems increases scan time and resource utilization
Searching entire file systems across all of your Windows assets is an intensive process that increases scan times and resource utilization.
On the Vulnerability Checks tab, add the CVE-2022-22965 checks.
- Expand the By Individual Check dropdown and click Add Checks.
- Select CVE-2022-22965.
- Click Save.
Click Save at the top right corner of the Scan Template Configuration.
Step 2: Scan your network
The following steps use CVE-2022-22965 as the example. The same steps can be used for additional checks related to Spring4Shell such as CVE-2021-45046 and CVE-2021-45105.
Prepare for the Authenticated check
Prepare for scanning with the authenticated check (vulnerability ID: `spring-cve-2022-22965`):
- Ensure you have provided valid, root-level SSH credentials for systems in your environment.
- The check will search the filesystem for files with a `.war` extension, and run the `unzip -l` command to enumerate filenames within the WAR file. If an affected version of the Spring Beans jar file is found (based on the filename), the check will report the asset as vulnerable.
- Review the vulnerability proof to determine the path of the WAR file(s).
- Scanning Windows systems using the authenticated check requires that WMI be enabled, and Enable Windows File System Search must be enabled in the scan template.
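As an added illustration, not Rapid7's own check code, the following Python mirrors the filename-based logic described above: it enumerates the entries of each WAR (the same list `unzip -l` prints), looks for a `spring-beans-*.jar` entry, and flags versions below the fixed releases the guide names (5.3.18 and 5.2.20). The sample WARs it builds are constructed for the demo; the WAR path and jar entry it returns are the kind of proof you would review in step 2.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Matches a spring-beans jar entry inside a WAR and captures major.minor.patch.
JAR_RE = re.compile(r"(?:^|/)spring-beans-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

def is_affected_version(version):
    """Conservative, like the authenticated check: flag anything older than the fixed
    release on its line (5.3.x below 5.3.18, everything else below 5.2.20)."""
    if version >= (5, 3, 0):
        return version < (5, 3, 18)
    return version < (5, 2, 20)

def spring_beans_jars(war_path):
    """Enumerate WAR entries (what `unzip -l` lists) and return (entry, version) for
    every spring-beans jar, matched on filename only, as the check does."""
    with zipfile.ZipFile(war_path) as war:
        hits = [(n, JAR_RE.search(n)) for n in war.namelist()]
    return [(n, tuple(int(x) for x in m.groups())) for n, m in hits if m]

def scan_tree(root):
    """Walk `root` for *.war files; map each WAR path to its affected spring-beans entries."""
    results = {}
    for war in Path(root).rglob("*.war"):
        affected = [(e, v) for e, v in spring_beans_jars(war) if is_affected_version(v)]
        if affected:
            results[str(war)] = affected
    return results

def build_sample_war(path, jar_name):
    """Constructed sample WAR: an empty jar entry is enough, since only the name is inspected."""
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr(f"WEB-INF/lib/{jar_name}", b"")

def run_demo():
    """Build one affected and one fixed sample WAR in a temp dir, scan, return {basename: hits}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_war(Path(tmp) / "legacy.war", "spring-beans-5.3.17.jar")
        build_sample_war(Path(tmp) / "patched.war", "spring-beans-5.3.18.jar")
        return {Path(p).name: hits for p, hits in scan_tree(tmp).items()}

if __name__ == "__main__":
    for war, hits in run_demo().items():
        for entry, version in hits:
            print(f"{war}: {entry} ({'.'.join(map(str, version))}) is below the fixed release")
```

Point `scan_tree` at a real deployment directory to reproduce the check's proof for your own WARs; like the product check, it only reads jar names, so a repackaged or shaded jar will not be matched.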
Prepare for the Unauthenticated check
Prepare for scanning with the unauthenticated check (vulnerability ID: `spring-cve-2022-22965-remote-http`):
- The remote check triggers against any discovered HTTP(S) services, and attempts to send a payload to common Spring-based web application paths in order to trigger an HTTP 500 response, which indicates a higher probability that the system is exploitable.
Scan your network with the new scan template
- Run a scan with the scan template you updated or created.
- When the scan completes, in the Security Console, search for the CVE ID (CVE-2022-22965) to find the assets the check flagged.
- To continually monitor any assets that are vulnerable to Spring4Shell, create a Dynamic Asset Group based on the same CVE ID you searched for. Your filtered asset search looks for exact matches to the CVE ID itself (`CVE ID` `is` `CVE-2022-22965`).
Step 3: Report on the impact of Spring4Shell
This report shows the presence and impact of a specific vulnerability or vulnerabilities in your environment.
- In Query Builder, create and save a query for Spring4Shell using the following vulnerability CVE ID criteria:
`vulnerability.cveIds IN ['cve-2022-22965']`
- Use an easily identifiable query name, such as Spring4Shell.
- On the Dashboard tab, click the dashboard dropdown menu and select Specific Vulnerability Dashboard.
- On your new dashboard, click Load Dashboard Query.
- Select the Spring4Shell query you just created.
- Review the results to determine impact.
Other ways to detect Spring4Shell
You can use the Registry Sync App to assess new Spring Bean packages versions 5.0.0 and later that are embedded in WAR files.
- Update the Container Registry Sync App.
- Access the docker image at Dockerhub.
- With your Rapid7 API key handy, follow the deployment and usage instructions on the docker image page.
- Assess new packages.
- In InsightVM, on the Containers page, go to the Repositories tab.
- Select the repository that contains any unassessed images that may have Java packages.
- On the repository details page, click Synchronize Repository.
Insight Agent assessments
We are rolling out Insight Agent version 188.8.131.52, which includes collection support for WAR files on macOS and Linux so that vulnerability assessments of the authenticated check for CVE-2022-22965 will work for updated agent-enabled systems. It is expected to be generally available as of April 11, 2022. A subsequent release of the Insight Agent will be required to support the check on Windows systems.
If you rely on the Insight Agent for vulnerability management, consider setting the Throttle level to High (which is the default) to ensure updates are applied as quickly as possible. For more information, see Agent Management Settings in the Insight Agent documentation.
To reduce the impact on agent-enabled systems, the timeout for this search is 10 minutes. On very busy machines with large numbers of files, the search may time out before it finishes, and the check will then report no vulnerabilities even if an affected WAR is present.
This search relies on the WMI service. If this service is disabled on machines, the search will not run.