Spring4shell RCE attempts - CVE-2022-22963


Goal

Detect attempts to exploit the spring4shell vulnerability (CVE-2022-22963).

Strategy

Monitor payloads matching the known patterns for the Spring core RCE known as Spring4shell (event rule: #dog-000-004) on Java applications (@language:(jvm OR java)) and generate an Application Security signal with Medium severity.
A backup condition looks for existing rules (@appsec.security_activity:attack_attempt.java_code_injection) that trigger on the key used in the exploit (@appsec.triggers.rule_matches.parameters.key_path:class.module.classLoader.*).
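
The two conditions above, written as a small offline evaluator that can be run over exported events (an added example, not Datadog's rule implementation). The nested event layout, the function names, the `placeholder-rule` id, and applying the language filter to the backup condition are assumptions; the sample events are constructed.

```python
from fnmatch import fnmatchcase

JVM_LANGUAGES = {"jvm", "java"}
PRIMARY_RULE_ID = "dog-000-004"
BACKUP_ACTIVITY = "attack_attempt.java_code_injection"
BACKUP_KEY_GLOB = "class.module.classLoader.*"

def key_paths(trigger):
    """Yield matched parameter key paths as dotted strings (list or string input assumed)."""
    for match in trigger.get("rule_matches", []):
        for param in match.get("parameters", []):
            path = param.get("key_path", "")
            yield ".".join(map(str, path)) if isinstance(path, (list, tuple)) else str(path)

def classify(event):
    """Return 'primary', 'backup' or None; language filter assumed for both."""
    if str(event.get("language", "")).lower() not in JVM_LANGUAGES:
        return None
    appsec = event.get("appsec", {})
    triggers = appsec.get("triggers", [])
    if any(t.get("rule", {}).get("id") == PRIMARY_RULE_ID for t in triggers):
        return "primary"
    if appsec.get("security_activity") == BACKUP_ACTIVITY and any(
            fnmatchcase(p, BACKUP_KEY_GLOB) for t in triggers for p in key_paths(t)):
        return "backup"
    return None

def signals(events):
    """Group matching events per client IP into Medium-severity signals."""
    out = {}
    for ev in events:
        reason = classify(ev)
        if reason:
            sig = out.setdefault(ev.get("client_ip", "unknown"),
                                 {"severity": "medium", "reasons": set(), "count": 0})
            sig["reasons"].add(reason)
            sig["count"] += 1
    return out

def make_event(lang, ip, rule_id, activity=None, key_path=None):
    params = [{"key_path": key_path}] if key_path else []
    return {"language": lang, "client_ip": ip, "appsec": {"security_activity": activity,
            "triggers": [{"rule": {"id": rule_id}, "rule_matches": [{"parameters": params}]}]}}
SAMPLE_EVENTS = [  # constructed, not real telemetry; IPs are documentation ranges
    make_event("jvm", "203.0.113.7", "dog-000-004"),
    make_event("java", "203.0.113.7", "placeholder-rule", BACKUP_ACTIVITY, "class.module.classLoader.resources"),
    make_event("java", "198.51.100.9", "placeholder-rule", BACKUP_ACTIVITY, "user.name"),
    make_event("python", "198.51.100.9", "dog-000-004"),
]
```

`signals(SAMPLE_EVENTS)` returns one entry per source IP, which lines up with the per-IP blocking decision in the Response section.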

Response

Consider blocking the attacking IP(s) temporarily to prevent them from reaching deeper parts of your production systems.

Remediation

If you are using Spring Framework (v5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions) on JDK9+ and have packaged your application as a WAR on Apache Tomcat, there is a high chance that you are vulnerable and need to do one of the following:

  • Upgrade to Spring Framework v5.3.18 and v5.2.20
  • If you are unable to upgrade, Datadog recommends applying Spring’s workaround to mitigate the risk of an exploit