Friends of OpenJDK Today

Spring Remote Code Execution Vulnerability

March 31, 2022

Author(s)

  • Avatar photo
    Shai Almog

    Author, DevRel, Blogger, Open Source Hacker, Java Rockstar, Conference Speaker, Instructor and Entrepreneur.

I'd like to start by saying that I'm not a security expert. I also won't link to the exploit. This is a very fresh take on a new vulnerability but there's already confirmation from Sonatype. The current exploit seems to be limited to Spring on top of Tomcat but it probably can be adapted since the underlying vulnerability seems general enough.

The vulnerability only impacts Java 9 or newer so if you have an older version you should be safe from this specific exploit.

The core problem is a regression related to an old RCE which was fixed here.

The problem is that the Java 9 module system increased the surface area. So the original fix for the RCE is no longer sufficient.

Workaround

This is actually pretty simple... Cyber Kendra included a solution and it was also mentioned by Praetorian. It seems like a prudent thing to add and I suggest you incorporate it as soon as possible!

Detection

If you have Lightrun in your servers you can instantly detect if this is exploited by placing a snapshot in the BeanWrapperImpl class as I explain in this twitter video.

Topics:

Related Articles

View All

Author(s)

  • Avatar photo
    Shai Almog

    Author, DevRel, Blogger, Open Source Hacker, Java Rockstar, Conference Speaker, Instructor and Entrepreneur.

Comments (0)

Your email address will not be published. Required fields are marked *

Highlight your code snippets using [code lang="language name"] shortcode. Just insert your code between opening and closing tag: [code lang="java"] code [/code]. Or specify another language.

Save my name, email, and website in this browser for the next time I comment.

Subscribe to foojay updates:

https://foojay.io/feed/
Copied to the clipboard