Hi Sarah,
Glad to know that the SpringShell is blocked by default!
Going further, we have customers who would like to know which default security policy / signature is blocking the payload, or what alert is being raised when the payload arrives at the WAF.
With this information, they can closely monitor the situation and have proof that the payload is indeed blocked by their WAF.
Would you be able to get us some policy name / signature name / alert name / etc. for reference?
Thank you very much.
------------------------------
Louis Tsoi
Associate Consultant
Cyberforce Limited
------------------------------
Original Message:
Sent: 03-31-2022 06:52
From: Sarah Lamont(csp)
Subject: About Spring-framework 0 day RCE
Hi Ahmet,
I have requested an update from our Threat Research team and will update ASAP.
My understanding is that the Java zero-day called "SpringShell" is blocked by On-prem WAF, Cloud WAF and RASP by default, so no rule changes or policies are required. However, the team continue to monitor this so do keep checking in with this thread.
I understand the team are working on a communication on this.
Thanks,
------------------------------
Sarah Lamont(csp)
Digital Community Manager
Original Message:
Sent: 03-31-2022 06:22
From: Ahmet Ufuk Culfa
Subject: About Spring-framework 0 day RCE
Hi Sarah,
Since your last update, do you have any updates? Our customers who use WAF often ask.
------------------------------
Ahmet Ufuk Culfa
Cyber Security Specialist
Secure Future
Istanbul
Original Message:
Sent: 03-30-2022 09:22
From: Sarah Lamont(csp)
Subject: About Spring-framework 0 day RCE
Hi Wenxuan,
Thanks for the post. I spoke to Daniel Johnston from our Threat Research team, who are working on this vulnerability. Here is his update:
As far as we are aware from the information available, there are two separate RCE vulnerabilities relating to the Spring framework.
The first relates to the Spring Cloud module, and is now being tracked under CVE ID: CVE-2022-22963. From the information available it appears that the exploits are blocked OOTB by both Cloud WAF and On-Prem WAF; however, we are continuing to monitor closely.
The second relates to Spring Core, and as yet is not being tracked by a CVE. There is still little information available; however, from our initial analysis we believe that this will be blocked out of the box by our existing Java deserialization ruleset. We are continuing to monitor the situation closely as it unfolds.
I hope this helps. I will update as I have more info.
In the meantime, you may find this webinar interesting. It looks at how our Threat Research and Support teams work together to protect our customers and provides tips on steps you can take to keep on top of the information we push out on the subject. Daniel Johnston and Stefan Pynappels are the presenters...
Webinar Recording: Log4j, Imperva and You
Thanks,
------------------------------
Sarah Lamont(csp)
Digital Community Manager
Original Message:
Sent: 03-30-2022 04:27
From: Wenxuan Ma
Subject: About Spring-framework 0 day RCE
Hi team,
A spring-framework 0day RCE vulnerability was recently reported.
Link:
https://github.com/spring-projects/spring-framework/commit/7f7fb58dd0dae86d22268a4b59ac7c72a6c22529
Can existing rules / patterns of SecureSphere protect against this Spring 0day vulnerability?
#AllImperva
------------------------------
Wenxuan Ma
Engineer
SHANGHAI
------------------------------