Imperva Cyber Community

  • 1.  About Spring-framework 0 day RCE

    Posted 03-30-2022 04:37
    Edited by Sarah Lamont 03-30-2022 11:28
    Hi team,

    A spring-framework 0day RCE vulnerability was recently reported.
    Link:
    https://github.com/spring-projects/spring-framework/commit/7f7fb58dd0dae86d22268a4b59ac7c72a6c22529

    Can existing rules / patterns of SecureSphere protect against this Spring 0-day vulnerability?



    ------------------------------
    Wenxuan Ma
    Engineer
    SHANGHAI
    ------------------------------


  • 2.  RE: About Spring-framework 0 day RCE
    Best Answer

    Posted 03-30-2022 09:22
    Edited by Wenxuan Ma 03-31-2022 09:26

    Hi Wenxuan,

    Thanks for the post. I spoke to Daniel Johnston from our Threat Research team, who are working on this vulnerability. Here is his update:

    As far as we are aware from the information available, there are two separate RCE vulnerabilities relating to the Spring Framework.

    The first relates to the Spring Cloud module, and is now being tracked under CVE ID CVE-2022-22963. From the information available it appears that the exploits are blocked OOTB by both Cloud WAF and On-Prem WAF; however, we are continuing to monitor closely.

    The second relates to Spring Core, and as yet is not being tracked by a CVE. There is still little information available; however, from our initial analysis we believe that this will be blocked out of the box by our existing Java deserialization ruleset. We are continuing to monitor the situation closely as it unfolds.

    I hope this helps. I will update as I have more info. 

    In the meantime, you may find this webinar interesting. It looks at how our Threat Research and Support teams work together to protect our customers and provides tips on steps you can take to keep on top of the information we push out on the subject. Daniel Johnston and Stefan Pynappels are the presenters...
    Webinar Recording: Log4j, Imperva and You

    Thanks,



    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 3.  RE: About Spring-framework 0 day RCE

    Posted 03-31-2022 06:34
    Hi Sarah,

    Do you have any updates since your last post? Our customers who use WAF ask about this often.

    ------------------------------
    Ahmet Ufuk Culfa
    Cyber Security Specialist
    Secure Future
    Istanbul
    ------------------------------



  • 4.  RE: About Spring-framework 0 day RCE

    Posted 03-31-2022 06:52

    Hi Ahmet,

    I have requested an update from our Threat Research team and will update ASAP.

    My understanding is that the Java zero-day called "SpringShell" is blocked by On-prem WAF, Cloud WAF and RASP by default, so no rule changes or policies are required. However, the team continue to monitor this so do keep checking in with this thread.

    I understand the team are working on a communication on this.

    Thanks,



    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 5.  RE: About Spring-framework 0 day RCE

    Posted 03-31-2022 07:18
    Hi Sarah,

    Glad to know that the SpringShell is blocked by default!

    Going further, we have customers who would like to know which default security policy / signature is blocking the payload, or what alert is raised when the payload arrives at the WAF.
    With this information, they can closely monitor the situation and have proof that the payload is indeed blocked by their WAF.

    Would you be able to get us some policy name / signature name / alert name / etc. for reference?

    Thank you very much.

    ------------------------------
    Louis Tsoi
    Associate Consultant
    Cyberforce Limited
    ------------------------------



  • 6.  RE: About Spring-framework 0 day RCE

    Posted 04-02-2022 03:24
    Based on the features published by Imperva, you can search on a SIEM (e.g. Splunk) using: index=waf "class.module.classLoader.resources.context.parent.pipeline.first"

    ------------------------------
    Yingfan Qiu
    Sales Engineer
    Shenzhen,China
    ------------------------------
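The SIEM search in the post above looks for the data-binding property path that the CVE-2022-22965 proof of concept abuses. Below is an added example (not Imperva's code and not from any poster) that runs the same kind of indicator check over constructed access-log lines, URL-decoding each request target twice before matching so that percent-encoded variants such as `class%2Emodule%2EclassLoader` are not missed. The log format, the sample lines and the IP addresses are constructed for illustration.

```python
"""Scan constructed web-server log lines for the Spring4Shell (CVE-2022-22965)
property-path indicators discussed in the thread.

Added example, not Imperva or Spring code. The log format and the sample lines
below are constructed for illustration; they are not captured traffic.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Indicator fragments, compared in lowercase:
#  - the class.module.classLoader data-binding path the vulnerability abuses
#  - the Tomcat AccessLogValve fields (resources.context.parent.pipeline.first.*)
#    that the public proof of concept sets in order to write a JSP file
INDICATORS = (
    "class.module.classloader",
    "resources.context.parent.pipeline.first",
)

# Constructed sample lines in a simplified combined-log style.
SAMPLE_LOGS = [
    '10.0.0.5 - - [31/Mar/2022:12:27:01 +0000] "POST /app/?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di HTTP/1.1" 200',
    '10.0.0.5 - - [31/Mar/2022:12:27:02 +0000] "POST /app/?class%2Emodule%2EclassLoader%2Eresources%2Econtext%2Eparent%2Epipeline%2Efirst%2Esuffix=.jsp HTTP/1.1" 200',
    '10.0.0.9 - - [31/Mar/2022:12:30:00 +0000] "GET /app/?name=alice&class=first HTTP/1.1" 200',
    '10.0.0.7 - - [31/Mar/2022:12:31:00 +0000] "GET /health HTTP/1.1" 200',
]

# Extracts the request line: method, target (path + query string), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize(target: str) -> str:
    """URL-decode the request target twice (double encoding is a common WAF
    evasion) and lowercase it so indicator matching is case-insensitive."""
    return unquote(unquote(target)).lower()


def find_indicators(line: str) -> list[str]:
    """Return the indicator fragments present in one log line's request target."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = normalize(m.group("target"))
    return [ind for ind in INDICATORS if ind in target]


def scan(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Return (line_index, client_ip, indicators) for every matching line."""
    hits: list[tuple[int, str, list[str]]] = []
    for i, line in enumerate(lines):
        found = find_indicators(line)
        if found:
            client_ip = line.split(" ", 1)[0]
            hits.append((i, client_ip, found))
    return hits


if __name__ == "__main__":
    for idx, ip, found in scan(SAMPLE_LOGS):
        print(f"line {idx}: {ip} -> {', '.join(found)}")
```

One caveat when applying this to real data: the public exploit sends the property paths as POST form parameters, and an ordinary access log records only the request line, not the body. A search like the one above therefore catches query-string payloads; for body payloads you need a log source that records the parameters the WAF actually inspected.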



  • 7.  RE: About Spring-framework 0 day RCE

    Posted 03-31-2022 12:27
    Edited by Seb Man 03-31-2022 12:31
    I'm not so sure about this. I posted the payload as given on the Rapid7 website, and it was not blocked completely (see below for my test). Which policy should block this?

    These are the alerts that trigger:



    ------------------------------
    Seb Man
    Security Engineer
    Brussels
    ------------------------------



  • 8.  RE: About Spring-framework 0 day RCE

    Posted 03-31-2022 17:38

    Hi All,
    Thanks for your patience. Keep an eye on this blog post for the official update from Imperva. This post will be updated:

    Imperva Protects from New Spring Framework Zero-Day Vulnerabilities | Imperva



    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 9.  RE: About Spring-framework 0 day RCE

    Posted 04-01-2022 07:00

    Hi All

    Manual Mitigation steps are now available here:

    Manual Mitigation for CVE-2022-22963 and CVE-2022-22965 - Spring Framework Vulnerabilities (imperva.com)

    I hope this helps @Seb Man @Louis Tsoi @Ahmet Ufuk Culfa @Wenxuan Ma

    Let us know how it goes.


    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------