Detection: Spring4Shell Vulnerability
Overview
Detect when a web server received requests containing Spring4Shell exploitation patterns (CVE-2022-22965). This detection focuses on identifying attempts to exploit a critical remote code execution vulnerability in the Spring Framework, commonly known as Spring4Shell.
The Spring4Shell vulnerability affects Spring Core and allows attackers to execute arbitrary code on vulnerable systems. The vulnerability exists in the way Spring Framework handles class loading and property binding. When an attacker creates a specially crafted request to a Spring application using specific class-loading expressions, they can bypass protections and execute arbitrary code on the server.
This detection identifies multiple Spring4Shell attack patterns by scanning for malicious class-loading payloads in HTTP request URIs and User-Agent headers. These patterns include direct references to class loaders and application contexts that enable code execution, such as class.module.classLoader.resources.context.parent.pipeline and springframework.context.support.FileSystemXmlApplicationContext. The detection also accounts for URL-encoded variants of these payloads, which are common evasion techniques.
When this detection triggers, security teams should immediately verify which systems were targeted and whether they are running vulnerable versions of Spring Framework, isolate affected systems where possible, apply available patches to update Spring Framework to secure versions (Spring Framework 5.3.18+ or 5.2.20+), implement web application firewall rules to block Spring4Shell exploitation patterns, and enhance logging to identify potential compromises. This detection may occasionally trigger false positives on systems using legitimate Spring Framework functionality, particularly in development environments where debugging information can contain similar patterns.
Usage
Run the detection in your terminal:
powerpipe detection run apache_access_log_detections.detection.spring4shell_vulnerability
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe detection run apache_access_log_detections.detection.spring4shell_vulnerability --share
SQL
This detection uses a named query:
select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  request_uri is not null
  and (
    -- Class pattern indicators
    request_uri ilike '%class.module.classLoader%'
    or request_uri ilike '%class.classLoader%'
    or request_uri ilike '%ClassLoader%'
    -- Property access patterns
    or request_uri ilike '%?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%'
    or request_uri ilike '%?class.module.classLoader.resources.context.parent.pipeline.first.suffix=%'
    or request_uri ilike '%?class.module.classLoader.resources.context.parent.pipeline.first.directory=%'
    or request_uri ilike '%?class.module.classLoader.resources.context.parent.pipeline.first.prefix=%'
    or request_uri ilike '%?class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=%'
    -- URL encoded variants
    or request_uri ilike '%class%2Emodule%2EclassLoader%'
    or request_uri ilike '%tomcatwar.jsp%'
    -- Common payloads
    or request_uri ilike '%Pattern=%25%7Bc2%7Di%'
    or request_uri ilike '%class.module.classLoader.DefaultAssertionStatus%'
  )
order by
  tp_timestamp desc;
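The same indicator checks as the named query, as an added Python example that is not part of the page's detection mod, run over constructed Apache combined-log lines. The log regex, the sample lines and the placeholder payload values are assumptions; the example goes slightly beyond the SQL by percent-decoding the URI before matching, so encodings other than the listed %2E variant are also caught.

```python
import re
from urllib.parse import unquote

# Apache combined log format (constructed regex for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Case-insensitive substrings mirroring the detection's ilike patterns (lowercased).
INDICATORS = [
    "class.module.classloader",
    "class.classloader",
    "classloader",
    "class%2emodule%2eclassloader",
    "tomcatwar.jsp",
    "pattern=%25%7bc2%7di",
    "class.module.classloader.defaultassertionstatus",
]

def matched_indicator(uri):
    """Return the first indicator found in the URI, checking both the raw form
    and a percent-decoded form so other encodings of the same payload are caught."""
    candidates = {uri.lower(), unquote(uri).lower()}
    for ind in INDICATORS:
        if any(ind in c for c in candidates):
            return ind
    return None

def detect(lines):
    """Return (timestamp, source_ip, uri, indicator) for each line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ind = matched_indicator(m["uri"])
        if ind:
            hits.append((m["ts"], m["ip"], m["uri"], ind))
    return hits

# Constructed sample log lines (not real traffic); payload values are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [31/Mar/2022:10:01:03 +0000] "POST /app/?class.module.classLoader.resources.context.parent.pipeline.first.pattern=PLACEHOLDER HTTP/1.1" 200 0 "-" "curl/7.79"',
    '203.0.113.9 - - [31/Mar/2022:10:01:04 +0000] "GET /app/?class%2emodule%2eclassLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

Note that in the named query the `%` characters inside `'%Pattern=%25%7Bc2%7Di%'` and `'%class%2Emodule%2EclassLoader%'` are LIKE wildcards, so the SQL matches a superset of those literal substrings, whereas this example checks the literal strings.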