
SpringShell: What Should I Do Next?

As most everyone knows, the investigation into the recently announced SpringShell remote code execution (RCE) vulnerability, CVE-2022-22965, is under way. The point of this post is not to re-analyze the SpringShell issue itself so much as to look at the preemptive actions you can take when an RCE of this kind is announced.

Plenty of blogs and articles have already been written about the incident, so here I am sharing how to pivot if the details used to identify SpringShell change. No one wants to restart an investigation because new details are published, so here is how to address the current issue as well as other potential risks that come to light.

Current Information from SpringShell

Spring's early announcement on this RCE vulnerability, originally published on March 31st, has been updated 11 times with additional information as of April 6th. As more information and testing comes in, the specific details are clearly changing fast. What is the best way to investigate the known but prepare for the unknown?

Application Security Posture Management (ASPM) and Your Investigation

As soon as the news broke on the SpringShell RCE, the research team at Bionic started reaching out to our customers to help with the investigation based on what was known at the time.

The Criteria for SpringShell:

Per Spring's announcement, an application is affected when it meets all of the following: it runs on JDK 9 or higher; it uses Apache Tomcat as the servlet container; it is packaged as a traditional WAR rather than a Spring Boot executable jar; it has a spring-webmvc or spring-webflux dependency; and it uses Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or an older version (the fixes are 5.3.18 and 5.2.20).

How ASPM Identifies the Criteria:

If an application is being managed by Bionic's ASPM platform, a simple dynamic query (dQuery) of the managed application's dynamic bill of materials (dBOM) database will identify every instance where a vulnerable Spring framework exists, with granular details. Note that the queries below exclude only the exact fixed versions published at the time (5.3.18 and 5.2.20); as further patched releases ship, the exclusion list has to grow, or the query will start reporting patched services as vulnerable.

Bionic dQuery to find the vulnerable Spring RCE frameworks:

in:services and libraries:((name:"*spring-webmvc*" or name:"*spring-webflux*") and not((version:"*5.3.18*" or version:"*5.2.20*")))


Bionic dQuery to find the vulnerable Spring frameworks together with the Tomcat and JDK requirements (Tomcat as the servlet container and a JDK newer than 8, which reports its version as 1.8):

in:services and technology:"*tomcat*" and not(engineVersion:"*1.8*") and libraries:((name:"*spring-webmvc*" or name:"*spring-webflux*") and not((version:"*5.3.18*" or version:"*5.2.20*")))

Prepare to Pivot with Potential SpringShell Changes

As mentioned previously, Spring has updated its early announcement 11 times since the original release, so updates and changes are clearly still happening. A direct quote from the announcement reads: "However, the nature of the vulnerability is more general, and there may be other ways to exploit it." Based on this quote, let's put a hypothetical use case together.

Hypothetical Use Case

To avoid creating any false news, I am going to reference a fake framework named "BAD-DOG". The last thing I want is to say that a real framework is now part of the Spring RCE issue, which would cause major confusion. The framework BAD-DOG has versions 1.0 and 2.0, and version 1.0 is the only version affected. How do investigation teams address this new information? The most logical way is to start searching for all instances of BAD-DOG version 1.0, and a ton more time and resources are about to be used.

Bionic ASPM is Built to Adapt

Since the application is already being managed by Bionic's ASPM platform, a simple adjustment to the query above lets you immediately identify how and where BAD-DOG version 1.0 exists, so you do not have to restart the investigation from the beginning.

Bionic dQuery to find SpringShell with BAD-DOG version 1.0 added:

in:services and technology:"*tomcat*" and not(engineVersion:"*1.8*") and libraries:((name:"*spring-webmvc*" or name:"*spring-webflux*" or name:"*BAD-DOG*") and not((version:"*5.3.18*" or version:"*5.2.20*" or version:"*2.0*")))
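The two dQueries above and the BAD-DOG pivot, as an added example in Python that is not part of this post and not Bionic's dQuery: it evaluates the announcement's criteria against a constructed inventory of services, compares versions numerically instead of excluding exact version strings (so a later patched release such as 5.3.19 is not reported), and keeps the affected frameworks in a rule table so the pivot is one added entry rather than a rewritten query. The Service class, the inventory and the rule tables are hypothetical; the "bad-dog" rule encodes the use case above (1.0 affected, 2.0 not).

```python
# Added example (not Bionic's dQuery): apply the SpringShell criteria from
# Spring's announcement to a service inventory with numeric version comparison,
# and pivot by adding a rule instead of rewriting the query.
import re
from dataclasses import dataclass


@dataclass
class Service:  # hypothetical inventory record
    name: str
    technology: str      # servlet container reported at runtime, e.g. "tomcat"
    engine_version: str  # JDK version string, e.g. "1.8.0_322" (JDK 8) or "11.0.14"
    packaging: str       # "war" or "jar"
    libraries: dict      # library name -> version string


def parse_version(text):
    """'5.3.17', '5.3.18.RELEASE' or '1.8.0_322' -> 3-tuple of ints, zero-padded."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def jdk_major(text):
    """JDK 8 and older report '1.x.y'; JDK 9+ report 'x.y.z'. Returns the major release."""
    v = parse_version(text)
    return v[1] if v[0] == 1 else v[0]


def library_affected(version, fixed_versions):
    """True when `version` is below the fix on its own major.minor line, or below
    every fix line (the announcement lists older versions as affected too).
    Releases after the fix on a line, e.g. 5.3.19, are reported as patched."""
    v = parse_version(version)
    for fixed in fixed_versions:
        if v[:2] == fixed[:2]:
            return v < fixed
    return v < min(fixed_versions)


# Rule table: substring of the library name -> fixed versions per release line.
# Spring's announcement: 5.3.x fixed in 5.3.18, 5.2.x fixed in 5.2.20.
RULES = {
    "spring-webmvc": [(5, 3, 18), (5, 2, 20)],
    "spring-webflux": [(5, 3, 18), (5, 2, 20)],
}

# The pivot for the hypothetical BAD-DOG framework: 1.0 affected, 2.0 fixed.
PIVOT_RULES = dict(RULES, **{"bad-dog": [(2, 0, 0)]})


def assess(service, rules=RULES):
    """Classify one service.
    'exposed'      vulnerable library present and all known preconditions met
    'library-only' vulnerable library present but a precondition (Tomcat, JDK 9+,
                   WAR) is not met; kept in scope because the announcement warned
                   that other ways to exploit the flaw may exist
    'clear'        no library matched by the rule table
    Returns (status, [(library, version), ...])."""
    hits = [(lib, ver)
            for lib, ver in service.libraries.items()
            for pattern, fixed in rules.items()
            if pattern in lib.lower() and library_affected(ver, fixed)]
    if not hits:
        return "clear", hits
    preconditions = (service.technology.lower() == "tomcat"
                     and jdk_major(service.engine_version) >= 9
                     and service.packaging.lower() == "war")
    return ("exposed" if preconditions else "library-only"), hits


def triage(inventory, rules=RULES):
    """Run assess() over the whole inventory: service name -> (status, hits)."""
    return {s.name: assess(s, rules) for s in inventory}


# Constructed sample inventory (hypothetical services, not real data).
INVENTORY = [
    Service("orders", "tomcat", "11.0.14", "war", {"spring-webmvc": "5.3.17", "spring-core": "5.3.17"}),
    Service("billing", "tomcat", "11.0.14", "war", {"spring-webmvc": "5.3.19"}),   # patched after 5.3.18
    Service("legacy", "tomcat", "1.8.0_322", "war", {"spring-webmvc": "5.2.12"}),  # JDK 8: precondition unmet
    Service("gateway", "jetty", "17.0.2", "jar", {"spring-webflux": "5.3.16"}),    # not Tomcat, not WAR
    Service("reports", "tomcat", "17.0.2", "war", {"BAD-DOG": "1.0"}),             # hypothetical framework
]

if __name__ == "__main__":
    for label, rules in (("initial criteria", RULES), ("after BAD-DOG pivot", PIVOT_RULES)):
        print(f"== {label}")
        for name, (status, hits) in triage(INVENTORY, rules).items():
            print(f"{name:8} {status:13} {hits}")
```

The "library-only" tier is deliberate: a service on Jetty or JDK 8 with a vulnerable spring-webmvc is not confirmed exploitable under the published criteria, but the announcement's own wording means it should stay on the list rather than be filtered out.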

See how simple it is to pivot with ASPM and review your architecture? One caution when extending the query this way: the version exclusions apply to every library in the list, so a wildcard such as "*2.0*" also matches Spring versions like 5.2.0, which are vulnerable. Keep each framework's version clause scoped to that framework's name so the pivot does not hide findings you already had.

(Figure: Bionic's map of the application architecture in production.)

Final Thoughts and Next Steps

When new vulnerabilities are announced, it takes a lot of time just to identify whether you are affected, and if you are, you still have to prioritize remediation. Instead of starting your investigation over each time new information comes out, build out your ASPM framework.

ASPM not only helps you find and prioritize the issue but also prevents the need to restart an investigation when additional information is published. If you’re unsure how to begin setting up a solid ASPM framework, reach out, we’ll help you get started. 

