spring4shell-scanner
This scanner recursively scans paths, including archives, for Spring libraries and classes that are vulnerable to CVE-2022-22965 and CVE-2022-22963.
Currently the allow list defines the non-exploitable versions: spring-beans 5.3.18 and 5.2.20, and Spring Cloud Function Context 3.2.3.
Features
- scans recursively through nested archives (archives in archives in archives, to any depth)
- scans for known Spring libraries (by sha256 hash)
- scans for CachedIntrospectionResults.class files
- fast
- shows the related CVEs found, by version
- detects class files with different extensions (eg .ezclass)
- scans through all layers of local and remote Docker images
- binary versions available for Windows, Linux and macOS
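The nested-archive walk and the class-file detection from the feature list above, as an added Go example that is not the project's own code: it descends into jar/war/ear/zip entries at any depth and flags an entry when its base name is one of the two classes this README names and its bytes start with the JVM class-file magic, so a renamed .class (eg .ezclass) is still caught. The sha256 allow-list comparison is left out; ScanArchive and the archive extension set are assumptions.

```go
package main

import (
	"archive/zip"
	"bytes"
	"io"
	"path"
	"strings"
)

// JVM class-file magic; matching on bytes rather than extension catches renamed class files (eg .ezclass).
var classMagic = []byte{0xCA, 0xFE, 0xBA, 0xBE}

// Class names the README calls out: CachedIntrospectionResults (CVE-2022-22965), RoutingFunction (CVE-2022-22963).
var watched = map[string]bool{"CachedIntrospectionResults": true, "RoutingFunction": true}

// Container formats to descend into (assumed set; archives in archives in archives ...).
var archiveExt = map[string]bool{".jar": true, ".war": true, ".ear": true, ".zip": true}

// ScanArchive walks an in-memory zip, recursing into nested archives at any depth, and returns
// the "!"-joined paths of entries whose base name is watched and whose bytes start with classMagic.
func ScanArchive(label string, data []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		content, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		entry := label + "!" + f.Name
		if archiveExt[strings.ToLower(path.Ext(f.Name))] {
			nested, err := ScanArchive(entry, content) // recurse into the inner archive
			if err != nil {
				return nil, err
			}
			hits = append(hits, nested...)
			continue
		}
		base := strings.TrimSuffix(path.Base(f.Name), path.Ext(f.Name))
		if watched[base] && bytes.HasPrefix(content, classMagic) {
			hits = append(hits, entry)
		}
	}
	return hits, nil
}
```

Feed it the bytes of a jar, war or ear read from disk or from a Docker image layer; a non-archive entry that merely carries a watched name but lacks the class magic is not reported.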
References
| CVE | References |
|---|---|
| CVE-2022-22965 | https://tanzu.vmware.com/security/cve-2022-22965 |
| CVE-2022-22963 | https://tanzu.vmware.com/security/cve-2022-22963 |
Links
- https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html
- https://bugalert.org/content/notices/2022-03-29-spring.html
- https://websecured.io/blog/624411cf775ad17d72274d16/spring4shell-poc
- https://www.springcloud.io/post/2022-03/spring-0day-vulnerability
Scanning
Usage
Windows
$ spring4shell-scanner.exe {target-path}
Linux / OSX / FreeBSD
$ spring4shell-scanner {target-path}
Docker containers
The tool can also scan container images:
$ ./spring4shell-scanner scan-image logstash:7.16.1
or local images:
$ ./spring4shell-scanner scan-image --local {sha256|pattern}
$ ./spring4shell-scanner scan-image --local log4shell:latest
$ ./spring4shell-scanner scan-image --local 4949add9e671
# scan all local images
$ ./spring4shell-scanner scan-image --local
Patching
Usage
Windows
$ spring4shell-scanner.exe patch {target-path}
Linux / OSX / FreeBSD
$ spring4shell-scanner patch {target-path}
Build from source
Requirements:
For development
$ git clone "https://github.com/dtact/spring4shell-scanner.git"
$ go build -o ./.builds/spring4shell-scanner ./main.go
Copyright and license
Code and documentation copyright 2022 Remco Verhoef (DTACT).
Code released under the MIT license.
Included matching for CVE-2022-22963
DISCLAIMER: I have not done enough research to claim that this will include all vulnerable versions of Spring Cloud Functions.
Working assumptions have been:
The file RoutingFunction.class is the culprit that was patched recently [1]. It shows that a change + test was added to mitigate access to the Java runtime via HTTP headers. I pulled all versions from Maven central and scanned for .jar files that have the above file packaged.
[1] https://github.com/spring-cloud/spring-cloud-function/commit/03db9baee65ba0ddcd2c2cbc1f4ebc3646a6872e
Scan works, but output unworkable
The scanner seems to work just fine. However, the output this tool produces isn't really suitable for further processing:
1. --quiet parameter. It outputs thousands of lines, one for each file scanned. But I think most people are only interested in the actual vulnerable files. Of course you can pipe the output to a filter (i.e. filter on "[!]"), but then there's still the problem mentioned at point 4 below.
2. --json parameter doesn't seem to work. I still get the regular output.
3. --disable-colour parameter. So redirecting the output to a text file results in a non-plain text file.
I wanted to love this scanner, but in its current state I cannot recommend it.
Note: I tested the Windows version
Adding Logging to File of the findings
Currently the scanner sends its output to stdout (status + findings).
A scan job can output hundreds and hundreds of status lines ("Checked 33 files in 00h:00m:01s, average rate is: 1401 files/min"), as well as a lot of findings.
Findings will get lost when scanning big servers that output more than the console buffer holds.
Wish: