2026-01-24 22:00 (Last updated: 2026-02-10 09:01)
CVE-2022-22965: Spring4Shell Analysis
Executive Summary
CVE-2022-22965, dubbed Spring4Shell, is a critical RCE vulnerability in Spring Framework that affects applications running on Apache Tomcat. The vulnerability was disclosed on March 30, 2022, and received a CVSS score of 9.8 (Critical).
Unlike Log4Shell, this vulnerability requires specific conditions to exploit but is equally dangerous when applicable.
Technical Analysis
Vulnerability Mechanism
The vulnerability exists in Spring Framework’s data binding functionality. When using @RequestMapping handlers with POJO parameters, Spring binds request parameters to object properties. Under certain conditions, attackers can craft requests that:
- Overwrite server-side configuration files (particularly Tomcat web.xml)
- Deploy malicious JSP shells to the web root
- Achieve remote code execution
Exploitation Prerequisites
For exploitation, the following conditions must be met:
- Spring Framework 5.3.0-5.3.17 or 5.2.0-5.2.19
- Running on Apache Tomcat (JDK 9+)
- Using Spring's data binding with POJO parameters
- WAR deployment to Tomcat's webapps directory
Attack Vector
```http
POST /path/to/endpoint HTTP/1.1
Content-Type: application/x-www-form-urlencoded

class.module.classLoader.resources.context.parent.pipeline.first.pattern=
class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT
class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell
class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
```
Following this, a second request writes the JSP shell.
Detection Rules
Sigma Rule
```yaml
title: Spring4Shell Class Module Exploitation
id: 7f3a5b2c-9e4f-4c1d-8f7a-3c2a1b4d5e6f
status: stable
description: Detects Spring4Shell exploitation via class.module.classLoader parameters
author: f3dscr3w
date: 2022-03-31
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  product: webserver
  category: access_log
detection:
  selection:
    uri|contains: ".jsp"
    query|contains:
      - "class.module.classLoader"
      - "class.module.classLoader.resources.context.parent.pipeline"
  condition: selection
level: critical
```
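As an added example (not part of the original analysis), the same matching logic applied in Python to constructed Tomcat access-log lines: parameter names are percent-decoded before matching, so encoded variants of the property path are still caught, and only the query string is inspected because body parameters never reach the access log.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Property path abused by CVE-2022-22965: a bound parameter name that walks
# from the POJO into Tomcat's ClassLoader. Compared case-insensitively.
SUSPICIOUS_PATH = "class.module.classloader"

# Minimal parser for Tomcat's AccessLogValve "common"/"combined" pattern:
# %h %l %u %t "%r" %s %b ...   (only the fields needed here are captured)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def suspicious_params(target: str) -> list:
    """Return decoded names of query parameters that reach the ClassLoader."""
    # parse_qsl percent-decodes names, so "class%2Emodule%2EclassLoader..." is
    # caught although a raw substring match on the log line would miss it.
    # keep_blank_values matters: the exploit sends "...pattern=" with no value.
    query = urlsplit(target).query
    return [
        name
        for name, _value in parse_qsl(query, keep_blank_values=True)
        if SUSPICIOUS_PATH in name.lower()
    ]

def scan_access_log(lines):
    """Return (ip, method, path, [params]) for each matching request."""
    # Caveat: access logs record only the query string. Parameters sent in a
    # POST body need request-body logging or a WAF to be visible at all.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        hits = suspicious_params(m["target"])
        if hits:
            findings.append((m["ip"], m["method"], urlsplit(m["target"]).path, hits))
    return findings

# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Mar/2022:10:12:01 +0000] "GET /app/users?page=2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Mar/2022:10:12:09 +0000] "POST /app/users?class.module.classLoader'
    '.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 0',
    '198.51.100.7 - - [30/Mar/2022:10:12:10 +0000] "POST /app/users?class%2Emodule%2EclassLoader'
    '.resources.context.parent.pipeline.first.directory=webapps/ROOT HTTP/1.1" 200 0',
]
```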
YARA Rule
```yara
rule spring4shell_exploitation {
    meta:
        description = "Detects Spring4Shell exploitation attempts"
        author = "f3dscr3w"
        date = "2022-03-31"
    strings:
        $class_module = "class.module.classLoader" nocase
        $pipeline = "parent.pipeline.first" nocase
        $pattern_suffix = ".pattern=" nocase
    condition:
        // every declared string must be referenced, otherwise YARA refuses to compile the rule
        $class_module and ($pipeline or $pattern_suffix)
}
```
IoCs
Request Patterns
| Indicator | Type |
|---|---|
| class.module.classLoader.resources.context.parent.pipeline.first.pattern | Parameter |
| class.module.classLoader.resources.context.parent.pipeline.first.suffix | Parameter |
| class.module.classLoader.resources.context.parent.pipeline.first.directory | Parameter |
Post-Exploitation
- JSP files in unexpected locations
- New files in webapps/ROOT/ or other webapp directories
- Unusual process execution from the Tomcat user
Mitigations
Patching
Upgrade to Spring Framework:
- 5.3.18+ for the 5.3.x branch
- 5.2.20+ for the 5.2.x branch
- 5.1.20+ for 5.1.x (EOL, but patches available)
Workarounds (if patching not immediately possible)
- Use older Tomcat versions (not recommended; this is security by obscurity)
- Restrict HTTP request parameter binding via @InitBinder disallowed fields:

  ```java
  import org.springframework.web.bind.WebDataBinder;
  import org.springframework.web.bind.annotation.InitBinder;

  // Place in the affected controller, or in a @ControllerAdvice to cover all controllers.
  // "Class.*" is included as well, matching the denylist in Spring's own advisory.
  @InitBinder
  protected void initBinder(WebDataBinder binder) {
      binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
  }
  ```
- RASP (Runtime Application Self-Protection) solutions
Timeline
| Date | Event |
|---|---|
| 2022-03-28 | Vulnerability reported to VMware (Spring owner) |
| 2022-03-30 | Public disclosure and PoC exploits |
| 2022-03-31 | Emergency patches released |
| 2022-04-01 | WAF rules and additional mitigations published |
| 2022-04-07 | Spring Framework 5.3.18/5.2.20 released |