BugAlertDotOrg / bugalert

MIT License

Vulnerability: Spring (Possible RCE in Spring Core) #43

Status: Closed (sullivanmatt closed this 2 years ago)

sullivanmatt commented 2 years ago

@mattlorimor for review

Thelvaen commented 2 years ago

It might be a bit too late for the mails that have already gone out, but the link to the GitHub discussion has a log4j filter in the title.

Nicklas2751 commented 2 years ago

mp911de denied it on the JVM Germany Slack: [screenshot attached: Bildschirmfoto 2022-03-30 um 12 11 25]

malexmave commented 2 years ago

There is an alleged PoC which was added to GitHub and later removed again (diff of the removal: https://github.com/helloexp/0day/commit/05dbe251efcf51e9e3e0a9c841e2c18dbd619403). I do not have the Java expertise to reproduce it, and have not seen anyone except the author claim that it actually works, but afaik it is the only known claimed proof of concept of this alleged vulnerability. Leaving this here in case someone with more expertise wants to check it out and comment on it. Edit: Hmm, now the entire repository with the alleged PoC is gone. O.o

Thelvaen commented 2 years ago

The repo has been removed.

malexmave commented 2 years ago

You can find the exploit here: https://share.vx-underground.org/ (password for the 7z: "infected"; the archive contains the information from the vanished repo). The demo repo it targets is this one: https://github.com/fengguangbin/spring-rce-war. Someone claims on Twitter that it works: https://twitter.com/steventseeley/status/1509189403817693188

sullivanmatt commented 2 years ago

I am checking against another spring boot application I have the code for before sounding the alarm officially.

malexmave commented 2 years ago

Since the new place the PoC is hosted does not have the PDFs that went with the exploit, I reuploaded them here so that you can see the author's writeup, the original in Chinese and a version translated to English using Google Translate.

Attachments: 漏洞分析-translated-en.pdf, 漏洞分析.pdf (漏洞分析 = "vulnerability analysis")

mattlorimor commented 2 years ago

The current state seems to be that we have this PoC that we're unable to utilize to exploit Spring applications we have access to, but we are not willing to declare that there isn't an issue present because:

That sound correct, @sullivanmatt?

malexmave commented 2 years ago

Just to add: Praetorian Labs also claims to have reproduced and weaponized the exploit and to be working on a writeup.

mattlorimor commented 2 years ago

> Just to add: Praetorian Labs also claims to have reproduced and weaponized the exploit and to be working on a writeup.

[image attached]

sullivanmatt commented 2 years ago

Closing discussion here now that we've got confirmation this issue is real. Continue at https://github.com/BugAlertDotOrg/bugalert/pull/46