Issued: 7th April 2022
Last week, we informed customers of a critical CVE, published on 2022-03-30, in Spring Framework, specifically spring-mvc and spring-webflux, now commonly referred to as Spring4Shell. Spring released an update advising companies impacted by Spring4Shell to apply the latest patch version, 5.3.18+ or 5.2.20+, in order to mitigate the vulnerability. Please ensure you update to the latest patch version 5.3.18+.
For more information about Spring4Shell as published by VMware, reference CVE-2022-22965.
Updates from Contrast
Vulnerable applications using Contrast Protect are protected against known exploits including Spring4Shell.
Contrast hosted (SaaS), Contrast on-premises (EOP) and Contrast HUB are not susceptible to this exploit. However, as a precaution we will be updating our libraries to the latest versions and will let customers know once released. Upgrading is not required.
New Rule Added to Contrast Protect. A new rule, Class Loader Manipulation, has been added to Contrast Protect to provide additional hardening against exploits of vulnerabilities like Spring4Shell. The rule guards against attempts to gain access to and manipulate a class loader. Manipulating a class loader is a common way attackers exploit the reflective code paths in expression language injection and mass assignment vulnerabilities to escalate to remote code execution.
To use the new rule, Protect customers will need to upgrade to Java agent v3.12.0.25978+. The rule runs in Monitor mode by default so that customers can test it in their environment before moving to Block mode. Details on how to configure the Contrast Protect policy can be found on our Set Protect rules documentation page.
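The class-loader path described above is reached through data binding: request parameter names are interpreted as nested bean-property paths, and a path whose segments pass through `class` or `classLoader` lets reflection walk from an ordinary form object into the class loader. The following is an added illustration of that check, not Contrast's rule or Spring's own code: a small, self-contained Java guard that inspects property paths before binding and rejects any whose segments reach a Class or ClassLoader object. The blocked-segment list and the sample parameter names are constructed for this example.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Illustrative guard (not Contrast's Class Loader Manipulation rule):
 * reject bean-property paths submitted by a client that would reach a
 * Class or ClassLoader through nested property traversal, e.g.
 * "class.classLoader.someProperty". Segments are compared
 * case-insensitively because bean-property resolution tolerates "Class".
 */
public final class ClassLoaderPathGuard {

    // Property-path segments that expose a Class or ClassLoader object.
    // Constructed list for this example, not a Spring or Contrast constant.
    private static final List<String> BLOCKED_SEGMENTS =
        List.of("class", "classloader");

    // Strips indexed or mapped suffixes such as "[0]" or "[key]" from a segment,
    // so "items[0].class" is still caught on its "class" segment.
    private static final Pattern INDEX_SUFFIX = Pattern.compile("\\[[^\\]]*\\]");

    /** Returns true when the path should be refused for data binding. */
    public static boolean isDisallowedPropertyPath(String path) {
        if (path == null || path.isEmpty()) {
            return false;
        }
        for (String rawSegment : path.split("\\.")) {
            String segment = INDEX_SUFFIX.matcher(rawSegment)
                                         .replaceAll("")
                                         .toLowerCase(Locale.ROOT);
            if (BLOCKED_SEGMENTS.contains(segment)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample parameter names, as an HTML form might submit them.
        String[] samples = {
            "name",
            "address.city",
            "items[0].price",
            "class.classLoader.someProperty",
            "Class.ClassLoader.x",
            "owner.class.protectionDomain"
        };
        for (String s : samples) {
            System.out.printf("%-32s %s%n", s,
                isDisallowedPropertyPath(s)
                    ? "BLOCK (log the request and skip binding)"
                    : "allow");
        }
    }
}
```

In Monitor mode the equivalent production check would only log the matching parameter name; in Block mode it would refuse to bind it. Running the check on the full parameter name before any reflective property access is what makes the difference, since by the time a setter on the class loader has been invoked the damage is done.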
Contrast Reference Guides
We have published a communication to our Support Portal letting customers know we are researching the implications, and we will let them know exactly how they can fix this issue in their systems.
For more information on what we know now, reference our blog post by David Lindner, Contrast CISO, and Arshan Dabirsiaghi, Contrast Chief Scientist.
Contrast will continue to monitor the situation with Spring4Shell. The security of our customers is of utmost importance to us. If you have any questions, concerns, or would like to discuss this issue further, please don’t hesitate to reach out to us at support@contrastsecurity.com.