Following the announcement of Spring4Shell, the latest zero-day security issue that takes advantage of a vulnerability in a widely adopted application framework for Java – the Spring Framework, on March 30th Contrast has added additional hardening to protect customers. Contrast Protect now includes a new rule designed to further safeguard against the exploit used in Spring4Shell and similar past and future exploits. The new Protect rule, named Class Loader Manipulation, denies attackers access to application class loaders thus denying them an important vector for escalating attacks to remote code exploitation (RCE). The rule is available in Contrast Java agents version 220.127.116.11978 and later.
To help answer any questions you may have about the new Class Loader Manipulation rule, Contrast has put together a comprehensive Q&A below:
- What Is Class Loader Manipulation?
- How Does This Rule Better Protect Contrast Users?
- How Does Protect Block Class Loader Manipulation?
- Why Beta?
- What are the Risks?
- When Is this available to Enterprise On-Premise Users?
What Is Class Loader Manipulation?
As seen in CVE-2022-22965 (Spring4Shell) and CVE-2014-0114 (Apache Struts ClassLoader manipulation), attackers manipulate an application’s class loader as a means to escalate their attacks to RCE. In the Spring4Shell exploit that started circulating the web on day-zero, attackers exploited the vulnerability to gain access to Tomcat’s class loader. Once the attacker can manipulate the class loader, they can change Tomcat’s behavior to create a web shell through which the attacker can execute commands remotely. In similar past exploits, attackers manipulate an application’s class loader such that the class loader loads malicious code from a URL the attacker controls. In either case, the attacker’s manipulation of the application’s class loader is a key step to escalating their attacks to RCE.
How Does This Rule Better Protect Contrast Users?
Recall the following excerpt from our blog post New Spring4Shell Zero-Day Vulnerability Confirmed: What it is and how to be prepared:
For Contrast customers, Protect can detect and block the current public exploit circulating the web. However, exploit writers will find ways around it quickly. The exploit in circulation installs a backdoor that is simple to detect and block. We are working on more robust controls at the moment and will release them as soon as possible.
On day-zero of the Spring4Shell exploit, Contrast Protect’s command injection rule blocked commands from being passed through the HTTP request to the system to prevent RCE; however, Protect did not prevent attackers from installing the JSP web shell in the first place.
Of course, we aim to block these attacks even sooner such that the attacker is denied the opportunity to install a web shell or take other malicious actions. The new Class Loader Manipulation rule is the “more robust controls” that we have been working on. This rule prevents attackers from manipulating the application’s class loader in any way, much less installing a web shell or other malicious code. This rule completely guards users from any variation of Spring4Shell and from any future copycat zero-days that target other frameworks like Spring with the same vulnerability.
How Does Protect Block Class Loader Manipulation?
Class loader manipulation vulnerabilities are more likely to exist in Java web application frameworks that use mass assignment, object deserialization libraries, and expression language injection libraries. All of these technologies share something in common: they map untrusted data from HTTP requests to the application’s Java types using Java’s reflection API.
The new Protect Class Loader Manipulation rule does not analyze user input before blocking attacks; rather, it uses Protect’s sandboxing technique to deny any attempt to use reflection to invoke common ClassLoader accessor methods that attackers exploit.
This sandboxing technique is uniquely available to runtime application self protection (RASP) agents like Contrast Protect. Endpoint protection tools cannot replicate this.
The Class Loader Manipulation rule provides exhaustive protection against Spring4Shell and other future exploits that use the same technique to get a reference to the application’s class loader. However, we have more ambitious goals for this rule.
We want to guard against more techniques that attackers may use to get access to an application class loader. With these added protections, we can be most confident that this rule will block the next zero-day that relies on a class loader manipulation exploit. After adding these protections, we will remove the Beta label from this rule.
What are the Risks?
Contrast Protect rules aim to strike the right balance between accuracy, performance, and protection. Like any Protect rule, in blocking mode, false positives can disrupt an application’s normal functions.
Before releasing the Class Loader Manipulation rule, Contrast tested for false positives on hundreds of test applications, and we found none. We believe the risk for false positives is low. Still, users can make sure the rule won’t disrupt their applications by first running the rule in monitoring mode. In monitoring mode, Contrast agents report attacks but do not block them. Any false positives from this rule will be evident from using applications with a normal workload while monitoring Contrast for false attacks. Monitor mode gives users a risk-free way to determine that this rule will not disrupt normal application functionality before configuring it to block attacks.
When Is this available to Enterprise On-Premise Users?
This rule will be included in the next regularly scheduled release of Contrast’s Enterprise On-Premise (EOP) product; however, EOP users are able to use this rule in a limited fashion to block Spring4Shell exploits today.
EOP users who want the added protection the class loader manipulation rule provides will need to update their Java agent version 18.104.22.168978 or later and contact email@example.com for help configuring the agent to block class loader manipulation attacks.. All Contrast Java agent versions are available in Maven Central.