
Researchers recently announced a serious security hole in Spring, a widely used framework for developing Java applications. Designated CVE-2022-22965 and nicknamed SpringShell, the substantial chink in the collective Java development community’s armor left many scrambling for a patch before attackers began exploiting the vulnerability.
Moreover, the announcement underscored the futility of security strategies that try to thwart attackers by deny-listing known-dangerous functionality. Instead, the incident pointed to the solution to the growing number of cyberattacks that exploit inherent security weaknesses: developing processes for building security into applications at the earliest stages of software development.
Static application security testing (SAST) is a process that provides teams with a comprehensive toolset for identifying code vulnerabilities in today’s complex, third-party software-reliant applications and libraries before deployment and during development. Kiuwan is a high-performance SAST platform that gives developers confidence that their code will be free of preventable security vulnerabilities from the outset.
SpringShell caught many security teams off guard, especially those relying on open-source libraries and the popular Java Spring development platform. Exploring how a vulnerability like this can appear overnight helps us understand that steering away from the putting-out-fires paradigm toward baked-in code security is the most viable way forward to stem the growing epidemic of cyber attacks.

What set the SpringShell vulnerability apart was its potential impact on a large segment of enterprise-level Java applications. To exploit the weakness, attackers must find a target running a combination of Spring, Java 9 or greater, and Tomcat.
Finding that configuration isn’t too difficult, given that Spring is the number one Java framework and Java 9 has had time to broaden its reach in the five years since its release. In addition, Tomcat, the popular web server for Java applications embedded in Spring Boot and Spring Beans, increases the number of potential targets available to cybercriminals.
Spring’s data binder relies on a deny list to block request data from reaching the ClassLoader property. However, Java 9 introduced the module system, and the new Module object offered an alternative path to the ClassLoader that the deny list did not cover, allowing request data to be written to internal objects.
Investigators conducting PoC testing discovered that this Spring vulnerability allows remote code execution (RCE) by setting attributes through that ClassLoader access. The method involves finding a Spring POST endpoint that binds request parameters and reconfiguring Tomcat so that it writes a JSP or other executable file containing attacker-supplied code to the Tomcat server.
The fix for SpringShell is straightforward, and organizations should have applied it as soon as the vulnerability was published: upgrade to Spring Framework version 5.3.18 or 5.2.20, depending on the release line in use.
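For teams that could not upgrade immediately, the Spring team also published a data-binding workaround. The class below is an added illustration of that workaround, not code from the original post or from Kiuwan; the package name is an assumption. It registers a global @InitBinder that marks every nested "class" property path as disallowed, so request parameters can no longer traverse from a bound object’s Class to its ClassLoader. It narrows the attack surface only; upgrading to a patched Spring Framework release remains the real fix.

```java
// Added example (not from the original post or from Kiuwan): the WebDataBinder
// hardening published by the Spring team as a stopgap for CVE-2022-22965.
// Upgrading to Spring Framework 5.3.18 / 5.2.20 is still the proper fix.
package com.example.hardening;   // package name is an assumption

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// LOWEST_PRECEDENCE makes this advice run after any controller-local
// @InitBinder methods, so it is the last word on what may be bound.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Property-path patterns that request parameters must never be able to set.
    // The wildcards are the patterns understood by setDisallowedFields: they
    // cover "class.*" at the top level and "*.class.*" on nested beans, in both
    // spellings that the property accessor would resolve.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Disallowed fields are silently skipped during binding rather than
        // causing an error, so legitimate form fields continue to bind as before.
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

One caveat worth checking in a code review: a controller that declares its own @InitBinder and calls setDisallowedFields locally replaces the binder’s disallowed list instead of merging with it, so such controllers must include the same patterns themselves or the global advice does not protect them.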
It is safe to assume that SpringShell affected the vast majority of Spring Web projects running Java 9 and greater, along with many other users of the popular Spring framework. Investigators caution that Tomcat is merely one tool attackers can use to initiate exploitation. Malevolent actors could use means beyond Tomcat to exploit the underlying security hole in Spring.
As is often the case, the known vulnerability only opens the door to many possible variations. Resourceful hackers can exploit a known security hole to try a litany of attacks exploiting a common weakness.
Once researchers or attackers open Pandora’s box by revealing a security weakness, it is too late to mitigate these risks. The way to minimize the rapidly multiplying attacks that are likely to follow is to adopt a different security approach: DevSecOps. Development, Security, and Operations promotes code security to prominence in the software supply chain.
This shift in mindset is necessary to combat the growing cybersecurity problem. The only workable system starts at the application’s inception and continues throughout the entire software development lifecycle.

The ability to write an executable file from user-provided data is hazardous for organizations charged with safeguarding financial transactions and customer data. It is impossible to fathom all the exploits this access enables for cybercriminals, and merely applying the patch will, in all likelihood, be inadequate protection.
Data crime is the interception and theft of private or confidential data, including the theft of identities. With many financial, banking, and other privacy-centric institutions relying on the Spring framework for their Java application development, the opportunity for criminals is abundant. Simply put, when thieves can access restricted areas and write cloaked executable files, it inevitably leads to sensitive data breaches.
A lesser-known SpringShell exploit involves recruiting bot armies. Attackers can access servers and conscript them into their ill-intended activities, such as crypto mining and DDoS attack hordes.

Security vulnerabilities are a continually looming nightmare for many institutions. In addition, the drive for faster releases, continuous improvement, and shorter development cycles puts pressure on code development teams to rely heavily on open-source and third-party software libraries and functions.
Manually checking up to millions of lines of code for adverse software interactions and known security issues is logistically impossible. However, treating code security as an afterthought to the software supply chain is a mistake many organizations are no longer willing to make.
SAST helps development teams identify security issues before they become embedded in the code.

Kiuwan SAST provides a rigorous approach to detecting software vulnerabilities across multiple languages. As a result, DevOps teams using Kiuwan can seamlessly manage security as they write code. This ability to continually scan and revise code reduces the weak spots for cybercriminals to target, resulting in more robust security at every application level.
Kiuwan is a global company that provides a 360° application security platform to help guide code development teams in producing the highest-quality, most secure applications possible. In today’s threat landscape, it becomes increasingly difficult to argue that working within the old system of patching and firefighting is tenable.
Schedule an expert demo today with Kiuwan to discover how SAST can benefit the application development process, mitigate issues, and ultimately shorten development time, resulting in a more secure application.