0-day Vulnerability Scan: SpringShell or Spring4Shell

Hello folks. This is an urgent requirement to use BigFix to query the details below, so please help me with how to write the query for that.

CyberSecurity has just alerted me to a 0-day vulnerability which is called SpringShell or Spring4Shell. CyberSecurity has only recently begun to put together the components by which the vulnerability will exploit a given system or systems. However, we would like to fully understand the potential UNIX/Linux servers that could be exposed by this latest vulnerability (i.e., the attack surface). As a result, could you please write a script OR utilize BigFix to query the UNIX and Linux servers for the following installed components?

• Java 9 or greater
• spring-beans*.jar

Below are a few links that have been shared with me related to this vulnerability:

• SpringShell: Spring Core RCE 0-day Vulnerability - Cyber Kendra

• Spring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities in Spring | LunaSec

Could you please help me with this, i.e., how to write the query or analysis to get the results?

The official documentation from the Spring Framework engineers

Do you have BigFix Inventory in place?

Here's a Task I created to detect where the Spring framework has been embedded in a WAR file.
The relevance targets Linux hosts where the Java process version is >= 9.

override wait
timeout_seconds=60
disposition=terminate
parameter "scriptFile" = "{parent folder of parent folder of client folder of current site}/detectSpring.sh"
delete "{parameter "scriptFile"}"
createfile until __end__ 
#!/bin/bash
# Write the path of every WAR that bundles spring-beans (or the beans
# introspection class) to /var/opt/BESClient/Spring.txt for the property below.
test -d /var/opt/BESClient/ || mkdir -p /var/opt/BESClient/
# Note: the unquoted $(locate ...) splits on whitespace, so WAR paths
# containing spaces are not handled by this loop.
for war in $(locate -b --regex '[.]war$'); do
  war_file=$(basename "$war")
  # Skip exploded deployments: 'locate' also returns directories named *.war
  file "$war" | grep -qv ' directory' || continue
  mkdir -p /tmp/bigfix && cp "$war" /tmp/bigfix/ && cd /tmp/bigfix && unzip -qjun "$war_file" \
    && ls | egrep -q -e 'spring-beans-.*\.jar' -e 'CachedIntrospectionResults.class' && echo "$war"
  rm -rf /tmp/bigfix/*
done > /var/opt/BESClient/Spring.txt
exit 0
__end__ 
move __createfile "{parameter "scriptFile"}" 
wait chmod 555 "{parameter "scriptFile"}" 
wait /bin/bash "{parameter "scriptFile"}"


Property to read the output is -

if exists files "Spring.txt" of parent folders of parent folders of client folders of sites "actionsite" then unique values of (it as trimmed string) of (if exists property "locked lines" then locked lines of it else lines of it) of files "Spring.txt" of parent folders of parent folders of client folders of sites "actionsite" else "N/A"


I already tried using BFI, and a search for spring-beans returns nothing. We are a software company, so we certainly expect results to show up.

I'm not certain whether the issue is limited to spring-beans. Based on the Spring blog post at https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted it seems there are potential exploits demonstrated in spring-mvc and spring-webflux.

I'm still looking, but we may need to widen the search.

[edit: yes, they contain spring-beans. No, I can't type 'spring-beans-*' without introducing a typo]

Hi Dmccalla. No, we don't have the Inventory module, since we have a Patch module license only.

Started a topic to consolidate info at Spring Framework RCE Vulnerability – Current BigFix Actions


I do like this method a lot, and it should provide a much faster scan for customers who have 'locate' installed & configured; I just don't think I can depend on 'locate' being present for everyone.
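Neither `locate` nor `unzip` is guaranteed on every host, so here is a standalone Python 3 scanner, added as an example rather than code from this thread or from BigFix, that walks the filesystem with `os.walk` and inspects archives with the standard `zipfile` module. It looks for the same two indicators as the Task above (a `spring-beans-*.jar` entry, or the `CachedIntrospectionResults` class inside a nested jar), also covers exploded deployments and Spring Boot fat jars (`BOOT-INF/lib`), and parses `java -version` output for the "Java 9 or greater" condition. The sample deployment tree it builds is constructed for the demonstration, and the default scan roots are an assumption to adjust to where your application servers live; the script could be wrapped in the same createfile/wait pattern and its output read by the property shown earlier.

```python
"""Spring4Shell attack-surface inventory for one Linux host (added example).

Walks the filesystem instead of relying on `locate`, and reads archives with
zipfile instead of shelling out to `unzip`. Reports every archive or exploded
deployment that ships spring-beans, plus the installed Java major version.
"""
import io
import os
import re
import subprocess
import sys
import tempfile
import zipfile

SPRING_BEANS_JAR = re.compile(r"(?:^|/)spring-beans-([\w.\-]+)\.jar$")
INTROSPECTION_CLASS = "org/springframework/beans/CachedIntrospectionResults.class"
ARCHIVE_SUFFIXES = (".war", ".jar", ".ear")
# Assumed default roots; real deployments may live elsewhere.
DEFAULT_ROOTS = ["/opt", "/srv", "/var", "/home", "/usr/share"]
JAVA_VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?')


def spring_beans_in_archive(path):
    """Return the spring-beans versions bundled in one archive (empty list if none).

    A nested jar whose name does not reveal its origin (shaded/renamed) is opened
    from memory and reported as 'shaded-or-renamed' when it carries the beans
    introspection class that Spring4Shell abuses.
    """
    found = []
    try:
        with zipfile.ZipFile(path) as z:
            names = z.namelist()
            for name in names:
                m = SPRING_BEANS_JAR.search(name)
                if m:
                    found.append(m.group(1))
                elif name.endswith(".jar"):
                    try:
                        with zipfile.ZipFile(io.BytesIO(z.read(name))) as inner:
                            if INTROSPECTION_CLASS in inner.namelist():
                                found.append("shaded-or-renamed")
                    except zipfile.BadZipFile:
                        pass  # nested entry is not a readable zip
            if INTROSPECTION_CLASS in names:
                found.append("shaded-or-renamed")  # the archive itself is a beans jar
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or not a zip: nothing to report
    return found


def scan_tree(root):
    """Return [(path, versions)] for every archive or loose spring-beans jar under root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            m = SPRING_BEANS_JAR.search(fn)
            if m:  # exploded webapp or plain lib directory
                hits.append((full, [m.group(1)]))
            elif fn.endswith(ARCHIVE_SUFFIXES):
                versions = spring_beans_in_archive(full)
                if versions:
                    hits.append((full, versions))
    return hits


def java_major_version(version_output):
    """Map `java -version` text to a major version: 1.8.0_312 -> 8, 11.0.14 -> 11, 17 -> 17."""
    m = JAVA_VERSION_RE.search(version_output)
    if not m:
        return None
    major, minor = int(m.group(1)), m.group(2)
    return int(minor) if major == 1 and minor else major


def installed_java_major():
    """Run `java -version` on this host (it prints to stderr) and parse the result."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return java_major_version(out.stderr + out.stdout)


def build_sample_tree(base):
    """Constructed sample, not real deployments: a WAR bundling spring-beans 5.3.17,
    a Spring Boot style jar hiding the beans class in a renamed nested jar,
    an exploded webapp with the jar on disk, and one clean WAR."""
    lib = os.path.join(base, "exploded", "WEB-INF", "lib")
    os.makedirs(lib)
    open(os.path.join(lib, "spring-beans-5.2.20.RELEASE.jar"), "wb").close()
    with zipfile.ZipFile(os.path.join(base, "app.war"), "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        z.writestr("WEB-INF/lib/spring-beans-5.3.17.jar", b"")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(INTROSPECTION_CLASS, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(base, "boot.jar"), "w") as z:
        z.writestr("BOOT-INF/lib/vendor-shaded.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(base, "clean.war"), "w") as z:
        z.writestr("WEB-INF/lib/commons-io-2.11.jar", b"")


def demo():
    """Scan the constructed sample tree and return hits relative to its root."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return sorted((os.path.relpath(p, base), sorted(v)) for p, v in scan_tree(base))


if __name__ == "__main__":
    print("java major version:", installed_java_major())
    for root in sys.argv[1:] or DEFAULT_ROOTS:
        for path, versions in scan_tree(root):
            print(f"{path}\tspring-beans {','.join(versions)}")
```

Run it as `python3 spring_scan.py /opt/tomcat /srv` to restrict the walk; `python3 -c 'import spring_scan; print(spring_scan.demo())'` exercises it against the constructed tree only. A host is in scope for the OP's question when the Java major is 9 or above and the scan returns at least one hit.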

Have you seen this? https://github.com/whitesource/spring4shell-detect

There's actually a few scanners on GitHub; I tested the Qualys scanner ... it looked OK.