Spring Core and Cloud Function SpEL RCEs

On March 29, 2022, information about a 0-day vulnerability in the popular Java library Spring Core appeared on Twitter. Spring Framework is an extremely popular framework used by Java developers to build modern applications. If you rely on the Java stack, it is very likely that your development teams use Spring. In some cases, a single specially crafted request is enough to exploit the vulnerability. Later, it was discovered that these are two separate vulnerabilities, one in Spring Core and the other in Spring Cloud Function: **CVE-2022-22965 - RCE in "Spring Core" is a severe vulnerability, aka Spring4Shell** **CVE-2022-22963 - RCE in "Spring Cloud Function SpEL"** **CVE-2022-22947 - RCE in "Spring Cloud Gateway"** **Spring Core vulnerability requirements:** * JDK 9 or higher * Apache Tomcat as the Servlet container * Packaged as WAR * spring-webmvc or spring-webflux dependency * Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions **Spring Cloud Function unaffected versions:** * 3.1.7 * 3.2.3 **This playbook will provide you with a first response kit which includes:** * Hunting * Panorama * Prisma Cloud Compute * XDR XQL queries - set the playbook input **RunXQLHuntingQueries** to 'True' if you would like the XQL to be executed via the playbook. * XDR Alerts - Search for new incidents including one or more of Spring RCEs dedicated Cortex XDR signatures * Remediation * Mitigations **Note:** You can execute this playbook using the Incidents view by creating a new incident or by using a dedicated job to schedule the playbook execution. **Additional resources:** [Spring Framework RCE](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement) [CVE-2022-22965: Spring Core Remote Code Execution Vulnerability Exploited In the Wild ](https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/)

Spring Core and Cloud Function SpEL RCEs · 51 tasks · 6 inputs · 0 outputs

Inputs

  • RelatedCVEs — The vulnerability assigned CVE.
  • PlaybookDescription — The playbook description. Will be used in the Rapid Breach Response - Set Incident Info sub-playbook.
  • AutoCloseIncident — Whether to close the incident automatically or continue with manual investigation.
  • BlockIndicatorsAutomatically — Whether to block the indicators automatically.
  • RunXQLHuntingQueries — Whether to hunt using XQL queries.
  • XQLTimeFrame — The XQL search time frame. Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00").

Commands used

closeInvestigation createNewIndicator prisma-cloud-config-search redlock-get-rql-response xdr-xql-generic-query

Flowchart

yes yes yes yes yes yes yes yes no yes yes yes yes Start Start Collect Detection Rules Collect Detection Rules Download Yara Rules - http Download Yara Rules http Tag, Link and Enrich CVE Tag, Link and Enrich CVE Tag CVE indicators - createNewIndicator Tag CVE indicators createNewIndicator Rapid Breach Response - Set Incident Info - Rapid Breach Response - Set Incident Info Rapid Breach Response - S... Rapid Breach Response - Set I... Handle Rapid Breach Response Layout Handle Rapid Breach Respo... Threat Hunting Threat Hunting Panorama Query Logs - Panorama Query Logs Panorama Query Logs Panorama Query Logs Mitigation Mitigation Deploy Detection Rules Deploy Detection Rules Patch Vulnerability Patch Vulnerability Install Spring Cloud Function unaffected version Install Spring Cloud Func... Deploy Yara rules Deploy Yara rules Analysis resolution - Should continue with the investigation? Analysis resolution - Sho... Done Done Investigate Further Investigate Further Close Investigation - closeInvestigation Close Investigation closeInvestigation Resolution Resolution Remediation Remediation Block indicators automatically? Block indicators automati... Block indicators manually Block indicators manually Block IP - Generic v3 - Block IP - Generic v3 Block IP - Generic v3 Block IP - Generic v3 CVE Enrichment - Generic v2 - CVE Enrichment - Generic v2 CVE Enrichment - Generic v2 CVE Enrichment - Generic v2 Search Endpoint by CVE - Generic - Search Endpoint by CVE - Generic Search Endpoint by CVE - ... Search Endpoint by CVE - Generic Spring4Shell Scanner Spring4Shell Scanner Download Spring scanner - http Download Spring scanner http Scan your applications Scan your applications Spring Core RCE Scanner Spring Core RCE Scanner Install Spring Framework and Boot unaffected versions Install Spring Framework ... Prisma Cloud Prisma Cloud Is Prisma Cloud enabled? Is Prisma Cloud enabled? Search for possible vulnerable servers - redlock-get-rql-response Search for possible vulne... redlock-get-rql-response Review possible vulnerable servers Review possible vulnerabl... Found servers using Prisma Cloud? Found servers using Prism... Palo Alto Networks Hunting Palo Alto Networks Hunting CVE Hunt CVE Hunt XQL Hunting Queries XQL Hunting Queries Should run XQL hunting queries? Should run XQL hunting qu... Check if Cortex XDR - XQL Query Engine is Enabled - IsIntegrationAvailable Check if Cortex XDR - XQL... IsIntegrationAvailable Detect Spring4shell POC usage - xdr-xql-generic-query Detect Spring4shell POC u... xdr-xql-generic-query Detect suspicious processes spawned by Java or Apache - xdr-xql-generic-query Detect suspicious process... xdr-xql-generic-query Cortex XDR Cortex XDR XDR Alerts XDR Alerts Is Cortex XDR Investigation & Response enabled? Is Cortex XDR Investigati... Search XDR incidents for Spring RCEs activity - SearchIncidentsV2 Search XDR incidents for ... SearchIncidentsV2 Check if related incidents were found Check if related incident... Manual review affected endpoints Manual review affected en... Search for internet exposed vulnerable hosts that are receiving traffic - redlock-get-rql-response Search for internet expos... redlock-get-rql-response Search for Vulnerable hosts on Prisma Cloud - prisma-cloud-config-search Search for Vulnerable hos... prisma-cloud-config-search Search for internet facing exposed vulnerable hosts that are receiving traffic - prisma-cloud-config-search Search for internet facin... prisma-cloud-config-search