Spring4Shells - CVE-2022-22965 Exploit Report

Spring4Shells (CVE-2022-22965) is a critical remote code execution (RCE) vulnerability in the Spring Core framework, a widely used Java web application framework. It enables unauthenticated attackers to gain control over servers running vulnerable versions of Spring Core under certain configurations.

The vulnerability arises from the use of data binding in Spring MVC or Spring WebFlux with certain configurations. Specifically, when a Spring application is deployed as a traditional WAR package on Apache Tomcat with Java 9+, attackers can manipulate the ClassLoader via crafted HTTP parameters to write arbitrary files, including web shells, into the application’s working directory.

• T1190 – Exploit Public-Facing Application
• T1059.004 – Command and Scripting Interpreter: Java
• T1105 – Ingress Tool Transfer
• T1505.003 – Server Software Component: Web Shell

View this mapping using official MITRE ATT&CK Navigator

• Patch Spring Framework to version 5.3.18 or 5.2.20 or later
• Use Tomcat embedded deployment instead of traditional WAR
• Block suspicious HTTP requests containing class.module.classLoader or similar payloads
• Monitor for unauthorized file creation in webroot directories
• Apply WAF or reverse proxy filtering for dangerous request patterns

• VMware Spring Advisory
• NVD CVE-2022-22965
• MITRE ATT&CK: T1190