Zero-Day Exploit in Spring Framework | Spring4Shell

dleinich
Occasional Collector

All products and services have been checked and we have addressed all risks identified. Details can be found in this article. We will continue monitoring our systems and following up on any new developments in the CVEs.

We are aware of the recently disclosed security vulnerabilities in Spring, commonly referred to as Spring4Shell. Please see CVE-2022-22963 and CVE-2022-22965. These two vulnerabilities were discovered almost at the same time and thus tend to get mixed up in the news, although they have different attack vectors.

We are actively monitoring and managing the issue and have a team working on identifying potential risks in our software components and services. This article will be updated regularly to provide information about how the vulnerability affects FirstSpirit and its ecosystem as well as details on how we handle the issue and what you can do to secure your systems. 

Be aware that this vulnerability affects many applications, as it is an issue in a widely used framework. The information in this article therefore does not show the whole picture but is strongly focused on FirstSpirit.

Updates to this article are summarized in the changelog at the end of this article. If you have additional questions or need additional information, please contact the Technical Support team.


Software as a Service (SaaS)

This section covers the use of e-Spirit products and services in a software-as-a-service (SaaS) environment, meaning you are a SaaS customer having e-Spirit operate your FirstSpirit ecosystem.

We identified the FirstSpirit password self service to be potentially vulnerable to exploits shortly after disclosure of the zero-day and fixed it in a matter of hours. We found no evidence that the vulnerability has in fact been exploited in this service.

✓ FirstSpirit Core

The core of FirstSpirit is not affected by the vulnerabilities.

As parts of FirstSpirit do make use of Spring, we are updating the included libraries to a more recent version of Spring, although this is not strictly necessary. The updated versions will be available in your SaaS environment shortly.

✓ CaaS (Content-as-a-Service) and Navigation Service

Both CaaS and Navigation Service are not affected by the vulnerability as these services do not use Spring.

SmartSearch

SmartSearch is using Spring. Although it is likely not vulnerable to attacks, a hardened version was deployed to customer environments on Wednesday, April 5th, in the early morning. A future release will also update the Spring libraries used to the most recent version.

✓ FirstSpirit Intelligent Content Engine (ICE)

FirstSpirit ICE is not affected by the vulnerabilities as it is not using Spring in customer facing services.

✓ FirstSpirit Modules and Product Extensions

We are actively working on identifying potential risks for FirstSpirit modules and product extensions internally as well as in collaboration with our partners.

✓ TranslationStudio

TranslationStudio by I-D Media is not using Spring so it is not affected by the vulnerabilities. See the I-D Media Security Bulletin for further information.

Webforms

Webforms by Monday Consulting is using Spring. Monday Consulting did release a new version for the 6.3 line of Webforms on Friday, April 1st, and for the 6.1 and 6.2 lines on Monday, April 4th. We have deployed the latest version including the fixes to customer environments using the standard version of Webforms on Tuesday, April 5th.

Customers using a customized version of the Webforms stack do need to update to the latest version on their own. We will reach out to these customers individually.

✓ Email Marketing / Universal Messenger

The Universal Messenger by pinuts is using Spring. Although it doesn’t seem that the vulnerabilities can be exploited, pinuts released new versions of Universal Messenger with the most recent and fixed versions of Spring in use. Updating to the latest release 7.44.1 is advised. You can download the latest versions directly from pinuts.

✓ E-Commerce Integrations

The existing e-commerce integration modules are not vulnerable. 

As part of the SAP Integrations (FirstSpirit Connect for SAP Commerce Cloud and FirstSpirit Connect (Headless) for SAP Commerce Cloud), Spring is used for API calls against the SAP instance. This does not open the module up as an attack vector. Nevertheless, we will update the Spring dependency and roll out the fixed module with the upcoming patch day.

The addon that is part of FirstSpirit Connect for SAP Commerce Cloud uses Spring as well and depends on the Spring version of the SAP Commerce Cloud instance. This implementation does not include services that would make the addon vulnerable to attacks.

ContentConnect for Salesforce, FirstSpirit Connect for Spryker Commerce OS and FirstSpirit Connect for Commerce don’t use Spring at all.

If you have modified parts of the codebase active in the commerce platform or the storefront, you have to check these changes yourself. We also cannot speak for the commerce platform itself; please reach out to your commerce platform provider for further information.

Project Solutions

We are proactively checking custom modules and components running in our SaaS environment for the vulnerabilities. If we think one of your project solutions is affected, we will actively reach out to you with details. As we cannot be 100% certain to detect all risks, please make sure to additionally check your custom code yourself or have your implementation partner check it.

Please see the chapter Analysing Project Solutions below to learn what we consider worth looking for, in addition to what is described in several articles on the internet.

On-Premises

This section covers the use of FirstSpirit on-premises, meaning that you or a service partner operates FirstSpirit and the surrounding ecosystem yourself.

✓ FirstSpirit Core

The most recent versions of FirstSpirit (2022.3 and 2022.4) are not affected by the vulnerabilities.

As parts of FirstSpirit do make use of Spring, we are updating the included libraries to a more recent version of Spring, although this is not strictly necessary. The latest version 2022.4 is now available through our Technical Support team.

If you are on an older version of FirstSpirit, the general advice is to update to the most recent version of FirstSpirit. Please talk to your implementation partner or our Professional Services team for further information.

✓ SmartSearch

SmartSearch is using Spring. A hardened version 3.3.3 is now available through our Technical Support team and we strongly recommend an update. A future release will also update the Spring libraries used to the most recent version.

✓ FirstSpirit Modules and Product Extensions

We are actively working on identifying potential risks for FirstSpirit modules and product extensions internally as well as in collaboration with our partners.

✓ TranslationStudio

TranslationStudio by I-D Media is not using Spring so it is not affected by the vulnerabilities. See the I-D Media Security Bulletin for further information.

✓ Webforms

Webforms by Monday Consulting is using Spring. Monday did release a new version for the 6.3 line of Webforms on Friday, April 1st, and for the 6.1 and 6.2 lines on Monday, April 4th. Updating to the latest version is strongly advised.

✓ EmailMarketing / Universal Messenger

The Universal Messenger by pinuts is using Spring. Although it doesn’t seem that the vulnerabilities can be exploited, pinuts released new versions of Universal Messenger with the most recent and fixed versions of Spring in use. Updating to the latest release 7.44.1 is advised. You can download the latest versions directly from pinuts.

✓ E-Commerce Integrations

The existing e-commerce integration modules are not vulnerable. See E-Commerce Integrations in SaaS above for details.

If you have modified parts of the codebase active in the commerce platform or the storefront, you have to check these changes yourself. We also cannot speak for the commerce platform itself; please reach out to your commerce platform provider for further information.

✓ SAP Business Package

The SAP Business Package is not affected by the vulnerability as it does not use any Spring components.

Project Solutions

Using the FirstSpirit API, you and/or your implementation partners are able to develop FirstSpirit modules on your own, so-called project solutions. As e-Spirit is not aware of the implementation details of specific on-premises project solutions, we cannot provide a risk estimation.

Please see the chapter Analysing Project Solutions below to learn what we consider worth looking for, in addition to what is described in several articles on the internet.

Analysing Project Solutions

We found the following details to be good hints on what to look for in your code when checking for the vulnerability. All of them need to apply for an endpoint to be vulnerable. Please also look for additional sources on the internet to stay up to date on the latest developments:

  • Spring Boot <= 2.6.5 or <= 2.5.11
    · 2.6.6 and 2.5.12 already include the patched Spring version 5.3.18
  • Methods are using @RequestMapping (or @GetMapping, @PostMapping, @PutMapping, @DeleteMapping, @PatchMapping)
    · Hint: regex search in your IDE for: @\w+Mapping
  • Annotation does not specify allowed Content-Types or explicitly specifies application/x-www-form-urlencoded
    · by using consumes = "application/json", the attack does not work
    · consumes = "application/x-www-form-urlencoded" is problematic
  • Method parameter is a POJO (Plain Old Java Object). Primitive types like String or boolean do not seem to be critical.
    · Certain classes are safe to use, like ServletRequest, Locale or InputStream. Please consult the list mentioned in JFrog's article SpringShell Zero-Day Vulnerability: All You Need To Know
  • Method parameters are not annotated
    · Annotations like @RequestBody, @PathVariable, or @RequestParam prevent the parameter from being parsed with Form Data Binding
    · @ModelAttribute is used as the default for non-annotated parameters and causes the vulnerability

Be aware that searching your own code is not enough, as there may be dependencies defining endpoints that are vulnerable. One way to find those is the following tool from JFrog: spring-tools. There is also a blog article by JFrog describing the prerequisites for being vulnerable.
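As an added example that is not part of this article and not FirstSpirit or e-Spirit code, the following Python script applies the checklist above to Java source files: it finds every @\w+Mapping annotation (the same pattern as the IDE search hint), reads the consumes attribute, and reports only those handler methods whose non-annotated (or @ModelAttribute) parameters have a type outside a safe list; it also encodes the Spring Boot version rule. The controller it scans is a constructed sample (the Account class, paths and method names are made up): two handlers satisfy every condition, the other two are hardened with consumes = "application/json" and @RequestBody or use only safe parameter types. It is a source-level heuristic only: it does not see endpoints defined in dependencies, so it complements the JFrog scanner rather than replacing it, and any type it does not recognise is reported for manual review.

```python
import re
from typing import List, NamedTuple

# Types the checklist (and the JFrog list it points to) treats as safe: primitives and wrappers
# plus servlet/framework types that Spring resolves without form data binding.
# Anything not listed here is reported, so unknown types err on the side of noise.
SAFE_TYPES = {
    "String", "boolean", "Boolean", "int", "Integer", "long", "Long", "short", "Short",
    "byte", "Byte", "char", "Character", "float", "Float", "double", "Double",
    "ServletRequest", "HttpServletRequest", "ServletResponse", "HttpServletResponse",
    "HttpSession", "Principal", "Locale", "TimeZone", "ZoneId", "InputStream", "Reader",
    "OutputStream", "Writer", "HttpMethod", "Model", "ModelMap", "Map", "Errors", "BindingResult",
}


class Finding(NamedTuple):
    line: int              # line of the mapping annotation
    mapping: str           # e.g. PostMapping
    method: str            # Java method name
    parameters: List[str]  # parameter declarations that would be filled by form data binding


def spring_boot_is_patched(version: str) -> bool:
    """Checklist item 1: 2.6.6 / 2.5.12 and later already ship the patched Spring 5.3.18."""
    v = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return v >= (2, 6, 6) or (2, 5, 12) <= v < (2, 6, 0)


def _paren_group(text: str, idx: int):
    """Return (inner text, index after ')') for the balanced group opening at text[idx]."""
    depth = 0
    for i in range(idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[idx + 1:i], i + 1
    raise ValueError("unbalanced parentheses")


def _skip_ws(text: str, i: int) -> int:
    while i < len(text) and text[i].isspace():
        i += 1
    return i


def _split_params(params: str) -> List[str]:
    """Split a parameter list on top-level commas only, so Map<K, V> stays in one piece."""
    out, cur, depth = [], [], 0
    for ch in params:
        depth += ch in "<("
        depth -= ch in ">)"
        if ch == "," and depth == 0:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        out.append("".join(cur).strip())
    return out


def _form_binding_allowed(args: str) -> bool:
    """Checklist item 3: no 'consumes' at all, or one that explicitly allows form-urlencoded."""
    m = re.search(r"consumes\s*=\s*(\{[^}]*\}|[^,]+)", args)
    if not m:
        return True
    return "x-www-form-urlencoded" in m.group(1) or "FORM_URLENCODED" in m.group(1)


def _is_form_bound(param: str) -> bool:
    """Checklist items 4 and 5: a non-safe type with no annotation (or only @ModelAttribute)."""
    annotations = re.findall(r"@(\w+)", param)
    if any(a != "ModelAttribute" for a in annotations):
        return False  # @RequestBody, @RequestParam, @PathVariable, ... bypass form data binding
    decl = re.sub(r"@\w+(?:\([^)]*\))?", "", param).replace("final ", "").split()
    if len(decl) < 2:
        return False
    type_name = " ".join(decl[:-1]).split("<")[0].rstrip("[]").split(".")[-1]
    return type_name not in SAFE_TYPES


def scan_java_source(src: str) -> List[Finding]:
    """Report handler methods for which every checklist condition holds at once."""
    findings = []
    for m in re.finditer(r"@(\w+Mapping)\b", src):  # same pattern as the IDE search hint
        i = _skip_ws(src, m.end())
        args = ""
        if i < len(src) and src[i] == "(":
            args, i = _paren_group(src, i)
        while True:  # skip further annotations stacked between the mapping and the signature
            i = _skip_ws(src, i)
            if i >= len(src) or src[i] != "@":
                break
            k = i + 1
            while k < len(src) and (src[k].isalnum() or src[k] in "_."):
                k += 1
            k = _skip_ws(src, k)
            i = _paren_group(src, k)[1] if k < len(src) and src[k] == "(" else k
        j = src.find("(", i)
        if j < 0 or "{" in src[i:j]:
            continue  # class-level @RequestMapping, not a handler method
        params = [p for p in _split_params(_paren_group(src, j)[0]) if _is_form_bound(p)]
        if params and _form_binding_allowed(args):
            findings.append(Finding(src.count("\n", 0, m.start()) + 1,
                                    m.group(1), src[i:j].split()[-1], params))
    return findings


# Constructed sample controller (not from the article or any FirstSpirit module).
SAMPLE_CONTROLLER = """
@RestController
@RequestMapping("/api")
public class AccountController {

    // matches every checklist condition: POJO, no annotation, no content-type restriction
    @PostMapping("/account")
    public String update(Account account) { return "ok"; }

    // hardened: JSON only, and @RequestBody bypasses form data binding
    @PostMapping(value = "/account/json", consumes = "application/json")
    public String updateJson(@RequestBody Account account) { return "ok"; }

    // only safe parameter types
    @GetMapping("/account/{id}")
    public String show(@PathVariable long id, HttpServletRequest request, Locale locale) { return "ok"; }

    // explicit form content type plus @ModelAttribute POJO: problematic
    @RequestMapping(value = "/legacy", method = RequestMethod.POST,
                    consumes = "application/x-www-form-urlencoded")
    public String legacy(@ModelAttribute Account account, String note) { return "ok"; }
}
"""

if __name__ == "__main__":
    for f in scan_java_source(SAMPLE_CONTROLLER):
        print(f"line {f.line}: @{f.mapping} {f.method}(...) form-binds {f.parameters}")
    print("Spring Boot 2.6.5 patched:", spring_boot_is_patched("2.6.5"))
```

Run it over a project with something like `scan_java_source(open(path).read())` for each .java file; a non-empty result for a project on Spring Boot 2.6.5 / 2.5.11 or older means all conditions from the checklist apply and the endpoint should be reviewed and the Spring dependency updated.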

Check your project solutions for this vulnerability and take the appropriate measures. Do talk to your implementation partners to have them check the modules they have developed for you. Please also consider other infrastructure components not directly related to FirstSpirit, as they may be using vulnerable versions of Spring as well.

Further Information

We will update this article as we learn more. Please also keep an eye on this article to immediately learn about new developments.

To learn more about the vulnerability in general and how to address it in your environment, we recommend the following resources:

If you have any questions regarding this matter, please contact our Technical Support team who will provide answers and help keeping your FirstSpirit system secure to our best knowledge.

Updates / Changelog

2022-04-07 10:01 UTC - Added note on the current status
2022-04-05 11:25 UTC - Updated information about Webforms in SaaS
2022-04-05 08:01 UTC - Updated information about SmartSearch in SaaS
2022-04-04 14:16 UTC - Added information about SmartSearch on-premises
2022-04-04 13:29 UTC - New versions for Webforms on-premises are now available
2022-04-04 13:24 UTC - Updated information about FirstSpirit ICE
2022-04-04 13:20 UTC - Updated information about SmartSearch in SaaS
2022-04-04 13:15 UTC - FirstSpirit 2022.4 is now available
2022-04-04 09:20 UTC - Added paragraph about password self service
2022-04-04 08:14 UTC - Initial Statement