Spring4Shell
A zero-day vulnerability in the Spring Core Framework
Allows RCE (Remote Code Execution)
VMware report (https://tanzu.vmware.com/security/cve-2022-22965)
Spring Framework RCE, Early Announcement (spring.io)
CVE-2022-22965 (Spring4Shell)
Exploit prerequisites
- JDK 9 or later
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
Affected versions
- Spring Framework 5.3.0 to 5.3.17
- Spring Framework 5.2.0 to 5.2.19, and earlier versions
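A small triage script for the two prerequisites above that can be read off build output: the Spring Framework version (affected: 5.3.0 to 5.3.17, and 5.2.19 and earlier) and the JDK major version (9 or later). This is an added example, not code from the original post; the dependency lines are constructed sample input in the `group:artifact:type:version:scope` format of `mvn dependency:list` output, which is an assumption about how the inventory is produced.

```python
"""Triage helper for CVE-2022-22965 (Spring4Shell) exposure.
Added example, not from the original post. Input format is assumed to be
`mvn dependency:list` style 'group:artifact:type:version:scope' lines.
"""
import re

# The post names these two artifacts as the vulnerable entry points.
SPRING_ARTIFACTS = {"spring-webmvc", "spring-webflux"}

def parse_version(text):
    """Turn '5.3.17' or '5.2.19.RELEASE' into a comparable tuple (5, 3, 17)."""
    nums = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not nums:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(n) for n in nums.groups())

def spring_version_affected(version):
    """Affected ranges from the post: 5.3.0-5.3.17, and everything up to 5.2.19."""
    v = parse_version(version)
    if (5, 3, 0) <= v <= (5, 3, 17):
        return True
    return v <= (5, 2, 19)

def jdk_major(java_version):
    """JDK major from `java -version`: '1.8.0_292' -> 8, '11.0.15' -> 11, '17' -> 17."""
    parts = java_version.split(".")
    return int(parts[1]) if parts[0] == "1" else int(parts[0])

def triage(dependency_lines, java_version):
    """Return affected Spring web artifacts and whether the JDK 9+ prerequisite holds."""
    affected = []
    for line in dependency_lines:
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue  # not a dependency line, skip it
        group, artifact, version = fields[0], fields[1], fields[3]
        if group == "org.springframework" and artifact in SPRING_ARTIFACTS:
            if spring_version_affected(version):
                affected.append(f"{artifact}:{version}")
    return {"affected_artifacts": affected, "jdk9_plus": jdk_major(java_version) >= 9}

# Constructed sample: one vulnerable MVC dependency, one patched WebFlux one.
SAMPLE_DEPS = [
    "org.springframework:spring-webmvc:jar:5.3.17:compile",
    "org.springframework:spring-webflux:jar:5.3.18:compile",
    "org.springframework:spring-core:jar:5.3.17:compile",
]
```

Running `triage(SAMPLE_DEPS, "11.0.15")` flags `spring-webmvc:5.3.17` and confirms the JDK prerequisite; the same inventory on `1.8.0_292` still reports the outdated artifact but not the JDK condition.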
Spring4Shell test environment
GitHub - jbaines-r7/spring4shell_vulnapp (github.com): Intentionally Vulnerable to Spring4Shell
Spring4Shell PoC
GitHub - BobTheShoplifter/Spring4Shell-POC (github.com): Spring4Shell Proof Of Concept/Information CVE-2022-22965