Study

Spring4Shell zero-day vulnerability PoC

푸쥬 ! 2022. 4. 2. 17:36

Spring4Shell

A zero-day vulnerability in the Spring Core Framework (data binding in spring-beans)

Allows RCE (Remote Code Execution)

 

VMware advisory (https://tanzu.vmware.com/security/cve-2022-22965)

 

Spring Framework RCE, Early Announcement (spring.io, https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement)

CVE-2022-22965 (Spring4Shell)

Exploit prerequisites (for the publicly known exploit)

- JDK 9 or later
- Apache Tomcat as the Servlet container
- Packaged as a traditional WAR and deployed to Tomcat (the default Spring Boot executable jar with embedded Tomcat is not exposed to this exploit)
- spring-webmvc or spring-webflux dependency

Note that these are the conditions of the known exploit only. The advisory states that the underlying vulnerability is more general, so an application that does not meet all four conditions should still be patched.

 

Affected versions

- Spring Framework 5.3.0 to 5.3.17

- Spring Framework 5.2.0 to 5.2.19

- Older, unsupported versions are also affected

Fixed in Spring Framework 5.3.18 and 5.2.20 (Spring Boot 2.6.6 and 2.5.12).
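The version ranges and exploit prerequisites above are easy to get wrong when triaging many deployments by hand (for example, treating "5.2.0 and earlier" as a single boundary, or concluding that a jar-packaged app needs no patch). The following triage helper is an added example, not code from the original post or from the Spring project; it encodes the affected ranges, fixed releases and known-exploit prerequisites from the advisory. The function names and the dictionary layout of the verdict are my own choices.

```python
"""Offline triage helper for CVE-2022-22965 (Spring4Shell).

Added example (not from the original post or the Spring project). The
affected ranges, fixed releases and exploit prerequisites come from the
spring.io / VMware advisory; function names and the verdict format are
assumptions of this example.
"""

# (inclusive low, inclusive high, release that fixes this line)
AFFECTED_RANGES = (
    ((5, 3, 0), (5, 3, 17), "5.3.18"),
    ((5, 2, 0), (5, 2, 19), "5.2.20"),
)
# Anything older than 5.2.0 is out of support and also affected.
OLDEST_SUPPORTED = (5, 2, 0)


def parse_version(text):
    """'5.3.17' or '5.2.19.RELEASE' -> (5, 3, 17); qualifiers are ignored."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if len(parts) < 3:
        raise ValueError(f"unrecognised Spring Framework version: {text!r}")
    return tuple(parts[:3])


def affected_version(text):
    """Return (affected, release_to_upgrade_to) for a Spring Framework version string."""
    version = parse_version(text)
    for low, high, fix in AFFECTED_RANGES:
        if low <= version <= high:
            return True, fix
    if version < OLDEST_SUPPORTED:
        # Unsupported line: no fixed release exists in that line, move to a supported one.
        return True, "5.2.20 or 5.3.18"
    return False, None


def known_exploit_prerequisites(jdk_major, servlet_container, packaging, web_dependency):
    """Return the list of unmet prerequisites of the known exploit (empty = all met)."""
    unmet = []
    if jdk_major < 9:
        # The known exploit reaches the class loader via Class.getModule(), which only exists on JDK 9+.
        unmet.append("JDK 9 or later")
    if servlet_container.lower() != "tomcat":
        unmet.append("Apache Tomcat as the Servlet container")
    if packaging.lower() != "war":
        unmet.append("traditional WAR packaging (Boot executable jar is not exposed to this exploit)")
    if web_dependency.lower() not in ("spring-webmvc", "spring-webflux"):
        unmet.append("spring-webmvc or spring-webflux dependency")
    return unmet


def triage(version, jdk_major, servlet_container, packaging, web_dependency):
    """Combine the version check and the exploit prerequisites into one verdict.

    An affected version must be patched even when the known exploit does not
    apply: the advisory says the vulnerability is more general than that exploit.
    """
    affected, fix = affected_version(version)
    unmet = known_exploit_prerequisites(jdk_major, servlet_container, packaging, web_dependency)
    return {
        "affected_version": affected,
        "upgrade_to": fix,
        "known_exploit_applies": affected and not unmet,
        "unmet_prerequisites": unmet,
        "action": f"upgrade to Spring Framework {fix}" if affected else "no action for CVE-2022-22965",
    }


if __name__ == "__main__":
    # Constructed sample deployments, not real inventory data.
    for args in (("5.3.17", 11, "tomcat", "war", "spring-webmvc"),
                 ("5.3.17", 11, "tomcat", "jar", "spring-webmvc"),
                 ("5.3.18", 17, "tomcat", "war", "spring-webflux")):
        print(args, "->", triage(*args))
```

The second sample deployment (jar packaging) is the case people most often misjudge: the known exploit does not apply, but the verdict still says to upgrade because the version itself is affected.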

 

Spring4Shell test environment

 

GitHub - jbaines-r7/spring4shell_vulnapp: Intentionally Vulnerable to Spring4Shell (https://github.com/jbaines-r7/spring4shell_vulnapp)

 

Spring4Shell PoC

 

GitHub - BobTheShoplifter/Spring4Shell-POC: Spring4Shell Proof Of Concept/Information CVE-2022-22965 (https://github.com/BobTheShoplifter/Spring4Shell-POC)
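Running a PoC against the vulnerable app is only half of the exercise; the other half is being able to tell from your own logs whether someone has tried it against you. The block below is an added example (not code from the original post or from either linked repository): it scans access-log lines for request parameters whose name matches the field patterns the spring.io advisory tells you to disallow as a workaround ("class.*", "Class.*", "*.class.*", "*.Class.*"), which is the data-binding path the public proofs of concept for this CVE abuse. The log lines are constructed for the example; the log format and function names are assumptions.

```python
"""Access-log scan for CVE-2022-22965 (Spring4Shell) binding attempts.

Added example, not from the original post or the linked PoC repositories.
Detection criterion: a request parameter *name* that starts with "class."
or contains ".class." (case-insensitive), i.e. the field-name patterns the
spring.io advisory disallows as a workaround. Sample log lines are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Matches the advisory's disallowed field patterns class.*, Class.*, *.class.*, *.Class.*
SUSPICIOUS_FIELD = re.compile(r"(^|\.)class\.", re.IGNORECASE)

# Apache/Tomcat combined log format; only the fields the scan needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real). Line 2 carries the binding field path used by
# public PoCs; line 3 is a benign request whose *value* happens to contain "class.module";
# line 4 is the same attack with different letter case.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2022:17:36:01 +0900] "GET /greet?name=alice HTTP/1.1" 200 42 "-" "curl/7.81.0"
10.0.0.7 - - [02/Apr/2022:17:36:05 +0900] "POST /greet?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di HTTP/1.1" 200 0 "-" "python-requests/2.27"
10.0.0.9 - - [02/Apr/2022:17:36:09 +0900] "GET /search?q=class.module HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.8 - - [02/Apr/2022:17:36:12 +0900] "GET /greet?Class.Module.ClassLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 0 "-" "curl/7.81.0"
"""


def suspicious_fields(target):
    """Return the query-string parameter names in `target` that match the disallowed patterns."""
    query = urlsplit(target).query
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; decode again so a double-encoded
        # name such as class%252Emodule is normalised before matching.
        name = unquote_plus(name)
        if SUSPICIOUS_FIELD.search(name):
            hits.append(name)
    return hits


def scan_log(text):
    """Return (client_ip, method, field_name) for every request carrying a disallowed field name."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in suspicious_fields(m["target"]):
            findings.append((m["ip"], m["method"], field))
    return findings


if __name__ == "__main__":
    for ip, method, field in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} -> {field}")
```

Matching on parameter names rather than on raw substrings is what keeps the benign third line out of the results. The caveat a practitioner needs: the public PoC sends the binding fields in the POST body, which a standard access log does not record, so this scan only catches query-string variants; body-level detection has to happen at a WAF, a request-logging filter, or in the application itself (or, better, is made unnecessary by upgrading to a fixed release).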

 
