- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and older versions
- Java JDK 9
- Apache Tomcat versions below 10.0.20, 9.0.62, and 8.5.78
- Only applications packaged as a traditional WAR (with a spring-webmvc or spring-webflux dependency) and deployed on a standalone Servlet container are affected
- The issue can be escalated through classLoader manipulation
- The vulnerability is caused by improper data binding: request parameters are used to populate an object in a handler method (RequestMapping annotation) without restricting which properties may be set
- Attackers can load arbitrary classes and inject arbitrary code that the application then executes
- A similar vulnerability (CVE-2010-1622) had been disclosed earlier, and patches were applied to restrict access to `class.classLoader` and `class.protectionDomain`
- But JDK 9 introduced a new method, `class.getMethod()`, which bypasses that restriction by using `class.module.classLoader` to access any child property of the class object
- Successful exploitation of this vulnerability can lead to arbitrary code execution on the vulnerable machine.
- gokul-ramesh/Spring4Shell-POC (forked from lunasec-io/Spring4Shell-POC)
- Clone the repository and build the application: `docker build . -t spring4shell-poc-app`
- Alternatively, pull the Docker image (gokul2/spring4shell-poc): `docker pull gokul2/spring4shell-poc-app`
- Bring up the application: `docker run -p 8080:8080 spring4shell-poc-app`
- The application will now be available at localhost:8080.
- Run the `exploit.py` file
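The data-binding bug described above leaves a trace in the request: parameter names that descend into `class.classLoader`, `class.protectionDomain` or the JDK 9 route `class.module.classLoader`. The following detector is an added example (not part of this repository or of Spring) that flags such parameter names in Tomcat-style access-log lines; the log lines are constructed samples, and the log format assumed is the common format with the request line quoted.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Tomcat/Apache "common" access-log line; only the method and request target are needed.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# A bound parameter name should never descend into Class metadata. The three property
# paths are the ones named in the write-up: classLoader and protectionDomain (blocked after
# CVE-2010-1622) and module.classLoader (the JDK 9+ route). Matching is case-insensitive.
CLASS_PATH_RE = re.compile(r"(^|\.)class\.(module\.classloader|classloader|protectiondomain)(\.|$)", re.IGNORECASE)

def suspicious_params(target: str) -> list:
    """Return the query-string parameter names in a request target that reach into Class metadata."""
    hits = []
    for name, _value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; decode again so double-encoded names are caught.
        name = unquote(name)
        if CLASS_PATH_RE.search(name):
            hits.append(name)
    return hits

def scan_log(lines) -> list:
    """Report every logged request carrying a suspicious parameter name.
    Caveat: request bodies are not written to access logs, so parameters sent in a
    POST body are invisible here; inspect them at the application or WAF layer instead."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        if not match:
            continue
        for param in suspicious_params(match.group("target")):
            findings.append({"line": number, "method": match.group("method"), "param": param})
    return findings

# Constructed sample log lines (not real traffic); lines 2 and 3 should be flagged,
# line 4 only mentions "classloader" in a value and must not be.
LOG_SAMPLE = """\
10.0.0.5 - - [31/Mar/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 612
10.0.0.9 - - [31/Mar/2022:10:00:02 +0000] "GET /?class.module.classLoader.x=1 HTTP/1.1" 200 15
10.0.0.9 - - [31/Mar/2022:10:00:03 +0000] "POST /?%2563lass.module.%2563lassLoader.y=2 HTTP/1.1" 200 15
10.0.0.7 - - [31/Mar/2022:10:00:04 +0000] "GET /search?q=classloader+tutorial HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for hit in scan_log(LOG_SAMPLE.splitlines()):
        print(f"line {hit['line']}: {hit['method']} parameter {hit['param']!r}")
```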