spring4shell-scanner

This scanner will recursively scan paths including archives for spring libraries and classes that are vulnerable to CVE-2022-22965 and CVE-2022-22963.

Currently the allow list defines non exploitable versions, in this case spring-beans 5.3.18 and 5.2.20 and spring cloud function context 3.2.3

Features

scans recursively through all archives in archives in archives in archives etc
scan for known spring libraries (sha256 hash)
scan for CachedIntrospectionResults.class files
fast
show related CVE's found by version
detects class files with different extensions (eg .ezclass)
scans through all layers of local- and remote docker images
binary versions available for Windows, Linux and MacOS

References

CVE	References
CVE-2022-22965	https://tanzu.vmware.com/security/cve-2022-22965
CVE-2022-22963	https://tanzu.vmware.com/security/cve-2022-22963

Links

Scanning

Usage

Windows

$ spring4shell-scanner.exe {target-path}

Linux / OSX / FreeBSD

$ spring4shell-scanner {target-path}

Docker containers

Using the tool you can now also scan containers:

$ ./spring4shell-scanner scan-image logstash:7.16.1

or local images:

$ ./spring4shell-scanner scan-image --local {sha256|pattern}
$ ./spring4shell-scanner scan-image --local log4shell:latest
$ ./spring4shell-scanner scan-image --local 4949add9e671

# scan all local images
$ ./spring4shell-scanner scan-image --local

Usage

Windows

$ spring4shell-scanner.exe patch {target-path}

Linux / OSX / FreeBSD

spring4shell-scanner patch {target-path}

Build from source

Requirements:

Go 1.16 or newer

For development

$ git clone "https://github.com/dtact/spring4shell-scanner.git"
$ go build -o ./.builds/spring4shell-scanner ./main.go

Copyright and license

Code released under the MIT license.

mikef-nl/spring4shell-scanner

spring4shell-scanner

Features

References

Scanning

Usage

Windows

Linux / OSX / FreeBSD

Docker containers

Usage

Windows

Linux / OSX / FreeBSD

Build from source

For development

Copyright and license