Spring4Shell Zero-Day Vulnerability

Vulnerability Discovered in Java Spring Framework. Check Point Customers using CloudGuard AppSec preemptive protection are fully protected from Spring4Shell Attacks

About the Spring4Shell

The Spring Framework is a programming and configuration model providing infrastructure support for developers building Java applications. Spring is one of the most popular development platform on the market, with a popularity rating of 82.7% making the potential vulnerability impact wide-spread.

This week, several vulnerabilities have been identified affecting the popular Java Spring Framework and related software components – generally referred to as Spring4Shell.

Check Point is seeing exploit attempts against the following vulnerabilities among customers in the US and in Europe:

Organizations using Java Spring should immediately review their software and update to the latest versions by following the official Spring project guidance.

Check Point CloudGuard AppSec provides pre-emptive protection against exploits of the above CVEs. No software update is required.

To ensure that you are protected by CloudGuard AppSec, the only thing you need to do is to make sure that the Web Application or Web API Best Practice of your Asset is set to the Default Prevent Mode. No updates or other settings are needed.

How it works?

Check Point CloudGuard AppSec is using a Contextual Machine Learning using a three-phase approach for detecting and preventing attacks.

Phase 1 – Payload Decoding
Effective machine learning requires a deep understanding of the underlying application protocols which is continuously evolving. The engine is analyzing all relevant fields, including HTTP headers, which are critical in this case, JSON/XML extraction and payload normalization such as base64 and other decodings. A set of parsers covering common protocols feeds the relevant data into phase 2.

Phase 2 – Attack Indicators
Following parsing and normalization, the network payload input is fed into a high-performance engine which is looking for attack indicators. An attack indicator is a pattern of exploiting vulnerabilities from various families. We derive these attack patterns based on on-going off-line supervised learning of huge number of payloads that are each assigned a score according to the likelihood of being benign or malicious. This score represents the confidence level that this pattern is part of an attack. Since combinations of these patterns can provide a better indication for an attack a score is also calculated for the combination of patterns.

In the case of Spring4Shell we had several indicators from Injection / Remote Code Execution that signaled payloads to be malicious in a very high score which was enough on its own, but to ensure accuracy and avoidance of false positives, the engine always moves to the third and last phase.

Phase 3 – Contextual Evaluation Engine

This contextual engine is using machine learning techniques to make a final determination whether the payload is malicious, in the context of a specific customer/environment, user, URL and field that in a weighted function sums up to a confidence score. If the score is larger than the threshold the request is dropped.

These are the factors that are considered by the engine:

Reputation factor
In each request, the request originator is assigned a score. The score represents the originator’s reputation based on previous requests. This score is normalized and used to increase or decrease the confidence score.

Application awareness
Often modern applications allow users to modify web pages, upload scripts, use elaborate query search syntax, etc. These provide a better user experience but without application awareness, these are detected as malicious attacks. We use ML to analyze and baseline the underlying application’s behavior.

Learn user input format
The system can identify special user input types that are known to cause false detection and apply ML to modify our detection process and allow legitimate behavior without compromising attack detection.

False detection factor
If there is an inconsistency in detection a factor is applied to the confidence score based on the reputation factor per detection location.

Supervised learning module
Optional module that shows administrators payload and ask them to classify them thus accelerating the learning process.

What’s next?

If your organization is using Java Spring and not using CloudGuard AppSec, immediately review your software and update to the latest versions by following the official Spring project guidance.

If you are already using CloudGuard AppSec, you are protected!  To start a free-trial of CloudGuard AppSec, click here.

We will continue to provide updates regarding this vulnerability to keep you informed and protected.