16% of organizations worldwide impacted by Spring4Shell Zero-day vulnerability exploitation attempts since outbreak
05/04/2022 06:30 ET
Highlights:
- In the first weekend since the vulnerability was disclosed, Check Point Research spotted ~37K attempts to exploit the Spring4Shell vulnerability
- During the first 4 days, 16% of organizations worldwide were impacted by exploitation attempts
- Software vendors are the most impacted industry, with 28% of organizations impacted
- The most impacted region seen is Europe, with an impact of 20%
- Check Point customers remain protected; the vulnerability does not affect our Infinity portfolio
Last week it was reported that critical vulnerabilities (CVE-2022-22947 / CVE-2022-22965 / CVE-2022-22963) had been found in the open source Spring Framework, a programming and configuration model providing infrastructure support for developers building Java applications.
In our previous report we detailed that organizations using Java Spring should immediately review their software and update to the latest versions by following the official Spring project guidance.
In addition, we reported that Check Point CloudGuard AppSec provides pre-emptive protection against exploits of the above CVEs, which means that no software update is required and that these users are protected.
Today, a week after the outbreak, we share the numbers intercepted by our telemetry regarding the global distribution of exploitation attempts of these vulnerabilities.
In the first weekend since the vulnerability was disclosed we saw ~37K attempts to exploit the Spring4Shell vulnerability.
Figure 1: Vulnerability Allocation Attempts Since Outbreak
During the first 4 days after the vulnerability outbreak, 16% of organizations worldwide were impacted by exploitation attempts. The most impacted region seen is Europe, with an impact of 20%.
Figure 2: % Impacted organization per region
The most impacted industry is software vendors, where 28% of organizations were impacted by exploitation attempts.
Figure 3: % Impacted Organization per industry
If your organization is using Java Spring and is not using CloudGuard AppSec, immediately review your software and update to the latest versions by following the official Spring project guidance.
If you are already using CloudGuard AppSec, you are protected! No software update is required.
To ensure that you are protected by CloudGuard AppSec, the only thing you need to do is make sure that the Web Application or Web API Best Practice of your Asset is set to the default Prevent mode. No updates or other settings are needed.
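Reviewing your software starts with an inventory of which Spring artifacts each build pulls in and whether they sit below the versions the Spring project fixed. The following script is an added example written for this page (it is not Check Point's or the Spring project's code): it parses a Maven `pom.xml`, which is constructed inline here as sample input, and flags dependencies that fall below the fix thresholds for the three CVEs named above. The thresholds (Spring Framework 5.2.20 / 5.3.18, Spring Cloud Function 3.1.7 / 3.2.3, Spring Cloud Gateway 3.0.7 / 3.1.1) are taken from the Spring advisories and should be re-checked against the current guidance; the artifact-name matching is a heuristic assumed for illustration.

```python
"""Flag Spring dependencies in a Maven POM that sit below the Spring4Shell fix versions."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed versions per CVE, as published by the Spring project (verify before relying on them).
# `artifact_contains` is a substring heuristic assumed for this example, not an official list.
ADVISORIES: Dict[str, dict] = {
    "CVE-2022-22965": {"group": "org.springframework",
                       "artifact_contains": "spring-",
                       "fixed": [(5, 2, 20), (5, 3, 18)]},
    "CVE-2022-22963": {"group": "org.springframework.cloud",
                       "artifact_contains": "spring-cloud-function",
                       "fixed": [(3, 1, 7), (3, 2, 3)]},
    "CVE-2022-22947": {"group": "org.springframework.cloud",
                       "artifact_contains": "gateway",
                       "fixed": [(3, 0, 7), (3, 1, 1)]},
}


def parse_version(text: str) -> Version:
    """Turn '5.2.19.RELEASE' into (5, 2, 19); qualifiers after the numbers are ignored."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break  # stop at RELEASE, SNAPSHOT, etc.
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_below_fix(version: Version, fixed: List[Version]) -> bool:
    """True when `version` is on a fixed branch but older than its fix, or on a branch
    older than every fixed branch (those branches received no fix at all)."""
    branch = version[:2]
    for fix in fixed:
        if fix[:2] == branch:
            return version < fix
    return branch < min(f[:2] for f in fixed)


def _local(tag: str) -> str:
    """Strip the Maven XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def scan_pom(pom_xml: str) -> List[Tuple[str, str, str]]:
    """Return (group:artifact, version, CVE) for every dependency below a fix threshold."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        group = fields.get("groupId", "")
        artifact = fields.get("artifactId", "")
        version = fields.get("version", "")
        if not version or version.startswith("${"):
            continue  # version comes from a parent POM or BOM: resolve it separately
        for cve, rule in ADVISORIES.items():
            if (group == rule["group"]
                    and rule["artifact_contains"] in artifact
                    and is_below_fix(parse_version(version), rule["fixed"])):
                findings.append((f"{group}:{artifact}", version, cve))
    return findings


# Constructed sample POM: one patched and two unpatched Spring dependencies.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>5.3.17</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-context</artifactId>
      <version>3.2.3</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-gateway</artifactId>
      <version>3.0.6</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for coordinate, version, cve in scan_pom(SAMPLE_POM):
        print(f"{coordinate} {version}: below fix for {cve}")
```

A hit means the artifact version is below the fix, not that the deployment is exploitable: CVE-2022-22965, for example, depends on how the application is packaged and run, so treat the output as the list of builds to upgrade, and run the same check against resolved dependency trees (for example `mvn dependency:tree`) where versions are inherited from a BOM rather than declared in the POM.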
The Check Point Infinity architecture is protected against this threat. We verified that this vulnerability does not affect our Infinity portfolio (including Quantum Gateways, SMART Management, Harmony Endpoint, Harmony Mobile, SMB, ThreatCloud and CloudGuard).
Check Point Products Status
| Product | Status |
| --- | --- |
| Quantum Security Gateway | Not vulnerable |
| Quantum Security Management | Not vulnerable |
| CloudGuard | Not vulnerable |
| Infinity Portal | Not vulnerable |
| Harmony Endpoint & Harmony Mobile | Not vulnerable |
| Harmony Connect | Not vulnerable |
| SMB | Not vulnerable |
| ThreatCloud | Not vulnerable |
Notes:
- All Check Point software versions, including out-of-support versions, are not vulnerable.
- All appliances are not vulnerable.
IPS protections
Check Point released these IPS protections:
- Spring Core Remote Code Execution (CVE-2022-22965)
- Spring Cloud Function Remote Code Execution (CVE-2022-22963)
- Spring Cloud Gateway Remote Code Execution (CVE-2022-22947)
Check Point recommends activating HTTPS Inspection (in the Security Gateway properties -> HTTPS Inspection view), as the attack payload may appear in encrypted or decrypted traffic.
Harmony Endpoint for Linux and CloudGuard Containers Security have been automatically updated with the following Check Point protections:
Harmony Endpoint for Linux Protection
- Exploit_Linux_Spring4Shell_B
CloudGuard Containers Security Protection
- Exploit_Linux_Spring4Shell_A
CloudGuard Posture Management
Check Point added these CSPM rules to the Azure CloudGuard Best Practices ruleset:
- D9.AZU.CRY.30 – Ensure that Spring Cloud App has end-to-end TLS enabled
- D9.AZU.CRY.31 – Ensure that Spring Cloud App enforces HTTPS connections
- D9.AZU.IAM.33 – Ensure that Spring Cloud App has system-assigned managed identity enabled