Understanding Spring4Shell RCE from an engineer’s perspective

This content originally appeared on DEV Community and was authored by Canming Jiang


What happened?

On March 29, 2022, a very old RCE (remote code execution) vulnerability, tracked as CVE-2010-1622, was exposed in a series of Tweets. It affects most Java projects running on JDK 9+. The vulnerability lets an attacker compromise the server by having it execute a command carried in an HTTP request.

Who should worry about this vulnerability?

If your project meets all of the conditions below, you should take a serious look into this:

  • JDK 9+
  • Imports the spring-webmvc dependency
  • Deployed as a WAR rather than an executable JAR
  • Apache Tomcat as the Servlet container (currently the only container with a confirmed exploit)

How did this happen?

Before explaining more details, let’s first start with a simple API defined in a Spring MVC controller.

import java.util.HashMap;
import java.util.Map;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class DemoController {

    // Spring MVC data binding populates the Animal bean from request parameters
    // before this method runs; Animal is a plain JavaBean defined elsewhere in the project.
    @PostMapping("/animals")
    @ResponseBody
    public Map<String, Object> importAnimalIntoZoo(Animal animal) {
        HashMap<String, Object> response = new HashMap<>();
        response.put("data", animal);
        return response;
    }
}
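The controller above relies on Spring's request-parameter data binding, which walks nested property paths on the bound bean. The following program, an added example that is not part of the original post, shows that binding in isolation with Spring's DataBinder: a constructed parameter map is bound onto a stand-in Animal bean twice, once unguarded and once with the disallowed-field patterns that Spring's advisory recommended for this issue, and the suppressed fields are reported. The Animal class, the BindingGuardDemo class and the sample parameters are constructed for this example; only spring-beans and spring-context need to be on the classpath.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class BindingGuardDemo {

    // Constructed stand-in for the post's Animal bean, whose definition is not shown.
    public static class Animal {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Binds the given parameters onto a fresh Animal and returns the property
    // paths the binder refused. With guarded=true the disallowed-field patterns
    // from Spring's advisory are applied, so any path routed through the bean's
    // "class" property is suppressed instead of being navigated.
    static List<String> bind(MutablePropertyValues params, boolean guarded) {
        Animal animal = new Animal();
        DataBinder binder = new DataBinder(animal);
        if (guarded) {
            binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
        }
        binder.bind(params);
        return Arrays.asList(binder.getBindingResult().getSuppressedFields());
    }

    public static void main(String[] args) {
        // Constructed request parameters: one legitimate field and one nested
        // path that tries to reach the bean's java.lang.Class property.
        MutablePropertyValues params = new MutablePropertyValues();
        params.add("name", "cat");
        params.add("class.name", "not-an-animal");

        // Unguarded: the binder silently walks into getClass() and ignores the
        // unwritable leaf, so nothing is reported as suppressed.
        System.out.println("unguarded, suppressed paths: " + bind(params, false));

        // Guarded: the "class.*" path is rejected and shows up as suppressed,
        // which is also a useful signal to log for detection.
        System.out.println("guarded, suppressed paths:   " + bind(params, true));
    }
}
```

In a real application the same patterns belong in an @InitBinder method on a @ControllerAdvice so they apply to every controller, and upgrading to a patched Spring Framework release remains the primary fix; the disallowed-field list is a defence-in-depth layer.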



Canming Jiang | Sciencx (2022-04-07T18:16:11+00:00) Understanding Spring4Shell RCE from an engineer’s perspective. Retrieved from https://www.scien.cx/2022/04/07/understanding-spring4shell-rce-from-an-engineers-perspective/