{"id":18668,"date":"2022-04-04T18:00:34","date_gmt":"2022-04-05T02:00:34","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/04\/04\/news-12401\/"},"modified":"2022-04-04T18:00:34","modified_gmt":"2022-04-05T02:00:34","slug":"news-12401","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/04\/04\/news-12401\/","title":{"rendered":"SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965"},"content":{"rendered":"<p><strong>Credit to Author: Paul Oliveria| Date: Tue, 05 Apr 2022 01:11:24 +0000<\/strong><\/p>\n<p>Recently, several remote code execution (RCE) vulnerabilities in the Spring Framework for Java were <a href=\"https:\/\/www.springcloud.io\/post\/2022-03\/spring-framework-rce-early-announcement\/#gsc.tab=0\" target=\"_blank\" rel=\"noreferrer noopener\">publicly disclosed<\/a>. Microsoft is currently assessing the impact associated with these vulnerabilities. This blog is for customers who are looking for protections against exploitation and ways to detect vulnerable installations on their network of the critical vulnerability <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-22965\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2022-22965<\/a> (referred to in the security community as SpringShell or Spring4Shell).<\/p>\n<p>The Spring Framework is the most widely used lightweight open-source framework for Java. In versions Java Development Kit (JDK) 9.0 and later of the Spring Framework, a remote attacker can obtain an <em>AccessLogValve <\/em>object through the framework\u2019s parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path, if certain conditions are met.\u00a0<\/p>\n<p>The vulnerability in Spring Core\u2014known as SpringShell or Spring4Shell (CVE-2022-22965)\u2014can be exploited when an attacker sends a specially crafted query to a web server running the Spring Core framework.\u00a0There are other vulnerabilities disclosed in the same component which are less critical and not tracked as part of this blog.<\/p>\n<p>Impacted systems have the following traits:<\/p>\n<ul>\n<li>Running JDK 9.0 or later<\/li>\n<li>Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions.<\/li>\n<li>Apache Tomcat as the Servlet container<\/li>\n<li>Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted.<\/li>\n<li>Tomcat has <em>spring-webmvc<\/em> or <em>spring-webflux<\/em> dependencies<\/li>\n<\/ul>\n<h3>Is your system exploitable?<\/h3>\n<p>Any system using JDK 9.0 or later, and any system using the Spring Framework or derivative frameworks should be considered vulnerable. The following nonmalicious command can be used to test if your system is vulnerable to the specific attack outlined in the following section:<\/p>\n<pre class=\"wp-block-preformatted\">$ curl host:port\/path?class.module.classLoader.URLs%5B0%5D=0<\/pre>\n<p>A host that returns a HTTP 400 response should be considered vulnerable to the attack outlined in the proof of concept (POC).<\/p>\n<p>Although this test is a good indicator of a system\u2019s susceptibility to this attack, any system within the scope of the impacted systems list above should still be considered vulnerable.<\/p>\n<p>The <a href=\"https:\/\/www.microsoft.com\/microsoft-365\/security\/microsoft-365-defender\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><a href=\"https:\/\/docs.microsoft.com\/azure\/defender-for-cloud\/deploy-vulnerability-assessment-tvm\">threat and vulnerability management<\/a> console within <a href=\"https:\/\/www.microsoft.com\/microsoft-365\/security\/microsoft-365-defender\">Microsoft 365 Defender<\/a> provides detection and reporting for this vulnerability.<\/p>\n<h2>Observed activity<\/h2>\n<p>Microsoft regularly monitors attacks against our cloud infrastructure and services to better defend them. Since the Spring Core vulnerability was announced, we have been tracking a low volume of exploit attempts across our cloud services for both the Spring Cloud and Spring Core vulnerabilities.\u00a0For CVE-2022-22965, the attempts closely align with the basic web shell POC that is described in this post.<\/p>\n<h2>Attack breakdown<\/h2>\n<p>CVE-2022-22965 affects functions that use request mapping annotation and Plain Old Java Object (POJO) parameters within the Spring Framework. The POC code creates a controller that when loaded into Tomcat, handles HTTP requests. <\/p>\n<p>The only publicly available working POC is specific to Tomcat server&#8217;s logging properties via the <em>ClassLoader<\/em> module in the <em>propertyDescriptor<\/em> cache.&nbsp;The attacker can update the <em>AccessLogValve<\/em> class using the module, to create a web shell in the Tomcat root directory called <em>shell.jsp<\/em>. The attacker can then change the default access logs to a file of their choosing.<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"801\" height=\"436\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/fig1-poc-screenshot.png\" alt=\"Screenshot of an application UI with lines of code. One of said code lines is highlighted, with an annotation written in a non-English language.\" class=\"wp-image-110718\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/fig1-poc-screenshot.png 801w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/fig1-poc-screenshot-300x163.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/fig1-poc-screenshot-768x418.png 768w\" sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><figcaption>Figure 1. Screenshot from the original POC code post<\/figcaption><\/figure>\n<p>The changes to <em>AccessValveLog<\/em> can be achieved by an attacker who can use HTTP requests to create a <em>.jsp<\/em> file in the service\u2019s root directory. In the example below, each GET parameter is set as a Java object property. Each GET request then executes a Java code resembling the example below, wherein the final segment \u201csetPattern\u201d would be unique for each call (such as setPattern, setSuffix, setDirectory, and others):&nbsp;<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"797\" height=\"54\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/springshell-code-snippet1.png\" alt=\"Screenshot of Java codes of an actual exploit.\" class=\"wp-image-110721\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/springshell-code-snippet1.png 797w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/springshell-code-snippet1-300x20.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/springshell-code-snippet1-768x52.png 768w\" sizes=\"auto, (max-width: 797px) 100vw, 797px\" \/><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"799\" height=\"106\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/fig2-poc-screenshot.png\" alt=\"Screenshot of several lines of HTTP URLs.\" class=\"wp-image-110724\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/fig2-poc-screenshot.png 799w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/fig2-poc-screenshot-300x40.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/fig2-poc-screenshot-768x102.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\" \/><figcaption>Figure 2. Screenshot from the original POC code post<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"840\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/fig3-poc-screenshot.png\" alt=\"Screenshot of an application UI with lines of code.\" class=\"wp-image-110730\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/fig3-poc-screenshot.png 800w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/fig3-poc-screenshot-286x300.png 286w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/fig3-poc-screenshot-768x806.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption>Figure 3. Screenshot from the original POC code post<\/figcaption><\/figure>\n<p>The <em>.jsp<\/em> file now contains a payload with a password-protected web shell with the following format:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"797\" height=\"120\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/springshell-code-snippet3.png\" alt=\"Screenshot of the payload's web shell code.\" class=\"wp-image-110733\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/springshell-code-snippet3.png 797w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/springshell-code-snippet3-300x45.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/springshell-code-snippet3-768x116.png 768w\" sizes=\"auto, (max-width: 797px) 100vw, 797px\" \/><\/figure>\n<p>The attacker can then use HTTP requests to execute commands. While the above POC depicts a command shell as the inserted code, this attack could be performed using any executable code.<\/p>\n<h2>The vulnerability and exploit in depth<\/h2>\n<p>The vulnerability in Spring results in the ability of a client, in some cases, to modify sensitive internal variables inside the web server or application, by carefully crafting the HTTP request.<\/p>\n<p>In the case of the Tomcat web server, the vulnerability allowed for that manipulation of the Access Log to be placed in an arbitrary path, with somewhat arbitrary contents. The POC above sets the contents to be a JSP webshell and the path inside the Tomcat&#8217;s web application ROOT directory, which essentially drops a reverse shell inside of Tomcat. For the web application to be vulnerable, it needs to use Spring\u2019s request mapping feature, with the handler function receiving a Java object as a parameter.<\/p>\n<h3>Background<\/h3>\n<h4>Request mapping and request parameter binding<\/h4>\n<p>Spring allows developers to map HTTP requests to Java handler methods. The web application&#8217;s developer can ask Spring to call an appropriate handler method each time a user requests a specific URI. For instance, the following web application code will cause Spring to invoke the method <em>handleWeatherRequest<\/em> each time a user requests the uri <em>\/WeatherReport<\/em>:<\/p>\n<pre class=\"wp-block-preformatted\"><code>@RequestMapping(\u201c\/WeatherReport\u201d)<\/code> public string handleWeatherRequest(Location reportLocation) { \u2026 }<\/pre>\n<p>Moreover, through request parameter binding, the handler method can accept arguments passed through parameters in GET\/POST\/REST requests. In the above example, Spring will instantiate a <em>Location<\/em> object, initialize its fields according to the HTTP request\u2019s parameters, and pass it on to handleWeatherRequest. So, if for instance, <em>Location<\/em> will be defined as:<\/p>\n<pre class=\"wp-block-preformatted\"><code>class Location<br>{<br>&nbsp;&nbsp;&nbsp; public void setCountry(string country) {\u2026}<br>&nbsp;&nbsp;&nbsp; public void setCity(string city) {\u2026}<br>&nbsp;&nbsp;&nbsp; public string getCountry() {\u2026}<br>&nbsp;&nbsp;&nbsp; public string getCity() {\u2026}<br>}<\/code><\/pre>\n<p>If we issue an HTTP request:<\/p>\n<pre class=\"wp-block-preformatted\"><code>example.com\/WeatherReport?country=USA&amp;city=Redmond<\/code><\/pre>\n<p>The resulting call to <em>handleWeatherRequest<\/em> will automatically have a <em>reportLocation<\/em> argument with country set to USA and city set to Redmond. <\/p>\n<p>If <em>Location<\/em> had a sub-object named <em>coordinates<\/em>, which contained <em>longitude<\/em> and <em>latitude<\/em> parameters, then Spring would try and initialize them out of the parameters of an incoming request. For example, when receiving a request with GET params <em>coordinates.longitude=123&amp;coordinate.latitude=456<\/em> Spring would try and set those values in the <em>coordinates<\/em> member of <em>location<\/em>, before handing over control to <em>handleWeatherRequest<\/em>.<\/p>\n<p>The SpringShell vulnerability directly relates to the process Spring uses to populate these fields.<\/p>\n<h4>The process of property binding<\/h4>\n<p>Whenever Spring receives an HTTP request that is mapped to a handler method as described above, it will try and bind the request\u2019s parameters, for each argument in the handler method. Now, to stick with the previous example, a client asked for:<\/p>\n<pre class=\"wp-block-preformatted\"><code>example.com\/WeatherReport?x.y.z=foo<\/code><\/pre>\n<p>Spring would instantiate the argument (in our case create a <em>Location<\/em> object). Then it breaks up the parameter name by dots (.), and tries to do a series of steps:<\/p>\n<ol type=\"1\">\n<li>Using Java introspection map all accessors and mutators in <em>location<\/em>.<\/li>\n<li>If location has a getX<em>()<\/em> accessor, call it to get the <em>x<\/em> member of location.<\/li>\n<li>Using Java introspection map all accessors and mutators in the<em> x<\/em> object.<\/li>\n<li>If the <em>x<\/em> object has a <em>getY<\/em>() accessor, call it to get the <em>y<\/em> object inside of the <em>x<\/em> object.<\/li>\n<li>Using Java introspection map all accessors and mutators in the<em> y<\/em> object.<\/li>\n<li>If the <em>y<\/em> object has a <em>setZ()<\/em> mutator, call it with parameter <em>\u201cfoo\u201d<\/em>.<\/li>\n<\/ol>\n<p>So essentially, ignoring the details, we get <em>location.getX().getY().setZ(\u201cfoo\u201d)<\/em>.<\/p>\n<h3>The vulnerability and its exploitation<\/h3>\n<h4>Prelude: CVE-2010-1622<\/h4>\n<p>In June 2010, a CVE was <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2010-1622\" target=\"_blank\" rel=\"noreferrer noopener\">published<\/a> for the Spring framework. The crux of the CVE was as follows:<\/p>\n<ol type=\"1\">\n<li>All Java objects implicitly contain a <em>getClass()<\/em> accessor that returns the <em>Class<\/em> describing the class of the object.<\/li>\n<li><em>Class<\/em> objects have a <em>getClassLoader()<\/em> accessor the gets the <em>ClassLoader<\/em> object.<\/li>\n<li>Tomcat uses its own class loader for its web applications. This class loader contains various members that can affect Tomcat\u2019s behavior. One such member is <em>URLs<\/em>, that is an array of URLs the class loader uses to retrieve resources from.<\/li>\n<li>Overwriting one of the URLs with a URL to a remote JAR file would cause Tomcat to subsequently load the JAR from an attacker-controlled location.<\/li>\n<\/ol>\n<p>The bug was fixed in Spring by preventing the mapping of the <em>getClassLoader()<\/em> or <em>getProtectionDomain()<\/em> accessors of <em>Class<\/em> objects during the property binding phase. Hence <em>class.classLoader<\/em> would not resolve, thwarting the attack.<\/p>\n<h4>The current exploit: CVE-2022-22965<\/h4>\n<p>The current exploit leverages the exact same mechanism as in CVE-2010-1622, bypassing the previous bug fix. Java 9 added a new technology called Java Modules. An accessor was added to the <em>Class<\/em> object, called <em>getModule()<\/em>. The <em>Module<\/em> object contains a <em>getClassLoader()<\/em> accessor. Since the CVE-2010-1622 fix only prevented mapping the <em>getClassLoader()<\/em> accessor of <em>Class<\/em> objects, Spring mapped the <em>getClassLoader()<\/em> accessor of the <em>Module<\/em> object. Once again one could reference the class loader from Spring, via the <em>class.module.classLoader<\/em> parameter name prefix.<\/p>\n<h4>From ClassLoader to AccessLogValve<\/h4>\n<p>The latest exploit uses the same accessor chaining, via the Tomcat class loader, to drop a JSP web shell on the server.<\/p>\n<p>This is done by manipulating the properties of the AccessLogValve object in Tomcat\u2019s pipeline. The AccessLogValve is referenced using the <em>class.module.classLoader.resources.context.parent.pipeline.first<\/em> parameter prefix.<\/p>\n<p>The following properties are changed:<\/p>\n<ol type=\"1\">\n<li>Directory \u2013 The path where to store the access log, relative to Tomcat\u2019s root directory. This can be manipulated to point into a location accessible by http requests, such as the web application\u2019s directory.<\/li>\n<li>Prefix \u2013 The prefix of the access log file name<\/li>\n<li>Suffix \u2013 The suffix of the access log file name. The log file name is a concatenation of the prefix with the suffix.<\/li>\n<li>Pattern \u2013 A string that describes the log record structure. This can be manipulated so that each record will essentially contain a JSP web shell.<\/li>\n<li>FileDateFormat \u2013 Setting this causes the new access log settings to take effect.<\/li>\n<\/ol>\n<p>Once the web shell is dropped on the server, the attacker can execute commands on the server as Tomcat.<\/p>\n<h2>Discovery and mitigations<\/h2>\n<h3>How to find the vulnerability<\/h3>\n<p id=\"workarounds\"><a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/threat-vulnerability-management\" target=\"_blank\" rel=\"noreferrer noopener\">Threat and vulnerability management<\/a> capabilities in Microsoft Defender for Endpoint monitor an organization\u2019s overall security posture and equip customers with real-time insights into organizational risk through continuous vulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities. Customers can now search for CVE-2022-22965 to find vulnerable devices through the <a href=\"https:\/\/securitycenter.microsoft.com\/vulnerabilities?search=CVE-2022-22965\" target=\"_blank\" rel=\"noreferrer noopener\">Weaknesses<\/a> page in threat and vulnerability management.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"975\" height=\"220\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/image.png\" alt=\"Screenshot of Weaknesses page where you can search for CVE-2022-22965 to find vulnerable devices.\" class=\"wp-image-110844\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/image.png 975w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/image-300x68.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/04\/image-768x173.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><figcaption>Figure 4. Weaknesses page in Microsoft Defender for Endpoint<\/figcaption><\/figure>\n<h3>Patch information and workarounds<\/h3>\n<p>Customers are encouraged to apply these mitigations to reduce the impact of this threat. Check the recommendations card in Microsoft 365 Defender threat and vulnerability management for the deployment status of monitored mitigations<\/p>\n<p>Apply the following mitigations to reduce the impact of this threat:<\/p>\n<ul>\n<li>An <a href=\"https:\/\/spring.io\/blog\/2022\/03\/31\/spring-boot-2-6-6-available-now\" target=\"_blank\" rel=\"noreferrer noopener\">update<\/a> is available for <a href=\"https:\/\/tanzu.vmware.com\/security\/cve-2022-22965\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2022-22965<\/a>. Administrators should upgrade to versions 5.3.18 or later or 5.2.19 or later. If the patch is applied, no other mitigation is necessary.<\/li>\n<\/ul>\n<p>If you\u2019re unable to patch CVE-2022-22965, you can implement this set of workarounds published by <a href=\"https:\/\/www.springcloud.io\/post\/2022-03\/spring-framework-rce-early-announcement\/#gsc.tab=0\" target=\"_blank\" rel=\"noreferrer noopener\">Spring<\/a>:<\/p>\n<ul>\n<li>Search the @InitBinder annotation globally in the application to see if the dataBinder.setDisallowedFields method is called in the method body. If the introduction of this code snippet is found, add <code>{\"class.*\",\"Class.*\",\"*.class.*\", \"*.Class.*\"}<\/code> to the original blacklist. (<strong>Note:<\/strong> If this code snippet is used a lot, it needs to be appended in each location.)<\/li>\n<li>Add the following global class into the package where the Controller is located. Then recompile and test the project for functionality:<\/li>\n<\/ul>\n<pre class=\"wp-block-preformatted\">import org.springframework.core.annotation.Order;         import org.springframework.web.bind.WebDataBinder;         import org.springframework.web.bind.annotation.ControllerAdvice;         import org.springframework.web.bind.annotation.InitBinder;         @ControllerAdvice         @Order(10000)         public class GlobalControllerAdvice{              @InitBinder              public void setAllowedFields(webdataBinder dataBinder){              String[]abd=new string[]{\"class.*\",\"Class.*\",\"*.class.*\",\"*.Class.*\"};              dataBinder.setDisallowedFields(abd);              }         }<\/pre>\n<h2>Detections<\/h2>\n<h3>Microsoft 365 Defender<\/h3>\n<h4>Endpoint detection and response (EDR)<\/h4>\n<p>Alerts with the following title in the security center can indicate threat activity on your network:<\/p>\n<ul>\n<li>Possible SpringShell exploitation<\/li>\n<\/ul>\n<p>The following alerts for an observed attack, but might not be unique to exploitation for this vulnerability:<\/p>\n<ul>\n<li>Suspicious process executed by a network service<\/li>\n<\/ul>\n<h4>Antivirus<\/h4>\n<p>Microsoft Defender antivirus version <strong>1.361.1234.0<\/strong> or later detects components and behaviors related to this threat with the following detections:<\/p>\n<ul>\n<li>Trojan:Python\/SpringShellExpl<\/li>\n<li>Exploit:Python\/SpringShell<\/li>\n<li>Backdoor:PHP\/Remoteshell.V<\/li>\n<\/ul>\n<h3>Hunting<\/h3>\n<h4>Microsoft 365 Defender advanced hunting queries&nbsp;<\/h4>\n<p>Use the query below to surface exploitation of CVE-2022-22965 on both victim devices and devices performing the exploitation. Note that this query only covers HTTP use of the exploitation and not HTTPS.<\/p>\n<pre class=\"wp-block-preformatted\">DeviceNetworkEvents | where ActionType =~ \"NetworkSignatureInspected\" | where AdditionalFields contains \".jsp?pwd=\" and AdditionalFields contains \"&amp;cmd=\" | summarize makeset(AdditionalFields, 5), min(Timestamp), max(Timestamp) by DeviceId, DeviceName<\/pre>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/04\/04\/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965\/\">SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/04\/04\/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Paul Oliveria| Date: Tue, 05 Apr 2022 01:11:24 +0000<\/strong><\/p>\n<p>Microsoft provides guidance for customers looking for protections against exploitation and ways to detect vulnerable installations on their network of the critical vulnerability CVE-2022-22965, also known as SpringShell or Spring4Shell.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/04\/04\/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965\/\">SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[4500,22453,25599,25600,10752],"class_list":["post-18668","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-cybersecurity","tag-microsoft-security-intelligence","tag-spring-framework","tag-springshell","tag-vulnerabilities"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18668","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18668"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18668\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18668"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18668"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18668"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}