https://www.praetorian.com/blog/spring-core-jdk9-rce/
Spring Core on JDK9+ is vulnerable to remote code execution
by Anthony Weems and Dallas Kaman on March 30, 2022

Overview

Spring Core on JDK9+ is vulnerable to remote code execution due to a bypass for CVE-2010-1622. At the time of writing, this vulnerability is unpatched in Spring Framework and there is a public proof-of-concept available. As we have remediation advice for customers (see below), we have elected to share this information publicly.

Spring Core is a very popular Java framework for building modern Java web applications. In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted POST request to a vulnerable system. However, exploitation of other configurations will require the attacker to do additional research to find payloads that will be effective. This vulnerability allows an unauthenticated attacker to execute arbitrary code on the target system.

As part of our Chariot offering, we carefully monitor OSINT sources for news of potential new vulnerabilities. Based on these sources, Praetorian began research on March 29th to determine the bypass mechanism and exploit conditions.

Exploitation requires an endpoint with DataBinder enabled (e.g. a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application. For example, when Spring is deployed to Apache Tomcat, the WebAppClassLoader is accessible, which allows an attacker to call getters and setters to ultimately write a malicious JSP file to disk. However, if Spring is deployed using the Embedded Tomcat Servlet Container, the classloader is a LaunchedURLClassLoader, which has limited access.
We have disclosed full details of our exploit to the Spring security team, and are holding off on publishing more information until a patch is in place.

Remediation

In Spring Framework, DataBinder has functionality to disallow certain patterns. As a temporary mitigation for this vulnerability, Praetorian recommends creating a ControllerAdvice component (which is a Spring component shared across Controllers) and adding dangerous patterns to the denylist. An example snippet is shown below:

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applies to every controller in the application. @Order sets precedence
// among ControllerAdvice beans (lower value = higher priority).
@ControllerAdvice
@Order(10000)
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Refuse any request field whose path walks through a "class" property.
        // Both spellings are listed because pattern matching is case-sensitive.
        String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

About the Authors

Anthony Weems is a Principal Security Engineer at Praetorian.

Dallas Kaman is a Principal Security Engineer at Praetorian.
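To see what the denylist actually does to an incoming request, the following added example (not from the original post or from Praetorian) drives Spring's DataBinder directly with a constructed set of request fields; the Form bean and the field names are assumptions.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.BindingResult;
import org.springframework.validation.DataBinder;

import java.util.Arrays;

public class DenylistCheck {

    // Hypothetical form bean of the kind a controller binds a POST body into.
    public static class Form {
        private String name;
        private String className;  // legitimate field whose name merely starts with "class"
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getClassName() { return className; }
        public void setClassName(String className) { this.className = className; }
    }

    // Binds the given values with the page's denylist applied and returns the
    // fields DataBinder refused to bind (checked before any setter is touched).
    static String[] suppressedFields(MutablePropertyValues pvs, Form target) {
        DataBinder binder = new DataBinder(target);
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
        binder.bind(pvs);
        BindingResult result = binder.getBindingResult();
        return result.getSuppressedFields();
    }

    public static void main(String[] args) {
        // Constructed request fields: two legitimate ones and one whose path
        // tries to descend into the bean's Class object via the "class" property.
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("name", "alice");
        pvs.add("className", "Form");
        pvs.add("class.something", "x");  // constructed; any "class." prefix is denied

        Form form = new Form();
        String[] suppressed = suppressedFields(pvs, form);

        // "class.something" is suppressed; "name" and "className" bind normally,
        // since "class.*" only matches paths that start with "class.".
        System.out.println("suppressed: " + Arrays.toString(suppressed));
        System.out.println("name=" + form.getName() + " className=" + form.getClassName());
    }
}
```

Note that setDisallowedFields replaces the binder's list rather than appending to it, so a controller-local @InitBinder method that calls setDisallowedFields itself will override the global denylist for that controller.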