Make writing a habit together! This is the fifth day of my participation in the “Gold Digging Day New Plan · April More text Challenge”. Click here for more details.
Holes that
Where can you see the spring bug this time? Let’s go straight to the Spring website. The blog module will be able to see the official spring documentation.
On March 30, 2022, Spring framework exposed RCE 0Day vulnerability, Spring framework remote command execution vulnerability (CNVD-2022-23942) has been included in the National Information Security Vulnerability Sharing Platform (CNVD), considering the wide application of Spring framework, vulnerability was rated as dangerous.
This vulnerability can be used to write webshells and execute commands. In JDK9 (or later) of the Spring framework, a remote attacker can use the framework’s parameter binding function to obtain AccessLogValve objects and such malicious field values on the basis of certain conditions, thus triggering the pipeline mechanism and writing to files in arbitrary paths. For those of you who don’t know what this AccessLogValve object is, we all use it a lot. I just didn’t notice:
In tomcat’s server.xml file, AccessLogValve is the logging class used to log container access requests. The AccessLogValve handles generating access logs. The idea is to dynamically modify the parameter value of this object, then write the specified file (such as JSP file) to the container, and then write shell script commands from the written file to execute.
Hole conditions
-
Apache Tomcat as a Servlet container;
-
Use JDK9 or above Spring MVC framework;
-
The framework of the Spring framework and derivative Spring beans – *. Jar file or CachedIntrospectionResults. Class
scope
jdk
JDK 9+
Spring
5.3.0 to 5.3.17
5.2.0 to 5.2.19
An older version
Try to reappear
Let’s first try to see if we can reproduce it and then talk about how to solve it:
- Look at the environment
- Building a Maven-based Web project with spring-MVC framework is nothing special about normal engineering. The main thing to note is that Maven is packaged as a WAR package. Do not start the deployment directly in IDEA.
Note the version of the protocol corresponding to Spring:
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>5.310.</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>5.310.</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>5.310.</version>
</dependency>
Copy the code
Define a simple controller
@Controller
public class IndexController {
@RequestMapping("/test1")
@ResponseBody
public String index(User user) {
user = new User();
user.setAddress("123");
returnuser.getAddress(); }}Copy the code
- To access the corresponding path, add the following parameters.
Explain the meanings of the above parameters
class.module. This. Resources. The context. The parent. Pipeline. First, the pattern class = build file content.module. This. Resources. The context. The parent. Pipeline. The first. The suffix = modify tomcat log file suffix class.module. This. Resources. The context. The parent. Pipeline. The first. The directory = write files in the root directory of the class website.module. This. Resources. The context. The parent. Pipeline. First, the prefix = written to the file name of the class.module. This. Resources. The context. The parent. Pipeline. First. FileDateFormat = date format file (the actual structure of null values)Copy the code
- The result will be the JSP file you want to write to in the root directory.
This file is in the root directory and can be accessed directly from outside. You can then use this file to write various shell commands.
Self checking holes
- Check whether you are using the Spring framework (including but not limited to the following methods)
(1) Check whether the specified version of Spring framework is used in the project:
You can traverse the project file to see if it contains Spring-beans -*.jar
(2) Check whether Spring framework exists in WAR package:
Check whether the war package contains the spring-beans-*.jar file. If it does, it indicates that the Spring development framework is used. If there is no, then further confirm the existence of CachedIntrospectionResults. Class files, if there is using the Spring development framework or derivative framework.
- Check the JDK version used by projects containing the Spring framework. JDK version >=9 is at risk.
Bug fix
Spring officials suggest that this is best done by upgrading the Spring version, but there are other ways to focus fixes
- Upgrade spring to 5.3.18 and 5.2.20 or later
- Upgrade tomcat
- Lowering the JDK Version
- Disallow requests with specified parameters
Let’s talk about the last option: you need to add controller interception
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {
@InitBinder
public void setAllowedFields(WebDataBinder dataBinder) {
String[] denylist = new String[]{"class.*"."Class.*"."*.class.*"."*.Class.*"}; dataBinder.setDisallowedFields(denylist); }}Copy the code
However, it is recommended to upgrade the Spring version, as there may be unknown issues with the current version.
The preferred response is to update to Spring Framework 5.3.18 and 5.2.20 or greater. If you have done this, then no workarounds are necessary. However, some may be in a position where upgrading is not possible to do quickly. For that reason, we have provided some workarounds below.
Bug status quo
At present, spring has officially fixed the vulnerability, now pull the latest Spring JAR package through my above replay steps to test and find the result:
Welcome to follow “IT technology small stack” share job hunting, job, technical dry goods.