On 30 March 2022, details were leaked of a Spring Framework RCE that impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The team at Spring released a blog post that documented the vulnerability. The exploit is commonly referenced as Spring4Shell.
Spring listed several conditions necessary to execute the exploit:
- JDK 9 or higher
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
- Tomcat must run on the application as a WAR deployment
- Deployed as a standalone Tomcat instance
- spring-webmvc or spring-webflux dependency
The conditions listed are only documented known vectors of exploitation and are not limited to that list.
WatchGuard is currently reviewing all its products and services and so far, has determined that several of the services meet one but not all of the Spring Framework vulnerability requirements. We have yet to confirm exploitation against our products because they do not meet the necessary conditions.
The exploit requires an application to run on Tomcat Servlet Container as a WAR deployment. No services in AuthPoint are deployed in this way. Attempts by WatchGuard to exploit the vulnerability have not succeeded, but we plan to upgrade all AuthPoint services that use Spring Framework out of an abundance of caution.
In TDR v126.96.36.19993, we upgraded the Spring .jar version used by TDR and AD Helper out of an abundance of caution. Exploitation is not considered possible, even with the previous TDR and AD Helper versions.
WatchGuard System Manager
WatchGuard System Manager uses Java but does not use the Spring Framework.
The Firebox Intrusion Prevention Service (IPS) has signatures that detect and block these attacks:
- 1230875 WEB Spring Cloud SpEL RCE (CVE-2022-22963)
- 1230879 WEB Spring Core RCE -1
- 1230887 WEB Spring Core RCE -2
- 1230880 WEB VMware Spring Expression DoS Vulnerability (CVE-2022-22950)
- 1230888 WEB Spring Core RCE -3
Update the IPS signatures on your Firebox to signature set v4.1270 and TDTS v18.205.