Understanding Spring4Shell RCE from an engineers perspective

What happened?

On March 29, 2022, A very old RCE (remote code execution) loophole tracked as CVE-2010-1622 was exposed in a series of Tweets. It affects most java projects using JDK 9+. This loophole enables attackers to exploit the server by executing a command on a server carried in a HTTP request.

Who should worry about this vulnerability?

If your project meets all conditions below, then you should take a serious look into this:

• JDK 9+
• Imported spring-webmvc dependency
• Deployed as WAR but not JAR
• Apache Tomcat as the Servlet container (the only container confirmed exploit currently)

How did this happen?

Before explaining more details, lets first start with a simple API defined in SpringMVC controller.

@Controllerpublic class DemoController {    @PostMapping("/animals")    @ResponseBody    public Map<String, Object> importAnimalIntoZoo(Animal animal) {        HashMap<String, Object> response = new HashMap<>();        response.put("data", animal);        return response;    }}

read more...