Contrast has added additional hardening to protect customers from Spring4Shell, the latest zero-day security issue that takes advantage of a vulnerability in a widely adopted application framework for Java. Contrast Protect now includes a new rule designed to further safeguard against the exploit discovered in Spring4Shell and against similar past and future exploits. The new Protect rule, named Class Loader Manipulation, denies attackers access to application class loaders, closing off an important vector for escalating attacks to remote code execution (RCE). The rule is available in Contrast Java agents version 3.12.0.25978 and later.
To help answer any questions you may have about the new Class Loader Manipulation rule, Contrast has put together a comprehensive Q&A below.
Q: What Is Class Loader Manipulation?
A: As seen in CVE-2022-22965 (Spring4Shell) and CVE-2014-0114 (Apache Struts ClassLoader manipulation), attackers manipulate an application’s class loader as a means to escalate their attacks to RCE. Spring4Shell is a bypass of the fix for CVE-2010-1622, which stopped Spring’s data binder from walking the property path class.classLoader; on JDK 9 and later, Class.getModule() opened an alternative path, class.module.classLoader, that the old fix did not cover. In the exploit that began circulating on the day of disclosure, attackers used that property path to reach Tomcat’s web application class loader and, through it, the configuration of Tomcat’s access-log valve, which they redirected to write a JSP web shell into the web root; the attacker can then execute commands remotely through that shell. In similar past exploits, attackers manipulate an application’s class loader so that it loads malicious code from a URL the attacker controls. In either case, manipulating the application’s class loader is the key step in escalating the attack to RCE.
Q: How Does This Rule Better Protect Contrast Users?
A: Recall the following excerpt from our blog post, ‘New Spring4Shell Zero-Day Vulnerability Confirmed: What it is and how to be prepared’:
For Contrast customers, Protect can detect and block the current public exploit circulating the web. However, exploit writers will find ways around it quickly. The exploit in circulation installs a backdoor that is simple to detect and block. We are working on more robust controls at the moment and will release them as soon as possible.
On the day Spring4Shell was disclosed, Contrast Protect’s command injection rule blocked the operating-system commands that the exploit passed through HTTP requests to the web shell, which prevented RCE; however, Protect did not prevent attackers from installing the JSP web shell in the first place.
Of course, we aim to block these attacks even sooner, so that the attacker is denied the opportunity to install a web shell or take other malicious actions. The new Class Loader Manipulation rule is the “more robust control” we have been working on. It prevents attackers from manipulating the application’s class loader at all, let alone installing a web shell or other malicious code, and it is designed to guard users against variations of Spring4Shell and against future copycat zero-days in other frameworks that expose a class loader through the same kind of reflective property binding. It is a runtime mitigation, not a substitute for the upstream fix: applications should still upgrade to Spring Framework 5.3.18 or 5.2.20 (Spring Boot 2.6.6 or 2.5.12), which closes the vulnerable binding path itself.
Q: How Does Protect Block Class Loader Manipulation?
A: Class loader manipulation vulnerabilities are most likely to exist in Java web application frameworks that use mass assignment (binding request parameters directly onto bean properties), object deserialization libraries, and expression language evaluators. These technologies share something in common: they map untrusted data from HTTP requests onto the application’s Java types using Java’s reflection API, so a parameter name that walks from a bean to its class, and from the class to its class loader, becomes a chain of reflective getter calls the application makes on the attacker’s behalf.
The new Protect Class Loader Manipulation rule does not pattern-match user input before blocking attacks, since exploit variants can evade such matching by spelling the same property path differently; instead, it uses Protect’s sandboxing technique to deny any attempt to use reflection to invoke the common class loader accessor methods that attackers exploit, regardless of how the request that triggered the call was formed.
This sandboxing technique is uniquely available to runtime application self-protection (RASP) agents like Contrast Protect. Endpoint protection tools cannot replicate this.
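To make the mechanism in this answer concrete, here is an added Java example; it is not Contrast’s code and not Spring’s data binder, but a deliberately naive binder of the same shape. It shows how reflective mass assignment turns the request parameter name class.module.classLoader into form.getClass().getModule().getClassLoader(), where a sandbox-style check on the invoked method would sit, and how a binder that validates the property path up front refuses the same input. The UserForm bean, the DENIED_SEGMENTS list and the CLASS_LOADER_ACCESSORS list are illustrative assumptions, not the Protect rule’s actual configuration. Like the real exploit, the walk through Class.getModule() needs JDK 9 or later.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;

// Added example (not Contrast's or Spring's code). Shows how reflective mass
// assignment walks from a form bean to a ClassLoader, and two places to stop it.
public class ClassLoaderBindingDemo {

    // Hypothetical form bean of the kind a Spring @ModelAttribute or Struts
    // ActionForm binds request parameters onto. Only "name" is meant to be writable.
    public static class UserForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Illustrative deny list of property segments a binder should never traverse.
    private static final Set<String> DENIED_SEGMENTS =
            Set.of("class", "classLoader", "protectionDomain", "module");

    // Illustrative list of class loader accessors a runtime sandbox would refuse
    // to invoke reflectively (an assumption, not the Protect rule's actual list).
    private static final Set<String> CLASS_LOADER_ACCESSORS = Set.of(
            "java.lang.Class.getClassLoader",
            "java.lang.Module.getClassLoader",
            "java.lang.Thread.getContextClassLoader");

    private static String capitalize(String s) {
        return Character.toUpperCase(s.charAt(0)) + s.substring(1);
    }

    // Naive binder core: each dotted segment becomes a reflective JavaBean getter
    // call. On JDK 9+ the path "class.module.classLoader" resolves to
    // form.getClass().getModule().getClassLoader(), which is how Spring4Shell
    // reached Tomcat's web application class loader.
    static Object naiveResolve(Object root, String path, boolean sandboxed) throws Exception {
        Object current = root;
        for (String segment : path.split("\\.")) {
            Method getter = current.getClass().getMethod("get" + capitalize(segment));
            String target = getter.getDeclaringClass().getName() + "." + getter.getName();
            // Where a runtime sandbox sits: the check is on the method being
            // invoked, not on how the request spelled the property path.
            if (sandboxed && CLASS_LOADER_ACCESSORS.contains(target)) {
                throw new SecurityException("reflective call to " + target + " denied");
            }
            current = getter.invoke(current);
        }
        return current;
    }

    // Hardened binder: reject the property path before any reflection happens,
    // then bind only String properties through their setters.
    static void hardenedBind(Object root, String path, String value) throws Exception {
        String[] segments = path.split("\\.");
        for (String segment : segments) {
            if (DENIED_SEGMENTS.contains(segment)) {
                throw new IllegalArgumentException("disallowed property path: " + path);
            }
        }
        Object target = root;
        for (int i = 0; i < segments.length - 1; i++) {
            target = target.getClass().getMethod("get" + capitalize(segments[i])).invoke(target);
        }
        String last = segments[segments.length - 1];
        Method setter = target.getClass().getMethod("set" + capitalize(last), String.class);
        setter.invoke(target, value);
    }

    public static void main(String[] args) throws Exception {
        UserForm form = new UserForm();
        // Constructed request parameters: one legitimate field and the prefix of
        // the Spring4Shell property path, cut off where Tomcat-specific getters begin.
        Map<String, String> request = Map.of(
                "name", "alice",
                "class.module.classLoader", "attacker-controlled value");

        // 1. Naive mass assignment hands back the class loader that loaded UserForm.
        Object reached = naiveResolve(form, "class.module.classLoader", false);
        System.out.println("naive binder reached: " + reached.getClass().getName());

        // 2. Same path with the class loader accessor sandboxed.
        try {
            naiveResolve(form, "class.module.classLoader", true);
        } catch (SecurityException e) {
            System.out.println("sandbox: " + e.getMessage());
        }

        // 3. Hardened binder: the dangerous path never reaches reflection.
        for (Map.Entry<String, String> param : request.entrySet()) {
            try {
                hardenedBind(form, param.getKey(), param.getValue());
                System.out.println("bound " + param.getKey() + " = " + form.getName());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with any JDK 9 or later (javac ClassLoaderBindingDemo.java && java ClassLoaderBindingDemo). The first step prints the name of the class loader the naive binder reached; the second shows the sandboxed check refusing the Module.getClassLoader() call even though the request itself was never inspected; the third shows the path-validating binder rejecting the attack parameter and binding only name. The deny list is the smallest change that demonstrates the idea; in a real Spring application the stronger control is an explicit allow list of bindable fields via WebDataBinder.setAllowedFields, so that anything not named is rejected by default.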
Q: What are the Risks?
A: Contrast Protect rules aim to strike the right balance between accuracy, performance, and protection. Like any Protect rule, in blocking mode, false positives can disrupt an application’s normal functions.
Before releasing the Class Loader Manipulation rule, Contrast tested for false positives on hundreds of test applications and found none. We believe the risk of false positives is low. Still, users can make sure the rule will not disrupt their applications by first running it in monitoring mode, in which Contrast agents report attacks but do not block them. Any false positives from this rule will be evident from exercising applications under a normal workload while watching Contrast for reported attacks that do not correspond to real malicious traffic. Monitoring mode gives users a risk-free way to confirm that this rule will not disrupt normal application functionality before configuring it to block attacks.
Q: When Is this available to Enterprise On-Premise Users?
A: This rule will be included in the next regularly scheduled release of Contrast’s Enterprise On-Premise (EOP) product; however, EOP users are able to use this rule in a limited fashion to block Spring4Shell exploits today.
EOP users who want the added protection the Class Loader Manipulation rule provides will need to update their Java agent to version 3.12.0.25978 or later and contact support@contrastsecurity.com for help configuring the agent to block class loader manipulation attacks. All Contrast Java agent versions are available in Maven Central.
See Contrast Security in action
Connect with us now to learn how Contrast can protect your Java applications against exploits like Log4j and Spring4Shell and how you can get started today.
Watch our live webinar recording “CISO Guidance on Spring4Shell,” in which the Contrast Labs team reviews the latest details of Spring4Shell and how to protect yourself now and going forward.
Article by Contrast Security