Spring4shell on AWS
How Spring4shell Manifests in AWS
Spring4shell (CVE-2022-22965) exploits a deserialization vulnerability in Spring Framework's parameter binding mechanism. In AWS environments, this vulnerability manifests through Spring Boot applications running on Elastic Beanstalk, ECS containers, or EC2 instances. The attack vector specifically targets the org.springframework.web.context.request.RequestContextListener class when processing multipart requests with malicious Content-Type headers.
AWS-specific manifestations include:
- Spring Boot applications deployed on Elastic Beanstalk using Tomcat 9.0.43+ without proper security patches
- ECS containers running Spring applications with exposed actuator endpoints on public subnets
- Lambda functions with Spring dependencies that process untrusted HTTP requests
- API Gateway integrations with Spring Boot backends that don't validate Content-Type headers
The vulnerability allows remote code execution when an attacker sends a crafted request with a Content-Type header containing a JNDI lookup pattern. In AWS environments, successful exploitation can lead to EC2 instance compromise, credential theft from the instance metadata service, or unauthorized access to other AWS services through the compromised application's permissions.
Real-world attack patterns in AWS include:

```http
POST /api/upload HTTP/1.1
Host: example.elasticbeanstalk.com
Content-Type: application/x-java-serialized-object;class=org.springframework.web.context.request.RequestContextListener
Content-Length: 1234

<malicious payload>
```

This attack bypasses typical WAF protections because it exploits application-level deserialization rather than network-level vulnerabilities. AWS Security Hub and GuardDuty may not detect these attacks since they operate at the network layer, making application-layer scanning critical.
AWS-Specific Detection
Detecting Spring4shell in AWS environments requires a multi-layered approach combining infrastructure monitoring with application-layer scanning. AWS-native tools like Security Hub provide baseline security posture assessments, but they lack the deep application inspection needed to identify deserialization vulnerabilities.
middleBrick's AWS-specific detection capabilities include:
- Runtime scanning of Spring Boot actuator endpoints exposed through Elastic Load Balancing
- Content-Type header analysis for JNDI lookup patterns
- Multipart request handling validation
- Spring Framework version fingerprinting to identify vulnerable versions
- Deserialization gadget chain detection through heuristic analysis
The scanning process targets the unauthenticated attack surface of your Spring applications without requiring credentials or access to source code. middleBrick tests the actual runtime behavior by sending crafted requests that mimic real attack patterns.
Sample middleBrick scan command for AWS Spring applications:

```bash
npx middlebrick scan https://api.example.elasticbeanstalk.com --output json
```

The scanner analyzes:
| Check Type | AWS Relevance | Detection Method |
|---|---|---|
| Content-Type Header Validation | High - ELB passes headers directly | Pattern matching for JNDI lookups |
| Multipart Request Handling | High - Common in file upload APIs | Boundary analysis and deserialization attempts |
| Spring Framework Version | Medium - Version disclosure common | User-agent and error response analysis |
| Actuator Endpoint Exposure | High - Often enabled in development | Discovery and authentication bypass testing |
middleBrick's black-box approach is particularly effective in AWS environments because it tests the actual deployed application without requiring access to the underlying infrastructure or source code.
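As an added illustration of the Content-Type header analysis described in the detection list above (example code written for this page, not middleBrick's scanner or the original post's code), the following Python checks request records shaped like AWS WAF JSON logs, where httpRequest.headers is a list of name/value pairs, for the indicators this page names. The log records are constructed samples; the third reuses the header from the request shown earlier.

```python
import json
import re

# Indicators taken from the page: a ";class=" parameter in Content-Type, a JNDI
# lookup pattern, or the Java serialized-object media type.
CLASS_PARAM = re.compile(r";\s*class\s*=", re.IGNORECASE)
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)
SERIALIZED_TYPE = "application/x-java-serialized-object"

def header(record: dict, name: str) -> str:
    """Return one request header from a WAF-style record (names are case-insensitive)."""
    for h in record.get("httpRequest", {}).get("headers", []):
        if h.get("name", "").lower() == name.lower():
            return h.get("value", "")
    return ""

def classify(record: dict) -> list[str]:
    """Return the findings for one record; an empty list means nothing suspicious."""
    content_type = header(record, "Content-Type")
    findings = []
    if CLASS_PARAM.search(content_type):
        findings.append("class-parameter-in-content-type")
    if JNDI_LOOKUP.search(content_type):
        findings.append("jndi-lookup-in-content-type")
    if content_type.lower().startswith(SERIALIZED_TYPE):
        findings.append("java-serialized-object-content-type")
    return findings

def scan(lines) -> list[dict]:
    """Parse newline-delimited JSON records; return the suspicious ones with findings."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed lines are skipped, not counted as hits
        findings = classify(record)
        if findings:
            req = record.get("httpRequest", {})
            hits.append({"clientIp": req.get("clientIp"), "uri": req.get("uri"),
                         "action": record.get("action"), "findings": findings})
    return hits

# Constructed sample records (not real traffic) in the shape of AWS WAF JSON logs.
SAMPLE_LOG = """{"timestamp":1648800000000,"action":"ALLOW","httpRequest":{"clientIp":"198.51.100.7","uri":"/api/login","httpMethod":"POST","headers":[{"name":"Host","value":"example.elasticbeanstalk.com"},{"name":"Content-Type","value":"application/json"}]}}
{"timestamp":1648800001000,"action":"ALLOW","httpRequest":{"clientIp":"198.51.100.8","uri":"/api/upload","httpMethod":"POST","headers":[{"name":"Host","value":"example.elasticbeanstalk.com"},{"name":"content-type","value":"multipart/form-data; boundary=----abc123"}]}}
{"timestamp":1648800002000,"action":"ALLOW","httpRequest":{"clientIp":"203.0.113.5","uri":"/api/upload","httpMethod":"POST","headers":[{"name":"Host","value":"example.elasticbeanstalk.com"},{"name":"Content-Type","value":"application/x-java-serialized-object;class=org.springframework.web.context.request.RequestContextListener"}]}}
"""
```

Running `scan(SAMPLE_LOG.splitlines())` returns only the third record, flagged for both the class parameter and the serialized-object media type; an ALLOW action on such a hit is the signal that the edge did not stop the request and the application layer must be checked.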
AWS-Specific Remediation
Remediating Spring4shell in AWS environments requires both application-level fixes and infrastructure-level protections. The primary fix involves upgrading Spring Framework to patched versions, but AWS-specific configurations provide additional security layers.
Application-level remediation for Spring Boot applications:

```xml
<!-- pom.xml dependency: upgrade to a patched Spring Boot release -->
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-web</artifactId>
  <version>2.7.8</version>
</dependency>
```

For AWS-specific configurations, implement Content-Type header validation at the Elastic Load Balancer level (via an AWS WAF web ACL attached to the load balancer):

```bash
# AWS CLI command to create the web ACL that will hold the Spring4shell rule.
# The visibility-config fields are the three the wafv2 API requires; the
# Content-Type inspection rule itself is attached separately with --rules.
aws wafv2 create-web-acl --name Spring4shellProtection \
  --scope REGIONAL --region us-east-1 \
  --default-action '{"Allow":{}}' \
  --visibility-config '{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"Spring4shellProtection"}'
```