Spring4Shell Protection, Traceable AI Setup Guide
On March 29, 2022 the world became aware of a new zero-day vulnerability in the Spring Core Java framework, dubbed ‘Spring4Shell’, which allows unauthenticated remote code execution on vulnerable applications using ClassLoader access. Since then, a CVE has been created to this vulnerability (CVE-2022-22965).
For further details, you can read our previous article analyzing the Spring4Shell vulnerability.
Traceable AI provides quick and complete protection for your applications from being exploited by Spring4Shell. In most environments, Traceable AI can provide comprehensive coverage for securing cloud native applications, both at the edge and from within the application.
Here is how to use Traceable AI to provide protection for your applications in 4 simple steps.
|1. Sign up free for Traceable AI||For new Traceable AI users (existing users skip)|
|2. Install Traceable AI Platform Agent||Required|
|Then you must complete either steps 3 and/or 4 of the following|
|3. Install the tracing agent in your Java application
AND / OR
|Provides most comprehensive protection from known and unknown threats.|
|4. Install the tracing agent on your gateway(s)||Provides signature based protection from known threats. Helps mitigate DoS attacks.|
Note: For existing Traceable AI users, you can skip steps 1 and 2 and focus on steps 3 and 4
Meet with a security expert
Our crack security research team is happy to meet with you to talk about Spring4Shell, or other application security challenges.
Complete protection against Spring4Shell using Traceable AI
Step 2: Install the Platform agent
The Platform Agent is an extension of the Traceable AI platform that runs local to your application environment. It is a required component which receives the data from the Tracing Agents, applies redaction, and then relays the data to the Traceable AI platform.
- After logging in, you’ll be shown the “Welcome to Traceable AI” screen. Click “Install Now”.
- After logging in, you’ll be shown the “Getting started with Traceable AI” screen. Click “Next”.
- You’ll be asked to install a Traceable AI Platform Agent.
- Select where and how you’d like to install it and follow the provided instructions.
- Once the upper right says you are “Successfully deployed”, click the “Next” button
Step 3: Install the Tracing Agent in your Java Application
Install the Java agent to comprehensively protect the app from Spring4Shell exploits.
No configurations or blocking rules required with this option.
1. You should find yourself on the “Install Tracing Agents” screen which will show you installation options.
2. On the “In-App Instrumentation” panel in the upper left, click on the Java icon to get instructions on installing the Java Tracing Agent.
3. Select your installation target (Java should already be selected as the language).
4. There are 2 modes in which the in-app java agent can work:
- Auto healing
For Spring4Shell it is highly recommended that you use Blocking.
- To use Blocking
- For Kubernetes deployment use the following command:
kubectl -n <NAMESPACE> set env deployment/<JAVA_DEPLOYMENT> TA_BLOCKING_SPRING_4_SHELL=true
- OR, for standalone deployment
- Set either the ta.blocking.spring.shell system property or TA_BLOCKING_SPRING_4_SHELL environment variable to true
- OR, for standalone deployment
- OR, to use Auto Healing
Note: Auto healing can be used in cases where you want to prevent the malicious parameters from causing exploits but the app to still function. Not recommended for critical RCE’s like Spring4shell.
- Set blocking config to false (default)
- Set either the ta.healing.spring.shell system property or TA_HEALING_SPRING_4_SHELL environment variable to true
SpringThat’s it! You are protected from Spring4Shell vulnerabilities!
Keep reading and follow Step 4 to block Spring4Shell at your gateway(s)
Step 4: Install the Tracing Agent on your Gateway(s) (Optional)
To block the Spring4Shell related exploits with signature-based protection for known threats, you can install a Traceable AI Tracing Agent on your gateways. This can be installed on API gateways, load balancers, or proxies by doing the following steps.
You should find yourself back on the “Install Tracing Agents” screen which will show you installation options.
1. Install the Tracing Agent(s)
There are multiple Tracing Agent installation options. You can install on any number of gateways. Follow the appropriate instructions below.
If installing a Tracing Agent in NGINX
- Click on the NGINX icon in the “Webservers” tile to get detailed instructions.
- On the “Installing Traceable Agents – NGINX” screen, follow the instructions for your OS to install the agent into NGINX.
- Once the upper right says you are “Successfully deployed” click the “Back to Tracing Agents” link in the upper left part of the screen.
If installing a Tracing Agent in the Kong API Gateway
Follow the detailed instructions in the installation documentation.
If installing a Tracing Agent on another supported gateway
Visit the appropriate installation documentation.
2. Confirm Configurations
Next, make sure that everything is enabled properly for detection and blocking from your gateways.
a. We need to leave the guided setup and go to the administration screen. To do this, click on “Cancel” in the upper left.
b. From the user menu in the upper right corner, select “Administration”
c. On the Administration screen, select “Policies” on the left menu (under the “Protection” section) (1), then make sure that Detection is “Enabled” (2).
d. On the same “Policies” screen (1) , scroll down until you see the “Known Vulnerabilities” section. Make sure that “Java Application Attacks” is enabled (2). Then click on the “Blocking Settings” link to the right of it (3), and make sure that both the “Java Spring4Shell” rule is also enabled (4).
e. Congratulations! You are now set up for signature based detection and blocking of known attacks at your edge. You can close this admin window using the “Close” control at the upper left corner of the window.
Validate Your Protection
B) You will be able to see the details of all attackers attempting to exploit this vulnerability under the Attackers and Events page.
C) You can click through the details above to see the details of the security event and all details about the attacker including user/IP information, location, User agent etc
Attacks blocked at the edge using the above Policy approach will show up under Events -> Blocked with Sub Category – Java Spring Core: RCE (CVE-2022-22965) (T920).
Attacks blocked within the application will indicate Java Spring4Shell in the event’s description. These have been blocked automatically for you with our unique tracing approach, no configs, no blocking rules required !!
D) Go through the Analysis/Traces to see details of the individual requests and responses where Spring4Shell exploits were detected and blocked.
You are now protected against the Spring4Shell vulnerability at both the edge and within your application. We will continue to update our protection mechanisms to keep your applications and API’s protected !!