Author: Eliran Azulai, Principal Program Manager, Azure Networking
Co-author: Gunjan Jain, Principal PM Manager, Azure Networking
If you were wondering how to protect your resources from the latest Spring Framework exploits, this blog will guide you step-by-step on how to detect and protect against SpringShell vulnerabilities using our native network security services, Azure Firewall Premium and Azure Web Application. You can utilize one of these services or all of them for a Multi-layered security approach.
For more in-depth information on the SpringShell vulnerability and guidance for protection and detection, please check out the blog published by the Microsoft Threat Intelligence Team.
Prerequisites for each service
- Rule group: MS-ThreatIntel-WebShells, Rule Id: 99005006 – Spring4Shell Interaction Attempt
- Rule group: MS-ThreatIntel-CVEs, Rule Id: 99001014 – Attempted Spring Cloud routing-expression injection (CVE-2022-22963)
- Rule group: MS-ThreatIntel-CVEs, Rule Id: 99001015 – Attempted Spring Framework unsafe class object exploitation (CVE-2022-22965)
- Rule group: MS-ThreatIntel-CVEs, Rule Id: 99001016 – Attempted Spring Cloud Gateway Actuator injection (CVE-2022-22947)
3. No need to enable SpringShell WAF rules on Azure Application Gateway WAF V2 as they are enabled by default:
- Rule Id: 800110 – Spring4Shell Interaction Attempt
- Rule Id: 800111 – Attempted Spring Cloud routing-expression injection – CVE-2022-22963
- Rule Id: 800112 – Attempted Spring Framework unsafe class object exploitation – CVE-2022-22965
- Rule Id: 800113 – Attempted Spring Cloud Gateway Actuator injection – CVE-2022-22947
Testing the exploit in Azure Firewall Premium lab
To provide customers with a safe environment to simulate the exploits, we developed a lab setup built with an application that is vulnerable to the Spring4Shell exploit (CVE-2022-22965). You can follow the instructions provided in this GitHub repository to build your own setup.
Testing the exploit with Azure WAF on Azure Front Door
https://www.<mydomain>.com/test.jsp?pwd=test\&cmd=cat+/secret/file
Testing the exploit with Azure WAF on Azure Application Gateway
https://www.<mydomain>.com/test.jsp?pwd=test\&cmd=cat+/secret/file
Learn More
Azure Firewall Premium and Azure WAF provide advanced threat protection capabilities to help detect and protect against SpringShell and other exploits. For more information on everything we covered above, please see the following documentation:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.