Spring Framework detection scan (Linux)
Log In or Register to download the BES file, and more.

2 Votes

Description

This is Community Content. When you use these solutions, it is incumbent on your organization to test any solutions provided across the broadest available system base including various OS, storage solutions, and application inventory.

Please see the Community Solution Testing Statement

This Task performs a filesystem scan on Windows systems to attempt detecting Spring Framework versions that may be vulnerable to one of the following vulnerabilties reported in March 2022:

 

https://tanzu.vmware.com/security/cve-2022-22965

https://tanzu.vmware.com/security/cve-2022-22963

https://tanzu.vmware.com/security/cve-2022-22950

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

 

This Task performs a filesystem search across all fixed disks on Windows platforms, to locate Spring Framework JAR files, either directly on the filesystem or embedded in a .WAR archive file.  In the case any .WAR file is found on the system, the 'unzip.exe' utility is used to perform a listing of files inside the archive to locate Spring-related .JAR files.  Specifically, this Task searches for any versions of spring-beans-*.jar, spring-core-*.jar, spring-webmvc-*.jar, or spring-webflux-*.jar.  Information on the Spring vulnerabilities is still evolving, but each of these has been cited as potential problem vectors.

Scan results are stored in a "Scans" subdirectory beneath the "BES Client" folder. 'Spring-scan-output.txt' contains the full script output for potential debugging or diagnosis, and 'Spring-scan.txt' contains a listing of detected files in one of the forms


/opt/spring/extract/spring-framework-5.2.17.RELEASE/libs/spring-beans-5.2.17.RELEASE.jar

/opt/spring/spring-5.2.17.RELEASE-dist.war::spring-framework-5.2.17.RELEASE/libs/spring-webmvc-5.2.17.RELEASE.jar

The first sample entry indicates a detected Spring .jar file directly in the filesystem, while the second entry indicates a Spring .jar file embedded within a .WAR archive.

This Task has several known limitations:

  • Archives are not extracted recursively - only .JAR files contained directly within a .WAR archive are found; archives embedded within multiple layers of .WAR archives are not detected.
  • There is no option to throttle the scan in terms of processor or disk i/o usage.  Scans should be executed during non-critical hours, and staggered over time especially where multiple systems share a storage resource, such as a SAN or virtual machine storage pool.

This detection method uses Linux Bash script with external dependencies on 'df', 'find', 'sed', and 'unzip'.  Results of the scan may be retrieved using the related Analysis.


Property Details

ID26921
StatusAlpha - Code that was just developed
TitleSpring Framework detection scan (Linux)
DomainBESC
SourceInternal
Source Release Date3/31/2022 12:00:00 AM
KeywordsSpring, vulnerability, scan, cve-2022-22950, cve-2022-22963, cve-2022-22965
Is TaskTrue
Added by on 4/1/2022 1:05:58 PM
Last Modified by on 4/1/2022 1:05:58 PM
Counters 587 Views / 37 Downloads
User Rating 1 star 2 star 3 star 4 star 5 star * Average over 1 rating. ** Log In or Register to add your rating.

Relevance

Used in 4 fixlets   * Results in a true/false
Show indented relevance
name of operating system as lowercase contains "linux"
Used in 1 fixlet   * Results in a true/false
Show indented relevance
(if exists property "in proxy agent context" then not in proxy agent context else true)

Actions

Action 1 (default)

Action Link Click here to deploy this action.
Script Type BigFix Action Script
parameter "ScansFolder" = "{(if (version of client >= "9" as version) then (pathname of parent folder of data folder of client) else (pathname of parent folder of parent folder of client folder of site "actionsite"))}/Scans"
folder create "{parameter "ScansFolder"}"
parameter "output"="{pathname of folder (parameter "ScansFolder")}/Spring-scan.txt"
parameter "exec_output"="{pathname of folder (parameter "ScansFolder")}/Spring-scan-output.txt"
delete "{parameter "output"}"
delete "{parameter "exec_output"}"

delete __createfile
createfile until EOF_EOF_EOF_EOF
#!/bin/sh

OUTPUT_FILE={parameter "output"}

function handle_file() {{
echo Handling $1
if [[ $1 == *\.war || $1 == *\.WAR || $1 == *\.zip || $1 == *\.ZIP || $1 == *\.ear || $1 == *\.EAR ]]
then
echo "${{1} is an archive, searing content via unzip";
for embeddedfile in `unzip -Z -1 "$1" *spring-beans-*.jar *spring-core-*.jar *spring-webmvc*.jar *spring-webflux-*.jar -x *-sources.jar *-javadoc.jar`
do
echo ${{1}::${{embeddedfile}>>${{OUTPUT_FILE}
done
else
echo ${{1}>>${{OUTPUT_FILE}
fi

}

for j in `df -l --output=target -x tmpfs -x devtmpfs | sed 1d`

do echo "searching $j"
for targetfile in `find $j -xdev \( -name "*spring-beans-*.jar" -o -name "*spring-core-*.jar" -o -name "*spring-webmvc*.jar" -o -name "*spring-webflux-*.jar" -o -name "*.war" \) -a ! \( -name "*-sources.jar" -o -name "*-javadoc.jar" \)`
do handle_file "$targetfile"
done

done



EOF_EOF_EOF_EOF

delete run_scan.sh
copy __createfile run_scan.sh
wait chmod +x run_scan.sh
wait /bin/sh -c "./run_scan.sh > '{parameter "exec_output"}' 2>&1"
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.


Sharing

Social Media:
Share this page on Yammer

Comments

Log In or Register to leave comments!