This post was updated on 5th April 2022 to include toggled rules and new rules for CVE-2022-22965
A set of high-profile vulnerabilities has been identified affecting the popular Java Spring Framework and related software components, generally referred to as Spring4Shell.
Four CVEs (Common Vulnerabilities and Exposures) have been released so far and are being actively updated as new information emerges. In the worst case, these vulnerabilities can result in full remote code execution (RCE) compromise:
Customers using Java Spring and related software components, such as the Spring Cloud Gateway, should immediately review their software and update to the latest versions by following the official Spring project guidance.
The Cloudflare WAF team is actively monitoring these CVEs and has already deployed a number of new managed mitigation rules. Customers should review the rules listed below to ensure they are enabled while also patching the underlying Java Spring components.
CVE-2022-22947
A new rule for this CVE was developed and deployed in an emergency release on March 29, and it has been blocking exploitation attempts since the emergency release of April 4, 2022:
Managed Rule: Spring - CVE:CVE-2022-22947
WAF rule ID: e777f95584ba429796856007fbe6c869
Legacy rule ID: 100522
CVE-2022-22950 and CVE-2022-22963
The currently available PoCs are blocked by the following rule:
Managed Rule: PHP - Code Injection
WAF rule ID: 55b100786189495c93744db0e1efdffb
Legacy rule ID: PHP100011
CVE-2022-22963 and CVE-2022-22965
The currently available PoCs are blocked by the following rule:
Managed Rule: Plone - Dangerous File Extension
WAF rule ID: aa3411d5505b4895b547d68950a28587
Legacy WAF ID: PLONE0001
We also deployed a new rule in an emergency release on March 31 (today at the time of writing) to cover additional variations attempting to exploit this vulnerability; it has been blocking since the emergency release of April 4, 2022:
Managed Rule: Spring - Code Injection
WAF rule ID: d58ebf5351d843d3a39a4480f2cc4e84
Legacy WAF ID: 100524
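The post asks customers to confirm that the rules above are actually enabled, not just present. The following script is an added example, not Cloudflare's own tooling: it takes the new-WAF rule IDs listed in this post and inspects an exported entrypoint ruleset for overrides that disable a rule or downgrade it to log-only. The JSON shape (an "execute" rule whose action_parameters carry an "overrides" object with per-rule "enabled" and "action" fields), the managed ruleset ID placeholder and the sample export are assumptions constructed for this example; the rule IDs are the ones given above.

```python
"""Check an exported Cloudflare WAF entrypoint ruleset for the Spring4Shell rules.

Added example, not Cloudflare tooling. The export format below is an
assumption: a list of rules, where an "execute" rule deploys a managed
ruleset and may carry action_parameters.overrides.rules[] entries with
"enabled" / "action" fields for individual managed rules.
"""
import json

# New-WAF managed rule IDs from the post, keyed to the CVEs they cover.
SPRING4SHELL_RULES = {
    "e777f95584ba429796856007fbe6c869": "Spring - CVE:CVE-2022-22947",
    "55b100786189495c93744db0e1efdffb": "PHP - Code Injection (CVE-2022-22950 / CVE-2022-22963)",
    "aa3411d5505b4895b547d68950a28587": "Plone - Dangerous File Extension (CVE-2022-22963 / CVE-2022-22965)",
    "d58ebf5351d843d3a39a4480f2cc4e84": "Spring - Code Injection (CVE-2022-22965)",
}

# Constructed sample export: one enabled execute rule deploying a managed
# ruleset (ID is a placeholder), with one Spring rule switched off by an
# override and another downgraded to log-only.
SAMPLE_ENTRYPOINT = json.dumps({
    "rules": [
        {
            "action": "execute",
            "enabled": True,
            "action_parameters": {
                "id": "managed-ruleset-id-placeholder",
                "overrides": {
                    "rules": [
                        {"id": "d58ebf5351d843d3a39a4480f2cc4e84", "enabled": False},
                        {"id": "e777f95584ba429796856007fbe6c869", "action": "log"},
                    ]
                },
            },
        }
    ]
})


def rule_states(entrypoint_json, wanted=SPRING4SHELL_RULES):
    """Return {rule_id: state} for every rule in `wanted`.

    "disabled"      an override sets enabled=false
    "log-only"      an override downgrades the action to log
    "not deployed"  no enabled execute rule deploys a managed ruleset at all
    "enabled"       no override touches the rule
    """
    doc = json.loads(entrypoint_json)
    execute_rules = [
        r for r in doc.get("rules", [])
        if r.get("action") == "execute" and r.get("enabled", True)
    ]
    if not execute_rules:
        return {rid: "not deployed" for rid in wanted}

    states = {rid: "enabled" for rid in wanted}
    for exe in execute_rules:
        overrides = exe.get("action_parameters", {}).get("overrides", {})
        for ov in overrides.get("rules", []):
            rid = ov.get("id")
            if rid not in wanted:
                continue
            if ov.get("enabled") is False:
                states[rid] = "disabled"          # disabled wins over log-only
            elif ov.get("action") == "log" and states[rid] != "disabled":
                states[rid] = "log-only"
    return states


def needs_attention(entrypoint_json):
    """IDs of rules from the post that are not actively blocking, sorted."""
    return sorted(
        rid for rid, state in rule_states(entrypoint_json).items() if state != "enabled"
    )


if __name__ == "__main__":
    for rid, state in rule_states(SAMPLE_ENTRYPOINT).items():
        print(f"{rid}  {state:12}  {SPRING4SHELL_RULES[rid]}")
```

The check only looks at per-rule overrides; an override applied at the category or managed-ruleset level would not be seen, so a clean report from this script is a starting point rather than proof. On the legacy WAF the legacy IDs listed above apply instead, and the new-WAF IDs will not appear in its configuration.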
Additionally, customers can receive protection against this CVE by deploying the Cloudflare OWASP Core Ruleset with default or better settings on our new WAF. Customers using our legacy WAF will have to configure a high OWASP sensitivity level.