WAF mitigations for Spring4Shell

This post was updated on 5th April 2022 to include toggled rules and new rules for CVE-2022-22965

A set of high profile vulnerabilities have been identified affecting the popular Java Spring Framework and related software components - generally being referred to as Spring4Shell.

Four CVEs (Common Vulnerabilities and Exposures) have been released so far and are being actively updated as new information emerges. These vulnerabilities can result, in the worst case, in full remote code execution (RCE) compromise:

• CVE-2022-22947 - [official VMware post]

• CVE-2022-22950 - [official VMware post]

• CVE-2022-22963 - [official Spring project post]

• CVE-2022-22965 - [official Spring project post]

Customers using Java Spring and related software components, such as the Spring Cloud Gateway, should immediately review their software and update to the latest versions by following the official Spring project guidance.

The Cloudflare WAF team is actively monitoring these CVEs and has already deployed a number of new managed mitigation rules. Customers should review the rules listed below to ensure they are enabled while also patching the underlying Java Spring components.

A new rule has been developed and deployed for this CVE with an emergency release on March 29, which started blocking the vulnerability since the emergency release on the 4th, April  2022:

Managed Rule Spring - CVE:CVE-2022-22947

• WAF rule ID: e777f95584ba429796856007fbe6c869

• Legacy rule ID: 100522

Currently, available PoCs are blocked by the following rule:

Managed Rule PHP - Code Injection

• WAF rule ID: 55b100786189495c93744db0e1efdffb

• Legacy rule ID: PHP100011

Currently, available PoCs are blocked by the following rule:

Managed Rule Plone - Dangerous File Extension

• WAF rule ID: aa3411d5505b4895b547d68950a28587

• Legacy WAF ID: PLONE0001

We also deployed a new rule via an emergency release on March 31 (today at time of writing) to cover additional variations attempting to exploit this vulnerability, which started blocking since the emergency release on the 4th, April, 2022

Managed Rule Spring - Code Injection

• WAF rule ID: d58ebf5351d843d3a39a4480f2cc4e84

• Legacy WAF ID: 100524

Additionally, customers can receive protection against this CVE by deploying the Cloudflare OWASP Core Ruleset with default or better settings on our new WAF. Customers using our legacy WAF will have to configure a high OWASP sensitivity level.