SpringShell: Spring Core RCE 0-day Vulnerability (Another log4j2 level or even worst vulnerability if it is confirmed)

The following two conditions are met at The same time to determine that it is affected by this vulnerability:

 

1. JDK version number is 9 and above;
2. using the spring framework or derived framework.

 

Alicloud already release TWO WAF rules to against this vulnerability:

 

 

If you are using Imperva WAF, you can create a custom Signatures to detect and trigger alerts:

 

Signature Name: springshell-rce-0-day-vulnerability – 1

Signature: part="class."

Protocols: http + https

Search Signature In: Headers + Parameters

 

https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html

https://vuldb.com/?id.196076

 

SpringShell: Spring Core RCE 0-day Vulnerability (Another log4j2 level or even worst vulnerability if it is confirmed)

Sophos Firewall: Verify if the hotfix for CVE-2022-1040 is applied on your Sophos XG firewall

Given the "Allow automatic installation of hotfixes" feature enabled (it is enabled by default). First come first is check this setting is it enabled.

 

 

Then, you need to verify the hotfix is it install by access the advanced shell by using SSH client remotely login your firewall or via console access

 

1. Select "5" – Device Management

 

2. Select "3" – Advanced Shell

3. Enter the following command:

 

test -f /static/up_mode_json_stamp && echo "Hotfix is applied" || echo "Hotfix isn't applied"

 

 

If the hotfix is applied, the return is "Hotfix is applied"

 

Enter "Exit" to exit the shell mode.

 

Reference:

Accessing Command Line Console - Sophos Firewall

Sophos Firewall: Verify if the hotfix for CVE-2022-1040 is applied

 

Sophos Firewall: Verify if the hotfix for CVE-2022-1040 is applied on your Sophos XG firewall

Microsoft Defender - enable Microsoft Active Protection Service (MAPS) on Windows 11 Pro

1. Go to Local Group Policy Editor (GPedit.msc)
2. Computer Configuration -> Administrative template -> Windows  Components -> Microsoft Windows Defender Antivirus  -> MAPS
3. Join Micrsoft MAPS - Enable - Advanced MAPS

4. Enable the following policy:

 

 

5. Reboot your machine.

 

6. Check the running configuration of the MAPS:

Open Powershell

Run the command: get-mppreference

PS C:\WINDOWS\system32> get-mppreference

 

The MAPSReporting - "2"

 

Reference:

加固 Windows Defender ，开启微软云保护，利用「微软高级保护服务」（MAPS）来实时预防未知病毒 - 小众软件

https://www.appinn.com/windows-defender-enable-microsoft-maps/

 

"著名黑客 h0ek 教路，只需在 Windows Defender 加上一點就可以得到企業級的保護 - Qooah" https://qooah.com/2022/03/14/famous-hacker-h0ek-teaches-the-way-to-get-enterprise-grade-protection-with-just-a-little-bit-of-windows-defender/ 

 

Microsoft Defender - enable Microsoft Active Protection Service (MAPS) on Windows 11 Pro