Source: https://www.extrahop.com/company/blog/2022/detect-and-stop-spring4shell-exploitation/
DETECT AND STOP SPRING4SHELL EXPLOITATION

Published by Jeff Costlow on March 31, 2022

A critical zero-day vulnerability known as Spring4Shell (CVE-2022-22965) has been discovered in Java Spring Core, a widely used open-source development kit present in numerous Java applications including the Apache Tomcat framework. The vulnerability allows for remote code execution that can enable an attacker to gain full network access. Scanning activity for Spring4Shell has been observed and exploitation—if not already underway—is imminent.

The vulnerability is currently thought to affect Java development kit versions 9.0 and above and Spring Framework versions 5.3.17, 5.2.0, and 5.2.19. While the details of the vulnerability were leaked online prior to its disclosure, a patch for this zero-day has been released and suggested workarounds have been posted for those that are unable to update to the latest version.

ASSESSING SPRING4SHELL RISK

Like the Java-based utility Log4j, in which the critical Log4Shell vulnerability exists, Java Spring Core is a ubiquitous part of the software supply chain. In addition to the Apache Tomcat framework—an extremely common open-source web server container which ExtraHop research indicates is present in more than 75% of environments—it's not currently known exactly how many Java-based applications are affected, making the vulnerability especially concerning. Most businesses have hundreds of vendor-provided software applications in their environments that may or may not be running Spring Core, often with no access to the source code, making it difficult to determine risk.

It may not be the case that millions of applications are vulnerable, but just one common application built with Spring Core (such as Apache Tomcat) translates into a huge opportunity for attackers.

MITIGATING SPRING4SHELL

Details of the exploit were leaked online on March 29, before Spring could create a formal disclosure or release a patch. This increases the risk of opportunistic attackers having already gained access to vulnerable environments. Because the Spring framework is deeply ingrained in the software supply chain, patches to vulnerable applications may lag, making post-compromise detection critical to stopping attacks.

It's also important to note that Spring4Shell can be accessed over HTTPS, giving attackers the ability to hide activity behind encryption, similar to the Log4Shell vulnerability. The use of encrypted protocols by attackers has become increasingly common while, for many organizations, the ability to detect signs of malicious activity in encrypted traffic has not. Even after patches are applied, it is extremely important for organizations to carefully monitor all network traffic—including encrypted protocols—for signs of compromise.

How does the Spring4Shell vulnerability work? Get a technical explainer.

FOR EXTRAHOP CUSTOMERS

For Reveal(x) customers, a detector and a Threat Briefing for Spring4Shell are already available to help teams identify risk and detect any exploit attempts associated with this zero-day. While Reveal(x) by default detects east-west traffic associated with this exploit, custom records are being generated to allow users to identify all exploit attempts against their environments, including scans. In addition, Reveal(x) 8.8 allows users to view any north-south scan attempts via the Spring4Shell Threat Briefing.

While many organizations are running third-party and commercial applications that contain Spring Core, it is difficult to determine which applications are vulnerable without access to the source code. Because of this, all organizations are advised to pay close attention to Reveal(x) threat detections that involve production web servers and any third-party and commercial applications. Application teams that use Spring Core and Apache Tomcat should immediately update to the latest version of Spring.

ExtraHop is continually monitoring the situation and will provide updates as more details are known about how the Spring4Shell exploit is being used and what applications may be affected. The ExtraHop Threat Research team has also conducted a deep technical analysis of the vulnerability, which you can read here. Additionally, our security team can confirm that ExtraHop products are not vulnerable to the Spring4Shell vulnerability (CVE-2022-22965).

Posted in Security Alerts, Cybersecurity, NDR, Decryption