Spring4Shell and the future of zero-day threats

April 28 2022
 

When zero-day vulnerabilities are discovered, Cisco Secure Application can help deliver the visibility and threat detection your applications need to thwart an attack.


2021 was a record-breaker for zero-day threats with at least 66 identified instances — twice that of 2020 — and each representing the potential for million-plus dollar losses, according to MIT Technology Review. This includes the Log4j vulnerability on December 9, 2021, that caused mayhem as hundreds of millions of devices across the globe were put at risk.

Now, the high value tied to zero-day attacks continues to fuel bad actors as they double down on efforts and global tensions rise. In response, the US Government and 30 allies are collaborating on threat detection as outlined in a fact sheet that warns of potential threats and makes recommendations for companies to lessen their risk. With the Spring4Shell vulnerability exposed at the end of March, the number of zero-day vulnerabilities expected in 2022 appears to be following the previous year’s growth trends. As a result, visibility into application health, threat detection at runtime and the ability to block exploits is a top priority — for good reason — and AppDynamics is here to help!

What happened?! The Spring4Shell vulnerability explained

The Spring4Shell vulnerability (CVE-2022-22965) was exposed and hit mainstream media in late March 2022, causing a flurry of attention due to its resemblance to the Log4j vulnerability. Despite platform differences — Apache vs. Spring — the potential to cause widespread impact is similar, given the popularity of both and how they target the Java logging library.

As news of Spring4Shell spread and fears of Log4j-like disruptions ensued, notable differences came to light rather quickly, including the specific conditions required to exploit Spring4Shell that don’t exist for Log4j. For example, Spring MVC or Spring WebFlux applications running on JDK 9 or higher – among several other conditions detailed in the VMware Spring Framework Security Vulnerability Report – are vulnerable. These preconditions reduced the overall likelihood of Spring4Shell being exploited. However, many organizations met the criteria for concern and were left with little option but to rush to address the vulnerability.

Spring4Shell can’t hide from Cisco Secure Application

Cisco Secure Application, our Runtime Application Self-Protection (RASP) product, makes it easy for AppDynamics to help its customers detect and mitigate the Log4j risk even with vulnerable libraries in place. Similarly, Spring4Shell is quickly detected with application context, while devastating attack types, like RCE, can be detected and blocked by policy to keep digital environments safe.

Address Spring4Shell with Cisco Secure Application

The image below, from within AppDynamics, shows a visual of Cisco Secure Application identifying where the Spring4Shell vulnerability exists in production:

This is an at-a-glance view of application security risks spanning production and non-production environments. It delivers a common frame of reference across CIO and CISO organizations for vulnerability exposure, including vulnerability aging and trends, with context for the CVE severity as well as its occurrence by application, tier and node, as seen in the chart.

As seen above, Cisco Secure Application drills down into a Spring4Shell vulnerability for more detail, including remediation recommendations, and vulnerability notes help keep team findings consolidated for regulatory or compliance requirements.

Above is an example of Cisco Secure Application blocking an RCE runtime attack against a Spring4Shell library with stack trace detail, keeping digital environments and users safe even when a vulnerable library exists.

AppD Community members, learn more: How do I use AppDynamics with Cisco Secure Application to find vulnerabilities and block exploits?

Why AppDynamics and why now?

In January 2022, the Federal Trade Commission (FTC) warned of massive fines for companies not addressing Log4j. Although the FTC has not issued this warning for the Spring4Shell vulnerability as of the date of this post, these types of vulnerabilities, especially when consumers’ personal information is at risk, can potentially spur financial losses for the unprotected public. With the zero-day threat landscape on the rise, organizations must respond faster to mitigate and resolve threats.

“With the instance of zero-day threats growing, companies need to see and understand their overall risk implications in hours, not days. But without visibility, that’s nearly impossible. We developed Cisco Secure Application to continuously detect and alert in real-time to give customers the speed they require to remediate fast.”

Randy Birdsall, Senior Director Product Management AppSec and Observability, AppDynamics

In 2012, Gartner coined the term “runtime application self-protection” (RASP) and touted it as an emerging security technology that enabled applications to protect themselves. A decade later, Gartner estimates that the majority of online applications don’t use any form of RASP. Yet those using it, including Cisco Secure Application customers, find RASP to be extremely valuable in detecting both Log4j and Spring4Shell vulnerabilities and depend on it to help guard against future zero-day threats.

Blocking zero-day exploits at runtime

At the end of last year, along with much of the world, we were hyper-focused on quickly sharing pertinent Log4j information with our customers. This includes a deep dive into the benefits of Cisco Secure Application that covers the combined value of a security-plus-observability approach to application development and monitoring. Now with the latest zero-day threat exposed, it’s worth mentioning again that our leading-edge runtime application self-protection (RASP) product has the same positive impact on the Spring4Shell vulnerability.

Cisco Secure Application runs in tandem with your code, detecting and blocking exploits while your applications execute that code, no matter where the traffic originates from. It also delivers code-level runtime security via a single, unified APM/security agent with a mere 1% CPU usage, less than 6 ms of latency and 4-6 MB memory. Performance impact and overhead have been a headwind to RASP adoption. Innovating a way to deliver a powerful solution in a low resource footprint is just one of its value-adds that enables enterprise technologists to continuously block exploits at runtime — even in production — and without impacting users or apps.

Zero-day threats: Things to consider

Companies and developers may long for the day when completely secure code is a reality, but we’re not there yet. And while we wait, more zero-day threats will be exposed, more companies will pay to safeguard data or risk the alternative, and consumers will continue to lose trust when their favorite brand is compromised. As the United States government recommends, companies should build security into products from the ground up — “bake it in, don’t bolt it on” — to protect both intellectual property and customer privacy.

At AppDynamics, it’s our mission to build solutions that help customers deliver delightful, performant and secure digital experiences. Cisco Secure Application helps protect against serious security threats, with ease-of-use and performance built-in. Today’s users don’t care whether app problems are performance or security-related; they expect apps to work perfectly no matter what. We see a path to delivering this class of experience through Cisco Secure Application without requiring IT teams to work around the clock or compromising security as Log4j, Spring4Shell and other vulnerabilities appear.

Helpful information and resources

Check out our other Spring4Shell-related and application security resources, including a step-by-step guide on how to use Cisco Secure Application to block vulnerabilities.

AppDynamics product investigation and software updates:
Security advisory: CVE-2022-22965 in Spring Framework

AppDynamics Community:
How do I use AppDynamics with Cisco Secure Application to find vulnerabilities and block exploits?

Cisco Talos threat intelligence and detection:
Threat advisory: Spring4Shell

Schedule a demo of Cisco Secure Application:
Schedule a demo

[Webinar] Modern application security trends:
Register here to join us for a lively discussion on app security trends with industry experts: Cryptographer and computer security leader, Bruce Schneier; Cisco lead for security research, Martin Lee and AppDynamics’ Senior Director Product Management AppSec and Observability, Randy Birdsall.

Audrey Nahrvar is a product marketing manager with a background in application security and ethical hacking. Audrey held positions at Autodesk and Shutterfly before joining AppDynamics in 2017 as a security engineer, and was later promoted to security architect. In her off hours, Audrey enjoys spending time with her husky in the mountains.