Welcome to Spring Scanner - an Infosec Chicago project!
This is a project designed to help people find instances of Spring Framework in response to the CVE-2022-22965 vulnerability.
It should be noted that just because you find an application that contains the Spring Framework with this tool, it does not mean that the application is vulnerable. It simply means that you should check with the vendor to see whether they have released patches to address this vulnerability. If so, you should patch right away. If not, it might not be a bad idea to reach out to the vendor for confirmation as to whether or not their application is vulnerable (you may even want to ask them to explain why it's not vulnerable, if that's the case, and compare their reasoning to the "Am I Impacted" page from VMware).
It's not a guarantee, but it does help provide some peace of mind. As VMware points out, Spring is used in lots of applications all over the world, ranging from IoT devices and ordinary applications to Software-as-a-Service and cloud providers. All our scanner can cover is systems you have direct access to, and even those aren't guaranteed since this is a free service.
That's a tough spot. Try to put as much pressure on the vendor as you can, but in the meantime get those applications as protected as you can. Make sure they aren't directly accessible from the internet (place them behind a VPN or something similar if possible), and if you must have applications accessible publicly, ensure you have a WAF with rules that cover this vulnerability. For instance, Cloudflare has mitigations available, but they are not enabled by default: you will need to go in and turn them on manually. Keep in mind that without an official patch, you may experience downtime and other usability issues with these applications while such mitigations are in place, so they are not a replacement for vendor-supported patches, only temporary stop-gaps.
Because I believe in a world where everyone works together for a safer internet. Also, I threw it together really quickly, so it comes without official support or guarantees.
If you found this tool helpful and would like to contribute to future projects that are similar in nature, feel free to check out https://semsec.net/donations/.
Good question. Presence Likely is a pretty obvious field, but the rest probably need a bit of explaining. Essentially the scripts will look for evidence of Spring Framework in the following places:
Classes in Java binaries are the most likely to be accurate; the others can occasionally produce false positives and may often miss things. Given the cross-platform functionality and the limitations of different systems, it seemed best to include all options for the best coverage.
You may also notice the same filenames appearing multiple times (especially in the class search). That is because those files will often contain the reference the scripts are searching for multiple times.
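As an added illustration of the class search described above (this is not the Spring Scanner project's own code), the snippet below opens .jar/.war/.ear archives, which are zip files, counts .class entries under org/springframework/, and follows jars nested inside wars. The sample archive it builds is constructed and its class names are made up; a non-zero count means Spring is present, not that the application is vulnerable.

```python
# Added example, not the Spring Scanner project's own code: count Spring
# Framework class entries inside Java archives, recursing into nested jars.
import io
import os
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
SPRING_PREFIX = "org/springframework/"

def spring_class_count(archive_bytes, depth=0):
    """Count .class entries under org/springframework/ in one archive,
    recursing into nested archives (e.g. WEB-INF/lib/*.jar in a .war)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return 0  # not a zip archive, so nothing to inspect
    count = 0
    with zf:
        for name in zf.namelist():
            if name.startswith(SPRING_PREFIX) and name.endswith(".class"):
                count += 1
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < 3:
                count += spring_class_count(zf.read(name), depth + 1)
    return count

def scan_directory(root):
    """Walk root and map each archive path to its Spring class count."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = spring_class_count(fh.read())
    return results

def build_sample_war():
    """Constructed test input: a .war with one Spring class at top level and
    a nested jar in WEB-INF/lib holding two more (class names are made up)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("org/springframework/beans/Sample1.class", b"\xca\xfe\xba\xbe")
        jar.writestr("org/springframework/web/Sample2.class", b"\xca\xfe\xba\xbe")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("org/springframework/core/Sample3.class", b"\xca\xfe\xba\xbe")
        war.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        war.writestr("WEB-INF/lib/spring-beans.jar", inner.getvalue())
    return outer.getvalue()
```

Point scan_directory at an application's install path to get a per-archive count; a filename that appears with a high count is the "same file listed multiple times" effect described above.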
Not necessarily. Some developers may choose to simply overwrite those files with the patched version without changing the name, to avoid having to do a full release when doing so does not cause issues for their app. Consult your vendor to be sure.
No, not necessarily, although you run a higher risk of a false negative if you do, since the scanner may not be able to scan all files. Use your best judgement as to whether or not you want to.