FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
FSM_FTNT
Article Id 208386
Description: This article describes how to use a custom event handler in FortiSIEM to raise incidents related to attacks that attempt to leverage the Spring4Shell vulnerability.
Scope: The FortiSIEM Rules and Reports help to detect attempts to send specially crafted HTTP requests to vulnerable Spring Core systems in order to inject custom Tag Library Descriptor (TLD) files when compiling JSP files, based on logs from FortiGate, FortiADC, and FortiProxy.
Solution

When compiling JSP files in Spring Beans, a class loader (modified by the attacker) will return URLs used to resolve TLD files.

TLD files support tag files, which are essentially plaintext files containing Java code.

By controlling this URL, the attacker can supply their own TLD/tag file, which may contain arbitrary code.


For more information about this attack, see the FortiGuard Outbreak Alert: Spring4Shell Vulnerability.
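As an added illustration of the kind of request the rule is meant to catch, the following Python snippet (written for this article; it is not part of the FortiSIEM content pack and is not the logic of the shipped rule) scans FortiGate-style key=value log lines and flags HTTP requests whose query parameter names reference the class loader, including single- and double-percent-encoded spellings of the name. The log lines, IP addresses, the url/srcip/dstip field names and the parameter names are all constructed assumptions for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed FortiGate-style key=value log lines (not real logs); the url,
# srcip and dstip field names and all values are assumptions for this example.
SAMPLE_LOGS = [
    'date=2022-04-01 time=10:00:01 type="utm" subtype="webfilter" srcip=203.0.113.5 '
    'dstip=192.0.2.10 url="/app/login?user=alice&lang=en"',
    'date=2022-04-01 time=10:00:02 type="utm" subtype="webfilter" srcip=203.0.113.7 '
    'dstip=192.0.2.10 url="/app/user?class.module.classLoader.foo=bar"',
    # Single percent-encoding of the parameter name (%4C is "L").
    'date=2022-04-01 time=10:00:03 type="utm" subtype="webfilter" srcip=203.0.113.8 '
    'dstip=192.0.2.10 url="/app/user?class.module.class%4Coader.foo=bar"',
    # Double percent-encoding (%25 is "%"), which a single decode would miss.
    'date=2022-04-01 time=10:00:04 type="utm" subtype="webfilter" srcip=203.0.113.9 '
    'dstip=192.0.2.10 url="/app/user?class.module.class%254Coader.foo=bar"',
    # The word appears only in a parameter value, not a name: not a binding attempt.
    'date=2022-04-01 time=10:00:05 type="utm" subtype="webfilter" srcip=203.0.113.5 '
    'dstip=192.0.2.10 url="/docs/search?q=classLoader"',
    # Traffic log without a url field: skipped.
    'date=2022-04-01 time=10:00:06 type="traffic" srcip=203.0.113.5 dstip=192.0.2.10 action="accept"',
]

# One key=value pair, where the value is either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_line(line):
    """Return the key=value fields of one log line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def suspicious_params(url):
    """Return the decoded query parameter NAMES that reference the class loader."""
    query = urlsplit(url).query
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded once; decoding again catches double encoding.
        name = unquote(name)
        if "classloader" in name.lower():
            hits.append(name)
    return hits


def scan(lines):
    """Scan log lines and return one finding per request with a suspicious parameter name."""
    findings = []
    for line in lines:
        fields = parse_fortigate_line(line)
        url = fields.get("url")
        if not url:
            continue  # no HTTP request in this record (e.g. a traffic log)
        hits = suspicious_params(url)
        if hits:
            findings.append({"srcip": fields.get("srcip"),
                             "dstip": fields.get("dstip"),
                             "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['srcip']} -> {f['dstip']}: {', '.join(f['params'])}")
```

Only parameter names are inspected, because the attack binds request parameters onto object properties; the same word inside a value (the search example) is not flagged. Running the script on the constructed lines reports the three requests from 203.0.113.7, 203.0.113.8 and 203.0.113.9.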


What is included in Fortinet_FortiSIEM_Spring4Shell_Vulnerability.zip?

- A FortiSIEM Rule to help with detection.
- A FortiSIEM Report to help with historical reporting.

Import the Report:

- Navigate to Resource / Reports.
- It is recommended to create a new group called 'Spring4Shell' under Resource / Reports / Security and import the report to this group.
- Select the Import option under More.
- Select Fortinet_FortiSIEM_Spring4Shell_Report_v1.xml and import.

Import the Rules, using Fortinet_FortiSIEM_Spring4Shell_Rules_v1.xml as the file to import:

- Navigate to Resource / Rules.
- It is recommended to create a new group called 'Spring4Shell' under Resource / Rules / Security / Threat Hunting and import the rules to this group.
- Select the Import option.
- Select Fortinet_FortiSIEM_Spring4Shell_Rules_v1.xml and import.
- Filter the rules for those defined in content pack 105 and ensure they are enabled.


https://help.fortinet.com/fsiem/6-4-0/Online-Help/HTML5_Help/content_updates.htm
