Help
FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
FSM_FTNT
Staff
Staff

Created on ‎04-04-2022 02:39 AM Edited on ‎04-19-2022 01:08 AM

Article Id 208386

Technical Tip: Using FortiSIEM to detect Spring4Shell Vulnerability | CVE-2022-22965

Description This article describes how to use a custom event handler in FortiSIEM to raise incidents related to attacks that attempt to leverage the Spring4Shell Vulnerability.
Scope The FortiSIEM Rules and Reports helps to detect attempts to send specially crafted HTTP requests to vulnerable Spring Core systems in order to inject custom Tag Library Descriptors (TLD) files when compiling JSP files based on logs from FortiGates, FortiADC, and FortiProxy.
Solution

When compiling JSP files in Spring Beans, a class loader (modified by the attacker) will return URLs to resolve TLD files.

 

TLD files support tag files which are essentially plaintext file containing Java code.

By controlling this URL, the attacker can supply their own TLD/tag file which may contain arbitrary code.

 

For more information about this attack, see the following FortiGuard Outbreak Alert: FortiGuard Outbreak Alert: Spring4Shell Vulnerability.


What is included in Fortinet_FortiSIEM_Spring4Shell_Vulnerability.zip?

- A FortiSIEM Rule to help with detection.
- A FortiSIEM Report to help with historical reporting.


- Navigate to Resource / Reports.
- It is recommended to create a new group under Resource / Reports / Security called 'Spring4Shell' and import reports to this group.


- Select the Import option under More.
- Select Fortinet_FortiSIEM_Spring4Shell_Report_v1.xml and import.

 

4) Use Fortinet_FortiSIEM_Spring4Shell_Rules_v1.xml as the file to import the Rules.


- Navigate to Resource / Rules.
- It is recommended to create a new group under Resource / Rules / Security / Threat Hunting is created called 'Spring4Shell' and import the rules to this group.


- Select the Import.

- Select Fortinet_FortiSIEM_Spring4Shell_Rules_v1.xml and import.
- Filter the rules for those defined in content pack 105 and ensure it is enabled.

 

https://help.fortinet.com/fsiem/6-4-0/Online-Help/HTML5_Help/content_updates.htm
Fortinet_FortiSIEM_Spring4Shell_Vulnerability.zip
566
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.