README.txt
License
THIS SCRIPT IS PROVIDED TO YOU "AS IS." TO THE EXTENT PERMITTED BY LAW, QUALYS HEREBY DISCLAIMS ALL WARRANTIES AND LIABILITY FOR THE PROVISION OR USE OF THIS SCRIPT.
IN NO EVENT SHALL THESE SCRIPTS BE DEEMED TO BE CLOUD SERVICES AS PROVIDED BY QUALYS
Spring Vulnerability Scanner Shell Script:
Description:
This shell script collects the details needed to help detect the CVE-2022-22965 and CVE-2022-22963 vulnerabilities reported in Spring.
The script scans the entire filesystem, including archives (and nested JARs), for the Java libraries that indicate a Java application contains a vulnerable Spring Framework or Spring Cloud library. Once a Spring QID is introduced in the Qualys VM signatures, the output file generated by this script will serve as a data point to assess and report the QID during an agent VM scan.
NOTE: Preconditions related to JDK and Tomcat are environmental factors and are not covered by this utility.
For CVE-2022-22965
1. Check all WAR and JAR files that contain the affected jars.
2. Also check for the affected jars directly on the local filesystem.
For CVE-2022-22963
1. Look for all jars on the filesystem.
2. Inside each jar, look for spring-cloud-function-core and its pom.xml, then extract the version information from it.
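The two checks above (descending into nested archives, then pulling the spring-cloud-function-core version out of the jar's own Maven metadata), as an added Python example that is not the Qualys script. It reads the version from the bundled pom.properties instead of pom.xml, since both carry the same Maven coordinates; the function names (inspect, maven_version, build_sample_war) and the sample WAR built in memory are constructed for this example.

```python
import io
import re
import zipfile

# Added example, not the Qualys script; the names below are hypothetical.
ARCHIVE_RE = re.compile(r"\.(?:jar|war|ear|zip)$", re.IGNORECASE)
CLOUD_RE = re.compile(r"(?:^|/)spring-cloud-function-core(?:-(\d[\w.-]*))?\.jar$")
SPRING_RE = re.compile(r"(?:^|/)spring-(?:core|beans|webmvc|boot)[\w-]*-\d[\w.-]*\.jar$")

def open_zip(data):
    """Return a ZipFile over in-memory bytes, or None if they are not a zip container."""
    try:
        return zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None

def maven_version(jar_bytes, fallback):
    """Version from the jar's own Maven pom.properties (pom.xml carries the same value)."""
    zf = open_zip(jar_bytes)
    for name in (zf.namelist() if zf else []):
        if name.endswith("/spring-cloud-function-core/pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return fallback

def inspect(name, data, full, findings):
    """Record spring hits for one file, then recurse into it if it is an archive."""
    m = CLOUD_RE.search(name)
    if m:
        ver = maven_version(data, m.group(1) or "unknown")
        findings.append(f"Path= {full}, SpringCloudCore Version: {ver}")
    elif SPRING_RE.search(name):
        findings.append(f"Path= {full}")
    zf = open_zip(data) if ARCHIVE_RE.search(name) else None
    for entry in (zf.namelist() if zf else []):
        if ARCHIVE_RE.search(entry):  # nested jar/war: descend into it
            inspect(entry, zf.read(entry), f"{full}/{entry}", findings)
    return findings

def build_sample_war():
    """Constructed sample: a WAR bundling a renamed spring-cloud-function-core jar."""
    inner, war = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/maven/org.springframework.cloud/spring-cloud-function-core/pom.properties", "version=3.2.3\n")
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/spring-cloud-function-core.jar", inner.getvalue())
        z.writestr("WEB-INF/lib/spring-core-5.3.17.jar", b"")  # name-only placeholder, not a real jar
        z.writestr("WEB-INF/lib/commons-io-2.11.0.jar", b"")   # unrelated library, must be ignored
    return war.getvalue()
```

The renamed jar shows why the version is taken from the Maven metadata rather than the file name; a filesystem walk is just a matter of calling inspect() on every archive that os.walk() yields.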
Usage:
Supported platforms: Linux (RHEL, CentOS, Ubuntu, Debian, Amazon Linux, and OEL)
Supported architectures: x64
How to run the script?
1) Create and save the script as a .sh file using any text editor.
2) Execute the script file from a shell. Use the following command:
LINUX: (detects WARs and JARs)
sh <script-name>.sh [base_dir] [network_filesystem_scan<true/false>]
Here, <script-name> is the actual script name.
(default: [base_dir]=/ [network_filesystem_scan]=false)
For example: sh ./spring_findings.sh /home false
The script's standard output will be redirected to: /usr/local/qualys/cloud-agent/spring_findings.stdout
Any error occurring during its execution is redirected to: /usr/local/qualys/cloud-agent/spring_findings.stderr
If the agent is not installed, the script will create the following directory and write the standard output and error into files within it.
/usr/local/qualys/cloud-agent/
Sample output: (/usr/local/qualys/cloud-agent/spring_findings.stdout)
Path= /home/qagent/ROOT.war/WEB-INF/lib/spring-webmvc-5.3.17.jar
Path= /home/qagent/ROOT.war/WEB-INF/lib/spring-boot-2.6.5.jar
Path= /home/qagent/ROOT.war/WEB-INF/lib/spring-boot-autoconfigure-2.6.5.jar
Path= /home/qagent/ROOT.war/WEB-INF/lib/spring-beans-5.3.17.jar
Path= /home/qagent/ROOT.war/WEB-INF/lib/spring-core-5.3.17.jar
Path= /home/qagent/ROOT.war/WEB-INF/lib/spring-boot-jarmode-layertools-2.6.5.jar
------------------------------------------------------------------------
Path= /home/qagent/spring-cloud-function-core-3.2.3.jar, SpringCloudCore Version: 3.2.3
------------------------------------------------------------------------
Path= /home/nonroot/ROOT.war/WEB-INF/lib/spring-webmvc-5.3.17.jar
Path= /home/nonroot/ROOT.war/WEB-INF/lib/spring-boot-2.6.5.jar
Path= /home/nonroot/ROOT.war/WEB-INF/lib/spring-boot-autoconfigure-2.6.5.jar
Path= /home/nonroot/ROOT.war/WEB-INF/lib/spring-beans-5.3.17.jar
Path= /home/nonroot/ROOT.war/WEB-INF/lib/spring-core-5.3.17.jar
Path= /home/nonroot/ROOT.war/WEB-INF/lib/spring-boot-jarmode-layertools-2.6.5.jar
------------------------------------------------------------------------
Path= /home/nonroot/spring-cloud-function-core-3.2.3.jar, SpringCloudCore Version: 3.2.3
------------------------------------------------------------------------