New Spring Java framework zero-day allows remote code execution (Security News, March 2022)
A new zero-day vulnerability in the Spring Core Java framework called 'Spring4Shell' has been publicly disclosed, allowing unauthenticated remote code execution on applications.
Spring is a very popular application framework that allows software developers to quickly and easily develop Java applications with enterprise-level features.
Yesterday, a new Spring Cloud Function vulnerability tracked as CVE-2022-22963 was disclosed, with Proof-of-Concept exploits soon to follow.
Information about a more critical Spring Core remote code execution vulnerability was later circulating on the QQ chat service and a Chinese cybersecurity site.
This new Spring RCE vulnerability, now dubbed Spring4Shell, only affects Spring applications running on Java 9 and above and is caused by unsafe deserialization of passed arguments.
Spring is a very popular application framework for Java applications, raising significant concerns that this may lead to widespread attacks as threat actors scan for vulnerable apps.
Related news
- Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications
- Critical Flaw in Microchip ASF Exposes IoT Devices to Remote Code Execution Risk
- CUPS flaws enable Linux remote code execution, but there’s a catch
- Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans
- OvrC Platform Vulnerabilities Expose IoT Devices to Remote Attacks and Code Execution
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
---|---|---|---|
2022-04-01 | CVE-2022-22963 | Expression Language Injection vulnerability in multiple products. In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. | 9.8 |