Patch now: RCE Spring4shell hits Java Spring framework (Security News, March 2022)
Another Java Remote Code Execution vulnerability has reared its head, this time in the popular Spring Framework and, goodness, it's a nasty one.
This is a severe remote code execution zero day that can be accessed over HTTP or HTTPS. "Spring have acknowledged the vulnerability and released 5.3.18 and 5.2.20 to patch the issue," said Sonatype, "We recommend an immediate upgrade for all users."
The vulnerability comes hot on the heels of another Spring whoopsie.
"It's difficult to predict the final impact, but the IT community and Spring have reacted very quickly. Ultimately, it all depends on how quickly bad actors can undertake reconnaissance for vulnerabilities and add it to their playbook for attacks. Java is in 3 billion devices worldwide, so this has every possibility of becoming a silent but deadly tactic that hackers leverage."
The vulnerability lies in Spring Core on JDK 9+, and the Praetorian team has published a mitigation for cases where the fix released by Spring cannot be applied.
Spring is a popular framework, and the vulnerability is a reminder of the importance of knowing what your apps depend on, and how those dependencies are used.
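As an added example of the "know what your apps depend on" point, and not code from the article, Spring or Sonatype, the script below scans a Maven-style dependency listing and flags any Spring Framework artifact older than the fixed releases the article names (5.3.18 for the 5.3.x line, 5.2.20 for the 5.2.x line). The dependency listing is a constructed sample, and the parsing of `mvn dependency:list`-style lines is an assumption about that output format; release lines not named in the article are reported as unknown rather than silently passed.

```python
"""Flag Spring Framework artifacts below the patched releases named in the article.

Added example (not from the article or from Spring/Sonatype). It parses a
constructed Maven-style dependency listing and reports any org.springframework
artifact older than the fixed releases 5.3.18 (5.3.x) and 5.2.20 (5.2.x).
"""
import re

# Fixed releases as stated in the article, keyed by major.minor release line.
FIXED_VERSIONS = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Constructed sample in the style of `mvn dependency:list` output (not real project data).
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.springframework:spring-core:jar:5.3.17:compile
[INFO]    org.springframework:spring-beans:jar:5.3.17:compile
[INFO]    org.springframework:spring-webmvc:jar:5.3.18:compile
[INFO]    org.springframework:spring-context:jar:5.2.19.RELEASE:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
"""

# group:artifact:jar:version ... (assumed line shape for this example)
LINE_RE = re.compile(r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):jar:(?P<version>[^:\s]+)")


def parse_version(text):
    """Turn '5.2.19.RELEASE' into (5, 2, 19); stop at the first non-numeric part."""
    nums = []
    for part in text.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            break
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_unpatched(version):
    """True if the version is on a 5.2.x/5.3.x line and below the fix,
    False if it is at or above the fix, None for lines the article does not cover."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def find_unpatched_spring(listing):
    """Return [(artifact, version, status)] for every org.springframework artifact."""
    results = []
    for line in listing.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("group") != "org.springframework":
            continue
        status = is_unpatched(m.group("version"))
        results.append((m.group("artifact"), m.group("version"), status))
    return results


if __name__ == "__main__":
    for artifact, version, status in find_unpatched_spring(SAMPLE_DEPENDENCY_LIST):
        label = {True: "UPGRADE", False: "ok", None: "unknown line, review"}[status]
        print(f"{artifact:20} {version:16} {label}")
```

Run it against the real output of your build tool's dependency listing rather than the sample; transitive dependencies matter here, since an application rarely declares `spring-core` directly.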
News URL
https://go.theregister.com/feed/www.theregister.com/2022/03/31/spring_vuln/
Related news
- Microsoft SharePoint RCE flaw exploits in the wild – you've had 3 months to patch (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)