Spring patches leaked Spring4Shell zero-day RCE vulnerability (Security News, March 2022)
Spring released emergency updates to fix the 'Spring4Shell' zero-day remote code execution vulnerability, which leaked prematurely online before a patch was released.
Yesterday, an exploit for a zero-day remote code execution vulnerability in the Spring Framework dubbed 'Spring4Shell' was briefly published on GitHub and then removed.
Today, Spring released a security advisory explaining that the vulnerability is now tracked as CVE-2022-22965 and impacts Spring MVC and Spring WebFlux applications running on JDK 9 or later.
"The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment," reads the Spring advisory.
"If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."
Administrators of Spring applications should prioritize deploying these security updates (Spring Framework 5.3.18 and 5.2.20, Spring Boot 2.6.6 and 2.5.12) as soon as possible: Spring4Shell scanners have already been created, and there are reports of the vulnerability being actively exploited in the wild.
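The following is an added example, not code from the article or from the Spring project. It applies the data-binding field denylist that Spring published as a workaround alongside the advisory, and logs the three preconditions the advisory names (Spring Framework version, JDK 9+, Tomcat as the container) at startup so an operator can see at a glance whether a given deployment is exposed. It assumes a Spring Framework 5.x Spring MVC application on a servlet container (`javax.servlet`); the package, class and method names (`DataBindingHardening`, `denyClassPropertyPaths`, `logExposure`, `isPatchedSpring`) are hypothetical.

```java
// Added example, not code from the article or from the Spring project.
// Assumes Spring Framework 5.x / Spring MVC on a servlet container
// (javax.servlet), the configuration the advisory names.
// Package, class and method names are hypothetical.
package com.example.hardening;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.context.event.EventListener;
import org.springframework.core.Ordered;
import org.springframework.core.SpringVersion;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

import javax.servlet.ServletContext;

@ControllerAdvice
// LOWEST_PRECEDENCE makes this advice run after other @ControllerAdvice
// @InitBinder methods, so none of them can replace the denylist set here.
@Order(Ordered.LOWEST_PRECEDENCE)
public class DataBindingHardening {

    private static final Log log = LogFactory.getLog(DataBindingHardening.class);

    // Field patterns from the workaround Spring published with the advisory:
    // refuse to bind request parameters into any property path that goes
    // through a "class"/"Class" property of the target object.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    private final ServletContext servletContext;

    public DataBindingHardening(ServletContext servletContext) {
        this.servletContext = servletContext;
    }

    @InitBinder
    public void denyClassPropertyPaths(WebDataBinder binder) {
        // Caveat: setDisallowedFields() replaces the binder's previous list, and
        // controller-local @InitBinder methods run after global ones, so a
        // controller that calls it itself overrides this advice. Audit those too.
        binder.setDisallowedFields(DENYLIST);
    }

    // Log the preconditions named in the advisory once the context is up.
    @EventListener(ContextRefreshedEvent.class)
    public void logExposure() {
        String spring = SpringVersion.getVersion();      // null when run from unpacked classes
        int java = javaMajor(System.getProperty("java.specification.version"));
        String server = servletContext.getServerInfo();  // e.g. "Apache Tomcat/9.0.58"

        log.info("Spring Framework " + spring + ", Java " + java + ", container " + server);
        if (!isPatchedSpring(spring) && java >= 9 && server.startsWith("Apache Tomcat")) {
            log.warn("CVE-2022-22965 preconditions present: upgrade Spring Framework to 5.3.18+ / 5.2.20+;"
                    + " the data-binding denylist is a workaround, not a fix");
        }
    }

    // java.specification.version is "1.8" for Java 8 and "9", "11", "17", ... for Java 9+.
    static int javaMajor(String spec) {
        return spec.startsWith("1.") ? Integer.parseInt(spec.substring(2)) : Integer.parseInt(spec);
    }

    // Fixed releases: 5.3.18 and 5.2.20 (later minors and 6.x include the fix).
    static boolean isPatchedSpring(String version) {
        if (version == null) return false;               // unknown: treat as unpatched
        String[] p = version.split("[.-]");
        if (p.length < 3) return false;
        int major = Integer.parseInt(p[0]), minor = Integer.parseInt(p[1]), patch = Integer.parseInt(p[2]);
        if (major != 5) return major > 5;
        if (minor == 3) return patch >= 18;
        if (minor == 2) return patch >= 20;
        return minor > 3;                                // 5.1 and earlier: unpatched
    }
}
```

The denylist only blocks the property paths the published exploit relies on; the advisory itself notes the underlying weakness is more general, so treat it as a stopgap until the framework upgrade is deployed. Where a controller binds request parameters into a command object, an explicit `binder.setAllowedFields(...)` allowlist of the fields that object is meant to accept is the stronger control, since it does not depend on anticipating which property paths an attacker will try.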
Related Vulnerability
| Date | CVE | Vulnerability | Risk (CVSS) |
|---|---|---|---|
| 2022-04-01 | CVE-2022-22965 | Code injection vulnerability in multiple products. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. | 9.8 |