
Spring4Shell: New info and fixes (CVE-2022-22965)
2022-04-01 06:20

In this video for Help Net Security, Ax Sharma, Senior Security Researcher at Sonatype, talks about the latest developments regarding Spring4Shell, the unauthenticated RCE zero-day vulnerability in Spring Core whose existence has finally been confirmed by its developers.

Spring4Shell has been catalogued as CVE-2022-22965 and fixed in Spring Framework 5.3.18 and 5.2.20, and Spring Boot 2.5.12 and 2.6.6.
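As an added check written for this page (not code from Help Net Security, Sonatype or the Spring project), the script below flags Spring Framework and Spring Boot artifacts whose version is below the fixed releases named above. It reads a constructed dependency listing in group:artifact:version form and flags by version alone, since the developers note the vulnerability is more general than the Tomcat WAR exploit.

```python
# Added example: flag Spring artifacts below the fixed versions from the article
# (Spring Framework 5.3.18 / 5.2.20, Spring Boot 2.5.12 / 2.6.6).
from __future__ import annotations
import re

# Minimum safe version per (group, release branch), taken from the article.
FIXED = {
    ("org.springframework", (5, 3)): (5, 3, 18),
    ("org.springframework", (5, 2)): (5, 2, 20),
    ("org.springframework.boot", (2, 5)): (2, 5, 12),
    ("org.springframework.boot", (2, 6)): (2, 6, 6),
}
CHECKED_GROUPS = {group for group, _ in FIXED}

def parse_version(v: str) -> tuple:
    """Turn '5.3.17', '5.3.17.RELEASE' or '2.6.6-SNAPSHOT' into an int triple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    return tuple(int(x) for x in m.groups())

def check_dependencies(lines: list) -> list:
    """Return one finding per Spring Framework / Spring Boot artifact that is
    below the fix for its branch. Branches with no fix listed in the article
    are reported too, so they are not silently treated as safe."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")[:3]
        if group not in CHECKED_GROUPS:  # e.g. org.springframework.security
            continue
        major, minor, patch = parse_version(version)
        fixed = FIXED.get((group, (major, minor)))
        coord = f"{group}:{artifact}:{version}"
        if fixed is None:
            findings.append(f"{coord} -> branch {major}.{minor} not covered; review manually")
        elif (major, minor, patch) < fixed:
            findings.append(f"{coord} -> upgrade to {'.'.join(map(str, fixed))}")
    return findings

# Constructed sample listing (one artifact per line, as a build tool would report).
SAMPLE = """\
org.springframework:spring-webmvc:5.3.17
org.springframework:spring-beans:5.3.18
org.springframework.boot:spring-boot:2.6.5
org.springframework.boot:spring-boot-starter-web:2.6.6
org.springframework.security:spring-security-core:5.6.2
org.springframework:spring-core:5.1.20.RELEASE
"""

if __name__ == "__main__":
    for finding in check_dependencies(SAMPLE.splitlines()):
        print(finding)
```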

"The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment," Spring Framework developers have explained.

"If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."

Sharma gives a short rundown of the situation so far, clears up some misconceptions, and advises organizations with vulnerable apps on what to do next to plug both CVE-2022-22965 and CVE-2022-22963, an RCE in the Spring Cloud Function library, as PoC exploits for both are available online and both are considered critical.


News URL

https://www.helpnetsecurity.com/2022/04/01/cve-2022-22965/

Related Vulnerability

DATE  CVE  VULNERABILITY TITLE  RISK

2022-04-01  CVE-2022-22965  Code Injection vulnerability in multiple products
    A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
    Attack vector: network; attack complexity: low; affected vendors: vmware, cisco, oracle, siemens, veritas; weakness: CWE-94; risk: critical (9.8)

2022-04-01  CVE-2022-22963  Expression Language Injection vulnerability in multiple products
    In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
    Attack vector: network; attack complexity: low; affected vendors: vmware, oracle; weakness: CWE-917; risk: critical (9.8)