
CISA adds Spring4Shell to list of exploited vulnerabilities
2022-04-05 11:07

It's been almost a week since the Spring4Shell vulnerability came to light and since the Spring development team fixed it in new versions of the Spring Framework.

We might not have all the facts yet: the US Cybersecurity and Infrastructure Security Agency (CISA) added Spring4Shell to its Known Exploited Vulnerabilities Catalog on Monday.

Though it can give attackers remote code execution, Spring4Shell is evidently harder to exploit than Log4Shell, and there is no glut of different PoCs for it.

"The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it," Spring developers noted.
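A small triage helper that applies the preconditions quoted above to an application inventory, added here as an example that is not part of the original article; the `JavaWebApp` fields, the sample inventory and the outcome labels are all constructed for the illustration:

```python
"""Classify deployed Java web apps against the Spring4Shell preconditions:
Spring MVC or WebFlux, JDK 9+, deployed as a WAR on Tomcat.
Field names, sample records and labels are constructed for this example."""
from dataclasses import dataclass


@dataclass
class JavaWebApp:
    name: str
    framework: str      # e.g. "spring-mvc", "spring-webflux", "jaxrs"
    java_version: str   # as printed by `java -version`, e.g. "1.8.0_292" or "11.0.14"
    packaging: str      # "war" or "jar"
    container: str      # servlet container: "tomcat", "jetty", "embedded", ...


def java_major(version: str) -> int:
    """Map a Java version string to its feature release number.
    Releases before 9 use the legacy '1.x' scheme (1.8.0_292 -> 8);
    9 and later use 'N.y.z' or just 'N' (11.0.14 -> 11, 17-ea -> 17)."""
    parts = version.split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])
    return int(parts[0].split("-")[0])


def triage(app: JavaWebApp) -> str:
    """Return 'exposed-known-exploit', 'patch-soon' or 'not-affected'."""
    if app.framework not in {"spring-mvc", "spring-webflux"}:
        return "not-affected"
    matches_known_exploit = (java_major(app.java_version) >= 9
                             and app.packaging == "war"
                             and app.container == "tomcat")
    if matches_known_exploit:
        return "exposed-known-exploit"
    # Boot executable jars and pre-9 JDKs are not hit by the public exploit,
    # but the advisory says the flaw is more general, so they still get fixed.
    return "patch-soon"


def prioritise(apps):
    """Order an inventory so the most exposed apps come first."""
    rank = {"exposed-known-exploit": 0, "patch-soon": 1, "not-affected": 2}
    return sorted(apps, key=lambda a: (rank[triage(a)], a.name))


# Constructed sample inventory.
INVENTORY = [
    JavaWebApp("billing", "spring-mvc", "11.0.14", "war", "tomcat"),
    JavaWebApp("legacy-portal", "spring-mvc", "1.8.0_292", "war", "tomcat"),
    JavaWebApp("api-gateway", "spring-webflux", "17", "jar", "embedded"),
    JavaWebApp("reports", "jaxrs", "17.0.2", "war", "tomcat"),
]

if __name__ == "__main__":
    for app in prioritise(INVENTORY):
        print(f"{triage(app):24} {app.name}")
```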

As Bob Rudis, Rapid7's Chief Security Data Scientist, pointed out, exploiting Spring4Shell requires attackers to have knowledge of the target environment, and that knowledge would also come in handy for more effective attacks.

While Log4Shell remediation should definitely remain a priority right now, since it is being actively exploited by attackers, Spring4Shell fixes should be put on the to-do list and performed sooner rather than later.

News URL

https://www.helpnetsecurity.com/2022/04/05/spring4shell-exploited/