The Spring4Shell vulnerability
A new RCE (Remote Code Execution) vulnerability in Spring Core, known as Spring4Shell, has been discovered, and the latest evidence suggests that it could affect real-world applications.
Spring is a popular Java web application development framework. The Spring4Shell vulnerability, which was publicly disclosed on Tuesday, has been thoroughly analyzed and documented by researchers at a number of cybersecurity firms. Patches are not yet available.
Spring Core on JDK (Java Development Kit) 9 and above is affected by the vulnerability, according to Praetorian’s security engineers. The Praetorian engineers claim that the RCE vulnerability is the result of a CVE-2010-1622 bypass. This exploit has been reported to Spring Security and no further information will be released until a patch has been released, the researchers stated in a blog post.
Security professionals have noted that the comparisons between Spring4Shell and the critical Log4Shell vulnerability are likely exaggerated. However, analysts Colin Cowie and Will Dormann separately posted confirmations showing that they were able to get an exploit for the Spring4Shell vulnerability to work against sample code supplied by Spring. If the sample code is vulnerable, it is possible that real-world apps are vulnerable to RCE too, according to a tweet published by Dormann.
As of this writing, it’s not clear how widespread the vulnerability is, or which specific applications might be affected. If that is the case, the risk posed by Spring4Shell is significantly lower than that of the critical-severity RCE vulnerability disclosed in December, known as Log4Shell. Because the vulnerable component was the Apache Log4j logging library, that vulnerability was assumed to have affected the vast majority of organizations.
On Twitter, Dormann expressed uncertainty about “what actual real-world applications are vulnerable to this security flaw.”
In a tweet, he raised the question of whether the flaw is likely to affect mostly custom-built software that uses Spring and meets the list of requirements to be vulnerable.
It is important to note that the Spring4Shell vulnerability is distinct from the Spring Cloud vulnerability, which is tracked as CVE-2022-22963 and was confusingly disclosed around the same time as Spring4Shell. Cybersecurity firm LunaSec stated in a blog post about Spring4Shell that “this vulnerability is NOT as bad” as the Log4Shell vulnerability, which has much more advanced and complex attack scenarios. Still, Spring4Shell is a vulnerability that should not be overlooked and should be patched as soon as possible.