On March 30, 2022, a Chinese researcher published a GitHub commit containing exploit code for a zero-day unauthenticated remote code execution (RCE) vulnerability in the Spring Framework. The vulnerability, CVE-2022-22965, has since been nicknamed Spring4Shell.
Here’s everything you need to know:
What is the Spring4Shell vulnerability?
To understand the vulnerability, we first need to understand the components it affects.
Spring applications running on Java 9 and above are susceptible to Spring4Shell. Unlike Java 8 and earlier, Java 9 changed the Class object in Java and exposed a new public method, getModule().
Exposing this new public method on the Class interface added a new way to dynamically reach the JVM's class loader. Prior to Java 9, the Spring Framework's existing restrictions were enough to prevent the class loader from being triggered this way.
Under Java 9 and later, this change potentially allows malicious actors to abuse Spring applications, which could result in remote code execution.
Does it affect me?
An application is affected when:
- The app runs on Java 9 or above
- The app is based on the Spring Framework
- The app uses "Spring Parameter Binding" and has been configured to bind a non-basic parameter type, such as a POJO (Plain Old Java Object)
We didn't find any mention of it having been exploited. There is also not enough data yet to gauge how widespread it will become. Fortunately, there are mitigations organizations can put in place, both in code that uses the Spring Framework and at the WAF level.
If this turns out to be a Log4j-level problem, security teams will need to find and update every project that uses the Spring Framework.
As a first step, update to the latest Spring version (5.3.18 at the time of writing).
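As an added example that is not part of the original post, here is the code-level mitigation for Spring applications that cannot update right away: a global @ControllerAdvice that blocks request-parameter binding of any property path starting with, or passing through, "class", mirroring the workaround published in the Spring Framework advisory for this CVE. The POJO and controller below are constructed only to show the "Spring Parameter Binding" style listed under "Does it affect me?"; the class names and route are assumptions.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Hypothetical global binder hardening (added example, not from the original post).
 *
 * Spring's request-parameter binding walks nested property paths such as
 * "address.city" onto a bound POJO. Every Java object also exposes its Class
 * object through getClass(), and since Java 9 that Class exposes getModule(),
 * which opens a further path towards the class loader. Disallowing any
 * property path that begins with, or passes through, "class" stops binding
 * from descending into those internals.
 */
@ControllerAdvice
@Order(Ordered.HIGHEST_PRECEDENCE)
public class BinderHardeningAdvice {

    // Spring's disallowed-field patterns use simple "*" wildcard matching.
    // Both capitalisations are listed because matching of disallowed fields
    // has not always been case-insensitive across Spring releases.
    private static final String[] BLOCKED_FIELDS = {
            "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void hardenBinder(WebDataBinder binder) {
        // setDisallowedFields replaces, rather than appends to, any patterns
        // already registered on this binder; a controller-local @InitBinder
        // that calls it again will override this global list.
        binder.setDisallowedFields(BLOCKED_FIELDS);
    }
}

/** Constructed POJO: the kind of non-basic parameter type the advisory lists. */
class AccountForm {
    private String username;
    private String email;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

/**
 * Constructed controller: the argument has no @RequestBody, so Spring binds
 * request parameters (query string or form fields) onto AccountForm by name.
 */
@RestController
class AccountController {

    @PostMapping("/accounts")
    public String create(AccountForm form) {
        // With the advice above registered, any parameter whose name starts
        // with "class." is rejected by the binder before it can be written
        // onto the form object or its Class.
        return "created " + form.getUsername();
    }
}
```

This is a stop-gap, not a substitute for updating to 5.3.18: a controller that registers its own disallowed fields overrides the global list, so every local @InitBinder method needs to be checked. A WAF-level rule that rejects request parameter names matching the same four patterns gives defence in depth in front of the application.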
The Spring4Shell vulnerability is just the latest reminder of how important it is to keep up with emerging vulnerabilities. We recommend browsing our Remedy Cloud for recommendations on how to mitigate this vulnerability and others.
The Vulcan Cyber platform is a valuable partner in mitigating the continuing threat of zero-day vulnerabilities. See it in action.