
Is the new zero-day vulnerability “Spring4Shell” the next Log4Shell? Learn how to mitigate

Bar Lanyado
 | Mar 31, 2022

On March 30, 2022, a Chinese researcher published a GitHub commit containing exploit code for a zero-day, unauthenticated remote code execution vulnerability in the Spring Framework. The RCE vulnerability has since been assigned CVE-2022-22965 and is being nicknamed “Spring4Shell”.

Here’s everything you need to know: 

What is the Spring4Shell vulnerability?

To understand the vulnerability, we first need to understand the components involved and how they interact.

Spring applications that run on Java 9 and above are susceptible to Spring4Shell. Java 9 introduced the module system and, with it, a new public method on java.lang.Class: getModule(). The Module object it returns in turn exposes getClassLoader().

Why does that matter? Spring’s data binder populates an object’s properties from request parameters by following dotted property paths, and every Java object exposes a “class” property through getClass(). Since CVE-2010-1622, Spring has refused to bind into the class.classLoader property so that request parameters cannot reach the ClassLoader. On Java 8 and below that check was sufficient, because class.classLoader was the only bean-style path from a bound object to its class loader.

On Java 9 and above, the path class.module.classLoader reaches the very same ClassLoader by a route the old check never considered. A request parameter named along that path can therefore set properties on objects reachable from the class loader; on Apache Tomcat the public exploit uses this to modify the server’s logging configuration and write an attacker-controlled file under the web root, which results in remote code execution.

Does it affect me?

  • The app runs on JDK 9 or above
  • The app is based on the Spring Framework, specifically Spring MVC (spring-webmvc) or Spring WebFlux (spring-webflux)
  • The app uses Spring parameter binding into a non-basic parameter type, such as a POJO (Plain Old Java Object)
  • For the published exploit specifically: the app is packaged as a WAR and deployed on Apache Tomcat

Spring has stated that the underlying vulnerability is more general than the published exploit, so an application that only misses the last condition (for example, a Spring Boot executable JAR with embedded Tomcat) should still be treated as affected and updated.

Has it been actively exploited in the wild?

We didn’t find any mention of it having been exploited. Currently, there’s also not enough data to understand how widespread it will become. Fortunately, there are some mitigations organizations can put in place, both in code using the Spring framework and at the WAF level.

Fixing Spring4Shell

Whether or not this turns out to be a Log4j-level problem, security teams will need to find and update every project that leverages the Spring Framework, including services that pull it in transitively through Spring Boot.

As a first step, update to a patched Spring Framework release: 5.3.18 or 5.2.20 (the fixed versions at the time of writing). Spring Boot 2.6.6 and 2.5.12 pull these in. Apache Tomcat 10.0.20, 9.0.62 and 8.5.78 additionally close the class loader path used by the public exploit, but upgrading Tomcat alone does not fix the Spring vulnerability. If you cannot upgrade immediately, Spring has published a workaround that denies binding to any “class”-prefixed property path across all controllers.

The Spring4Shell vulnerability is just the latest evidence of how important it is to keep up with emerging vulnerabilities. We recommend that you browse our Remedy Cloud to see recommendations for how to mitigate this vulnerability, and others.

The Vulcan Cyber platform is a valuable partner in mitigating the continuing threat of zero-day vulnerabilities. See it in action.

About the Author

Bar Lanyado

Bar is a security researcher who joined Vulcan Cyber after years of experience as a security specialist. He is passionate about uncovering new vulnerabilities and security trends, and helping the community stay ahead of threat actors.
