Summary:
Jisc, one of our trusted support partners, has identified a 0-day Remote Code Execution (RCE) vulnerability in Spring Core, a popular Java framework for building Java applications. The RCE vulnerability, dubbed “Spring4Shell”, has not yet been assigned a CVE; however, reports from various security researchers suggest it is a “Critical” vulnerability.
It is not currently clear what applications are impacted or which specific configurations are required to exploit the Spring4Shell vulnerability. However, researchers have exploited certain environments using the proof-of-concept code that is publicly available.
This is a separate issue from CVE-2022-22963, a Medium-severity vulnerability in Spring Cloud Function (patched in Spring Cloud versions 3.1.7 and 3.2.3).
Considerations:
Currently, it is not possible to carry out accurate and efficient scanning on the Janet Network for this vulnerability; however, Jisc is investigating effective scanning methods for this threat.
There is evidence of the vulnerability being actively exploited.
Threat actors who may attempt to utilise this vulnerability to their advantage will be examined.
Vulnerable Versions:
Originally thought to be all Spring applications running Java 9 and above, it is now reported that other specific configurations are also required for successful exploitation.
Recommendation(s):
Identify whether your organisation uses the Spring Core framework and implement logging on those systems to monitor for any suspicious activity.
With no patch available and a lack of detail regarding the vulnerable versions, the current advice for Spring application administrators is to apply the mitigations that disallow certain binding ‘patterns’, as described by Praetorian in their blog:
- Spring Core on JDK9+ is vulnerable to remote code execution – Praetorian
- DataBinder (Spring Framework 5.3.18 API)
- Spring4Shell: Zero-Day Vulnerability in Spring Framework | Rapid7 Blog
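As an added example that is not part of this advisory and not Praetorian's or Spring's own code, the following Java @ControllerAdvice shows what the DataBinder-level mitigation referred to above looks like: it registers the disallowed field patterns on every WebDataBinder before request parameters are bound. The package and class names are hypothetical; the pattern list follows the guidance Spring published for this issue.

```java
// Added example, not code from this advisory, Praetorian or Spring: a global
// @ControllerAdvice that registers disallowed field patterns on every
// WebDataBinder, the DataBinder-level mitigation referenced above.
// Package and class names are hypothetical; the pattern list follows the
// guidance Spring published for this issue.
package uk.example.hardening;

import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
public class BinderHardeningAdvice {

    // Property paths that let request parameters walk from any bound bean's
    // "class" getter towards its ClassLoader. Both capitalisations are listed,
    // as in Spring's published guidance.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void denyClassLoaderPaths(WebDataBinder binder) {
        // setDisallowedFields() replaces the whole array, so merge with whatever
        // the binder already carries rather than silently discarding it.
        Set<String> merged = new LinkedHashSet<>();
        String[] existing = binder.getDisallowedFields();
        if (existing != null) {
            for (String field : existing) {
                merged.add(field);
            }
        }
        for (String field : DENYLIST) {
            merged.add(field);
        }
        binder.setDisallowedFields(merged.toArray(new String[0]));
    }
}
```

A controller that declares its own @InitBinder method and calls setDisallowedFields runs after this global advice and overwrites the list, so such controllers must include the same patterns locally.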
References:
- New Spring Java framework zero-day allows remote code execution (bleepingcomputer.com)
- Spring4Shell: Security Analysis of the latest Java RCE ‘0-day’ vulnerabilities in Spring | LunaSec
- Spring Core on JDK9+ is vulnerable to remote code execution – Praetorian
- GitHub – reznok/Spring4Shell-POC: Dockerized Spring4Shell (CVE-2022-22965) PoC application and exploit
- Spring4Shell: Zero-Day Vulnerability in Spring Framework | Rapid7 Blog
- DataBinder (Spring Framework 5.3.18 API)
Questions:
If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk