31/03/2022

Spring4Shell Vulnerability

Summary:

As identified by Jisc, one of our trusted support partners a 0-day Remote Code Execution (RCE) vulnerability in Spring Core, a popular Java framework for building Java applications, has been identified. The RCE vulnerability dubbed “Spring4Shell” has not yet been assigned a CVE, however, reports from various security researchers suggest it is a “Critical” vulnerability.  

It is not currently clear what applications are impacted or which specific configurations are required to exploit the Spring4Shell vulnerability. However, researchers have exploited certain environments using the proof-of-concept code that is publicly available. 

This is a separate issue to CVE-2022-22963 – a Medium-severity vulnerability in the Spring Cloud Function (patched in Spring Cloud versions 3.1.7 and 3.2.3). 

Considerations:

Currently, it is not possible to initiate accurate and efficient scanning on the Janet Network for this vulnerability, however, Jisc is investigating effective scanning methods for this threat.   

There is evidence of the vulnerability being actively exploited. 

Threat actors who may attempt to utilise this vulnerability to their advantage will be examined. 

Vulnerable Versions:

Originally thought to be all Spring Applications running Java 9 and above, it is now reported that other specific configurations are also required for proper exploitation.  

Recommendation(s):

Identify if your organisation utilises Spring Core framework and implement logging on the system to monitor for any suspicious activity. 

With no patch and a lack of details regarding the vulnerable versions, the current advice for Spring App admins is to apply the mitigations that disallow certain ‘patterns’ described by Praetorian in their blog here:

References:

Questions:

If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk

Keeping Up To Date With Us Is Easy, Sign Up To Our Newsletter Today!

Stay in touch with emPSN, so that you get the latest e-safety advice and invites to our community events.

    Our partners