Over the past couple of days, a developing situation around a remote code execution (RCE) vulnerability in Java’s Spring Framework has been surrounded by hype and rumors. Given the confusion, here are a few points and resources to explain what is currently known.
Despite the seemingly sensationalized and similar nickname, until more is known, this vulnerability is not assessed to be as serious as “Log4Shell.” However, because this is an RCE vulnerability, utilities are encouraged to have their system administrators review the available information and assess the impact within their own environments.
The following information has been collected from posts by Flashpoint and Tenable.
What is SpringShell (“Spring4Shell”)?
SpringShell has been assigned CVE-2022-22965, which is still in RESERVED status. According to the vendor, the vulnerability currently affects applications running on JDK 9 or newer that are deployed to Tomcat as a WAR, but it may have the potential to affect other environments.
A proof-of-concept (PoC) for remote code execution has been published and validated against Spring Core. The PoC leverages this vulnerability to modify the Tomcat logging configuration so that shellcode is written into the log file, and then achieves remote code execution.
How severe is Spring4Shell?
An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration.
Is there a patch available for Spring4Shell?
As of March 31, Spring Framework versions 5.3.18 and 5.2.20 have been released. According to the vulnerability announcement from Spring, Spring Boot versions 2.6.6 and 2.5.12 (both of which depend on Spring Framework 5.3.18) have also been released.
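To turn the prerequisites and fixed versions above into something an administrator can run against an inventory, the following triage script is added here as an example; it is not code from this advisory, Flashpoint, Tenable or the Spring project. It reads the Spring Framework version from the jar filenames under WEB-INF/lib of a WAR file and compares the deployment against the conditions the advisory lists (JDK 9 or newer, Tomcat, WAR packaging, Spring Framework older than 5.3.18 or 5.2.20). The `Deployment` record, the jar-filename convention, and the choice to treat minor lines with no fixed release named above (for example 5.1.x) as unpatched are assumptions made for the example; the sample WAR is constructed in memory.

```python
"""
Triage helper for CVE-2022-22965 (Spring4Shell): does a WAR deployment match
the prerequisites summarised in the advisory?

Conditions checked (as stated in the advisory):
  * JDK 9 or newer
  * Apache Tomcat as the servlet container, deployed as a WAR
  * Spring Framework older than the fixed releases 5.3.18 / 5.2.20
"""
import io
import re
import zipfile
from dataclasses import dataclass

# Fixed Spring Framework releases named in the advisory, keyed by minor line.
FIXED_VERSIONS = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Spring Framework jars whose filename carries the framework version,
# e.g. WEB-INF/lib/spring-core-5.3.17.jar or spring-webmvc-5.2.19.RELEASE.jar.
SPRING_JAR_RE = re.compile(
    r"WEB-INF/lib/spring-(?:core|beans|webmvc|webflux)-"
    r"(\d+)\.(\d+)\.(\d+)(?:[.-][\w.]*)?\.jar$"
)


@dataclass
class Deployment:
    """Hypothetical inventory record for one deployed application (assumption)."""
    jdk_major: int      # major Java version the container runs on
    container: str      # e.g. "tomcat", "jetty"
    packaging: str      # "war" or "jar"
    war_bytes: bytes    # the deployment archive


def spring_versions_in_war(war_bytes):
    """Return the set of Spring Framework (major, minor, patch) versions found under WEB-INF/lib."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = SPRING_JAR_RE.search(name)
            if m:
                found.add(tuple(int(x) for x in m.groups()))
    return found


def spring_version_is_patched(version):
    """True if the version is at or above the fixed release for its minor line.
    Assumption: a minor line with no fixed release named in the advisory is treated as unpatched."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return False
    return version >= fixed


def assess(dep):
    """Return (matches_prerequisites, reasons). reasons lists every condition that is NOT met."""
    reasons = []
    if dep.jdk_major < 9:
        reasons.append(f"JDK {dep.jdk_major} is older than 9")
    if dep.container.lower() != "tomcat":
        reasons.append(f"servlet container is {dep.container}, not Tomcat")
    if dep.packaging.lower() != "war":
        reasons.append(f"packaging is {dep.packaging}, not WAR")
    versions = spring_versions_in_war(dep.war_bytes)
    if not versions:
        reasons.append("no Spring Framework jars found in WEB-INF/lib")
    elif all(spring_version_is_patched(v) for v in versions):
        listed = ", ".join(".".join(map(str, v)) for v in sorted(versions))
        reasons.append(f"all Spring Framework jars are at a fixed release: {listed}")
    return (not reasons), reasons


def build_sample_war(spring_version):
    """Constructed sample WAR (a zip) for demonstration; the jar entries are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for artifact in ("spring-core", "spring-beans", "spring-webmvc"):
            war.writestr(f"WEB-INF/lib/{artifact}-{spring_version}.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("5.3.17", 11, "tomcat"), ("5.3.18", 11, "tomcat"),
               ("5.3.17", 8, "tomcat"), ("5.3.17", 11, "jetty"))
    for ver, jdk, container in samples:
        dep = Deployment(jdk_major=jdk, container=container, packaging="war",
                         war_bytes=build_sample_war(ver))
        match, why = assess(dep)
        verdict = "MATCHES prerequisites" if match else "does not match"
        print(f"Spring {ver}, JDK {jdk}, {container}: {verdict}; "
              f"{'; '.join(why) or 'all listed conditions present'}")
```

The version is taken from jar filenames, so a WAR whose Spring classes have been shaded or repackaged into a single jar will show up as "no Spring Framework jars found" and needs a manual look. A deployment that does not match the listed prerequisites is not proven safe, since the advisory notes that other environments may also be affected; the script only separates the deployments that clearly need the 5.3.18 / 5.2.20 upgrade first.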
How prevalent is the Spring Framework?
According to the Spring Framework project, it is the world’s most popular Java framework. The Spring Framework is open source and widely used for enterprise applications.