
Spring4Shell: Spring Flaws Lead to Confusion, Concerns of New Log4Shell-Like Threat

The disclosure of several vulnerabilities affecting the widely used Spring Java framework has led to confusion and concerns that organizations may need to deal with a flaw similar to the notorious Log4Shell.

VMware-owned Spring has been described as the world’s most popular Java framework. Spring is designed to increase speed and productivity by making Java programming easier.

The cybersecurity community started to panic on Wednesday after a Chinese researcher recently made available a proof-of-concept (PoC) exploit for a remote code execution vulnerability affecting the Spring framework’s Core module.

The PoC exploit has since been removed, but researchers who have analyzed it have confirmed that it targets what appears to be an unpatched flaw that can be exploited without authentication. A CVSS score of 10 has been assigned to the bug, but there is no CVE identifier.

Cybersecurity company Praetorian reported that the zero-day vulnerability, which has been dubbed Spring4Shell and SpringShell, appears to be the result of a bypass for an old security hole tracked as CVE-2010-1622.

After the world learned about the existence of Spring4Shell, many in the cybersecurity community warned that the vulnerability could turn out to be worse than the Log4j flaw known as Log4Shell, which has been exploited in many attacks by both profit-driven cybercriminals and state-sponsored threat actors. Concerns were raised due to the apparent ease of exploitation and the widespread use of Spring.

However, a closer analysis revealed that organizations might not need to panic over Spring4Shell. While the PoC exploit released by the Chinese researcher does work, it only works against certain configurations and versions of Java 9 and newer. It’s still unclear how many applications are actually vulnerable to attacks.

The confusion surrounding the Spring4Shell vulnerability is made worse by two other Spring security holes that were disclosed and patched this week. One of them, tracked as CVE-2022-22963, has been described as a medium-severity issue in Spring Cloud Function that can be exploited to access local resources.

The second Spring vulnerability disclosed this week, CVE-2022-22950, is a medium-severity DoS flaw affecting the Spring Framework. Both flaws can be exploited using specially crafted Spring Expression Language (SpEL) expressions.

Many, including some cybersecurity firms, have incorrectly linked CVE-2022-22963 and CVE-2022-22950 to the Spring4Shell vulnerability.

Akamai told SecurityWeek that it had seen exploitation attempts by attackers and bug bounty hunters since March 27, but the company seems to be referring to CVE-2022-22963, not the vulnerability tracked as Spring4Shell. Akamai has been contacted for clarifications.

There are also other unconfirmed reports of Spring4Shell being actively exploited in attacks, but given the confusion surrounding the vulnerability, these claims should be taken with a grain of salt.

Rapid7 said on Wednesday that it had not seen evidence of exploitation in the wild, and Flashpoint said it had “yet to observe exploitation attempts, or threat actor communications, regarding the SpringShell vulnerability.”

Until a patch becomes available for Spring4Shell, there are temporary mitigations that can be implemented to prevent attacks.

Related: Log4Shell-Like Vulnerability Found in Popular H2 Database

Related: Log4Shell Tools and Resources for Defenders – Continuously Updated

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
