Will it be as severe as Log4Shell? Opinions differ, but here are some things we need to know about Spring4Shell.

A new zero-day vulnerability in the Spring Core Java framework allowing unauthenticated remote code execution (RCE) on applications has been publicly disclosed.

In the past few days, security researchers have been warning about Spring4Shell, an RCE bug found in Spring Cloud, that could lead to the compromise of an entire internet-connected host.

Many researchers are also claiming that this newfound bug might be the equivalent of the devastating Log4Shell vulnerability that happened late last year.

Cybersecurity experts share their thoughts on Spring4Shell:

Jeff Costlow, CISO, ExtraHop:

“When zero-day exploits like Spring4Shell come to light, organizations immediately are thrust into panic mode, scrambling to determine the potential blast radius of the vulnerability.”

“Given the broad use of Apache Tomcat by developers, this remote code execution vulnerability has huge potential impact. Security teams need to immediately understand what software and devices might be affected and identify whether there are any vulnerable devices in their environment. This can be remarkably challenging because many organizations struggle to maintain an up-to-date inventory of devices in their environment, let alone have the ability to detect software types and versions running on their business devices.”

“We know at this point that the remote code execution vulnerability is present in the Java Spring framework, but it may also be present in other Java applications. It affects Tomcat, a very common connector that joins together a webserver and the Java application. We suspect there may be other vulnerable applications, but are focusing on the attacks that are in the wild. We have reports of scanning already for this vulnerability so it is only a matter of time before a fully weaponized POC is leveraged.”

“This is a severe remote code execution zero day that can be accessed over HTTP or HTTPS. The use of encrypted protocols to exploit this vulnerability, as well as others like Log4Shell, underscores the degree to which encryption is being weaponized by cyber-attackers. While open source code is truly the building block of our internet and software universe, this vulnerability yet again shines a light on the issue of such a ubiquitous framework in the context of cybersecurity.”

Jonathan Knudsen, Senior Software Strategist, Synopsys Software Integrity Group:

“The Internet is buzzing with talk about two separate vulnerabilities related to different Spring projects. The two are not related, but have been confused because both vulnerabilities were disclosed at nearly the same time.”

“The first is CVE-2022-22963, tracked in the Black Duck Knowledgebase as BDSA-2022-0850. This is a remote code execution vulnerability in Spring Cloud Function. Issued with a medium severity by vendor VMware (https://tanzu.vmware.com/security/cve-2022-22963), researchers have since found that achieving remote code execution is possible. An upgrade patch already exists, so affected users are urged to upgrade as soon as possible.”

“For the second vulnerability, a CVE identifier has not been assigned yet. This is the vulnerability many security researchers have been calling Spring4Shell. Under certain circumstances, it allows an attacker to run arbitrary code, but the ease of exploitation varies with how the code running on Spring Boot is written, and how Spring Boot is run.”

“Regardless of how Spring4Shell evolves, these two vulnerabilities highlight the importance of knowing what open source components you are using and keeping on top of vulnerabilities as they are disclosed. Software Composition Analysis (SCA) solutions do exactly this. They can produce a software bill of materials (SBOM) for an application and proactively notify you when new vulnerabilities are disclosed in components you have used.”
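Knudsen's point about knowing which open source components you are using can be made concrete with a small inventory check over an SBOM. The script below is an added example, not code from the article, from Synopsys or from any other vendor quoted here. It assumes a CycloneDX JSON SBOM with a top-level "components" list (group/name/version fields, or a Maven purl). The sample SBOM, its component versions and the watch-list entries are constructed placeholders; the first fixed version for each advisory must be taken from the vendor's own advisory, and `None` means "flag every version" (the article notes that no patch existed for Spring4Shell at the time of writing).

```python
"""Flag watched open-source components in a CycloneDX-style SBOM.

Added example, not code from the article or from any quoted vendor.
Assumes CycloneDX JSON with a "components" list whose entries carry
"group"/"name"/"version" and optionally a Maven "purl".
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample SBOM: versions are made up for illustration and are
# not statements about which real versions are vulnerable.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.springframework", "name": "spring-core", "version": "1.2.3"},
        {"group": "org.springframework", "name": "spring-webmvc", "version": "1.2.3"},
        # purl-only entry, as some SBOM generators emit
        {"purl": "pkg:maven/org.springframework.cloud/spring-cloud-function-context@4.5.6"},
        {"group": "org.apache.tomcat.embed", "name": "tomcat-embed-core", "version": "7.8.9"},
        {"group": "com.example", "name": "unrelated-lib", "version": "0.1.0"},
    ],
})

# Watch list: (Maven group, artifact-name prefix) -> (label, first fixed version or None).
# None = no fixed version known to us, flag every version. PLACEHOLDER entries:
# replace the fixed version with the one from the vendor advisory.
WATCH_LIST: Dict[Tuple[str, str], Tuple[str, Optional[str]]] = {
    ("org.springframework", "spring-"): ("Spring4Shell (Spring Core, no patch at time of writing)", None),
    ("org.springframework.cloud", "spring-cloud-function"): ("CVE-2022-22963", None),  # PLACEHOLDER fixed version
}

PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<name>[^@/?#]+)@(?P<version>[^?#]+)")


def coordinates(component: dict) -> Optional[Tuple[str, str, str]]:
    """Return (group, name, version), falling back to the purl when fields are missing."""
    group, name, version = component.get("group"), component.get("name"), component.get("version")
    if not (group and name and version) and component.get("purl"):
        m = PURL_RE.match(component["purl"])
        if m:
            group = group or m.group("group")
            name = name or m.group("name")
            version = version or m.group("version")
    if group and name and version:
        return group, name, version
    return None


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric-prefix comparison key: '5.3.17' -> (5, 3, 17); qualifiers such as '-SNAPSHOT' are dropped."""
    nums = re.match(r"^[0-9]+(?:\.[0-9]+)*", v)
    return tuple(int(p) for p in nums.group(0).split(".")) if nums else (0,)


def is_flagged(group: str, name: str, version: str, watch_list=WATCH_LIST) -> Optional[str]:
    """Return the advisory label when the component is watched and below the fixed version, else None."""
    for (w_group, w_prefix), (label, fixed_in) in watch_list.items():
        if group == w_group and name.startswith(w_prefix):
            if fixed_in is None or version_key(version) < version_key(fixed_in):
                return label
    return None


def scan_sbom(sbom_json: str, watch_list=WATCH_LIST) -> List[Tuple[str, str, str, str]]:
    """Return (group, name, version, label) for every flagged component, without duplicates."""
    bom = json.loads(sbom_json)
    findings: List[Tuple[str, str, str, str]] = []
    seen = set()
    for comp in bom.get("components", []):
        coords = coordinates(comp)
        if coords is None:
            continue  # unparseable entry; a real tool should report these separately
        group, name, version = coords
        label = is_flagged(group, name, version, watch_list)
        if label and coords not in seen:
            seen.add(coords)
            findings.append((group, name, version, label))
    return findings


if __name__ == "__main__":
    for group, name, version, label in scan_sbom(SAMPLE_SBOM):
        print(f"{label}: {group}:{name}:{version}")
```

The watch list is deliberately keyed on group and artifact prefix rather than on exact names, since a framework like Spring ships many artifacts and an advisory rarely names all of them; once a vendor publishes a fixed version, filling in `fixed_in` turns the broad inventory match into a precise "below the fix" check.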

Travis Biehn, Principal Consultant, Synopsys Software Integrity Group:

“Vulnerabilities impacting two separate Spring projects have made the rounds on Twitter and vendor blogs – both of them are high impact remote execution vulnerabilities with many public examples of exploit code.”

“The CVE-2022-22963 disclosure vaguely mentions that attackers can gain access to local resources. While that may technically be accurate, many are arguing that the severity is understated as it could allow remote code execution. This is a must-update-to-patch-and-fix vulnerability. Fortunately, there’s a fix available today.”

“Much more nebulous is a second vulnerability in the more popular Spring Core which, among many other factors, has been recently confirmed as a remote code execution vulnerability without any available patch. Spring4Shell was initially derided by many in the security industry as ‘fake news’ or ‘a misunderstanding’ of commits. These earlier dismissals have been proven wrong, as multiple independent security researchers have stepped up to say that the bug is real and it is exploitable. Combined with early confident disinformation, there is no patch for this vulnerability.”

“When fixes are made available, will decision makers remember Spring4Shell as fake news or a real problem?”

“CVE-2022-22963 is what happens when responsible disclosure is followed – a vendor can minimize the importance of a vulnerability, making it harder to act on. Spring4Shell is what happens when responsible disclosure processes aren’t followed – the lack of immediate and fully vetted credible information in a sea of strong personalities makes an already hard job seem impossible.”