The public disclosure of many vulnerabilities affecting the widely used Spring Java framework has caused consternation and fears that corporations may be forced to cope with a weakness comparable to the infamous Log4Shell flaw.
VMware-owned Spring has been dubbed “the most popular Java framework on the planet.” Spring is a Java programming framework that aims to boost speed and productivity.
On Wednesday, the cybersecurity world went into a panic as a Chinese researcher released a proof-of-concept (PoC) attack for a remote code execution vulnerability in the Spring framework’s Core module.
Although the proof-of-concept exploit has since been withdrawn, researchers who have examined it have confirmed that it targets an unpatched hole that may be exploited without authentication. The defect has been assigned a CVSS score of 10, but there is no CVE identifier.
The zero-day vulnerability, called Spring4Shell and SpringShell, appears to be the consequence of a bypass for an earlier security weakness listed as CVE-2010-1622, according to cybersecurity firm Praetorian.
Many in the cybersecurity sector cautioned that once the world learned about Spring4Shell, it could turn out to be much worse than the Log4j issue known as Log4Shell, which has been used in numerous attacks by both profit-driven cybercriminals and state-sponsored threat actors. The apparent ease of exploitation and the broad use of Spring have prompted concerns.
However, a closer examination indicated that businesses may not need to be concerned about Spring4Shell. While the Chinese researcher’s proof-of-concept exploit works, it only works with specific settings and Java 9 and subsequent versions. It’s still unclear how many apps are vulnerable to cyber-attacks.
The leaked PoC for this one does not work on an out of the box install. It relies on essentially introducing a vulnerability.
So far this continues to look like a vulnerability hype train without a real world risk.
— Kevin Beaumont (@GossiTheDog) March 30, 2022
Can confirm! The #Spring4Shell exploit in the wild appears to work against the stock “Handling Form Submission” sample code from https://t.co/dt05rTPbGQ
If the sample code is vulnerable, then I suspect there are indeed real-world apps out there that are vulnerable to RCE… https://t.co/PFXoIusFcT pic.twitter.com/2gydOJk10Y
— Will Dormann (@wdormann) March 31, 2022
Two other Spring security weaknesses were disclosed and patched this week, adding to the confusion around the Spring4Shell issue. One of them, identified as CVE-2022-22963, is a medium-severity vulnerability in Spring Cloud Function that can be used to access local resources.
CVE-2022-22950, the second Spring flaw disclosed this week, is a medium-severity DoS flaw affecting the Spring Framework. Both weaknesses can be exploited using specially crafted Spring Expression Language (SpEL) expressions.
CVE-2022-22963 and CVE-2022-22950 have been falsely connected to the Spring4Shell vulnerability by many, including several cybersecurity firms.
Since March 27, Akamai has witnessed exploitation attempts from attackers and bug bounty hunters, although the firm appears to be referring to CVE-2022-22963, not the Spring4Shell issue. Akamai has been contacted for more information.
There are also unsubstantiated allegations of Spring4Shell being actively exploited in attacks, although these assertions should be taken with a grain of salt considering the ambiguity surrounding the vulnerability.
On Wednesday, Rapid7 stated it had not seen any indication of exploitation in the wild, while Flashpoint said it had “yet to notice exploitation efforts, or threat actor contacts, referencing the SpringShell vulnerability.”
There are interim mitigations that can be applied to avoid attacks until a fix for Spring4Shell is ready.