Researchers have discovered the critical vulnerability Spring4Shell in the popular Java framework Spring. Kaspersky experts explain how it works, why it is so dangerous, and how to protect yourself. They also explain why it has nothing to do with Log4Shell or Log4j.
Researchers have discovered a critical vulnerability (CVE-2022-22965) in Spring, the open source framework for the Java platform. Details about the vulnerability were leaked to the public before the official announcement was made and the corresponding patches were released.
The vulnerability immediately drew the attention of information security specialists, as it potentially poses a serious threat to many web applications. By analogy with the much-hyped zero-day Log4Shell vulnerability, the newly discovered vulnerability was named Spring4Shell.
Spring4Shell patches already in circulation
The developers of the VMware Spring framework have already released patches for vulnerable applications. We therefore recommend that all companies using Spring Framework versions 5.3 and 5.2 upgrade to versions 5.3.18 or 5.2.20 immediately.
What is Spring4Shell & why is the vulnerability so dangerous?
The vulnerability belongs to the RCE (Remote Code Execution) category and allows attackers to execute malicious code remotely. According to the CVSS v3.0 rating system, the vulnerability currently has a severity of 9.8/10 and affects Spring MVC and Spring WebFlux applications running on Java Development Kit version 9 or higher.
Researchers reported the discovered vulnerability to VMware on Tuesday night, but a proof-of-concept for the vulnerability was published on GitHub on Wednesday. The PoC was quickly removed, but only after security experts became aware of it. It is highly unlikely that an exploit of this caliber would have gone unnoticed by cybercriminals.
Spring framework popular with developers
The Spring framework is very popular with Java developers, which means that potentially many applications could be affected by the vulnerability. According to a post by Bleeping Computer, Spring4Shell-vulnerable Java applications could become the root cause of compromise for a large number of servers. According to the same post, the vulnerability is already being actively exploited by cybercriminals.
More technical details and indicators of compromise for the Spring4Shell exploits can be read in our blog post on Securelist. In the same post you can also find details on another critical vulnerability in the Spring Java Framework (CVE-2022-22963).
Exploiting the Spring4Shell vulnerability
The only known Spring4Shell exploit method at the time of publication requires a combination of several factors. For a successful exploit, the following components would all need to be present on the attacked side:
- Java Development Kit version 9 or newer;
- Apache Tomcat as servlet container;
- File format WAR (Web Application Resource) instead of the standard JAR;
- spring-webmvc or spring-webflux dependencies;
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older.
However, it is quite possible that there are other previously unknown exploits and that the vulnerability can be exploited in other ways.
How to protect yourself from Spring4Shell
- The number one piece of advice for anyone using the Spring framework is to upgrade to the secure 5.3.18 or 5.2.20 versions.
- The Apache Software Foundation has also released patched versions of Apache Tomcat 10.0.20, 9.0.62 and 8.5.78.
- Also, the Spring developers have released patched versions 2.5.12 and 2.6.6 of Spring Boot, which depend on the patched Spring Framework version 5.3.18.
If you are unable to update the above software for any reason, you should follow the workarounds described on the official Spring website.
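As an added example (not Kaspersky's code and not the Spring project's own tooling), the following script turns the two lists above into an inventory check for a single deployment: it reads the entry names of a deployed archive to decide whether it is a WAR or a JAR and which spring-webmvc/spring-webflux version it ships, maps the JDK version string to a major release, and compares Spring and Apache Tomcat versions against the patched releases named in this article (5.3.18/5.2.20 and 10.0.20/9.0.62/8.5.78). The archive it inspects is constructed in memory for the demonstration; the function names and the conservative choice to treat unknown Tomcat branches as unpatched are this example's own assumptions, and "all_met" only means that every precondition listed above holds, not that the host is exploitable.

```python
"""Inventory check for the Spring4Shell (CVE-2022-22965) preconditions.

Added example: not Kaspersky's or the Spring project's code. Compares a
deployment against the conditions listed in the article (JDK 9+, Tomcat,
WAR packaging, spring-webmvc/webflux, unpatched Spring) and flags a Tomcat
that is below the patched release of its branch.
"""
import io
import re
import zipfile
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Patched releases named in the article; anything lower on the same branch is unpatched.
SPRING_FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
TOMCAT_FIXED = {(10, 0): (10, 0, 20), (9, 0): (9, 0, 62), (8, 5): (8, 5, 78)}

# Matches WEB-INF/lib/spring-webmvc-5.3.17.jar or spring-webflux-5.2.19.RELEASE.jar
SPRING_JAR_RE = re.compile(
    r"(?:^|/)spring-(webmvc|webflux)-(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z0-9]+)?\.jar$"
)


def parse_version(text: str) -> Version:
    """'5.3.17', '5.2.19.RELEASE' and '1.8.0_292' all become integer tuples."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    return tuple(int(part) for part in match.groups() if part is not None)


def jdk_major(java_version: str) -> int:
    """Map a 'java -version' string to its major release: '1.8.0_292' -> 8, '11.0.14' -> 11."""
    parts = parse_version(java_version)
    return parts[1] if parts[0] == 1 and len(parts) > 1 else parts[0]


def spring_version_unpatched(version: str) -> bool:
    """True for 5.3.0-5.3.17, 5.2.0-5.2.19 and anything older, as the article lists."""
    v = parse_version(version)
    fixed = SPRING_FIXED.get(v[:2])
    if fixed is not None:
        return v < fixed
    return v < (5, 2, 0)


def tomcat_unpatched(version: str) -> bool:
    """True below the patched release of a known branch; unknown branches are assumed unpatched."""
    v = parse_version(version)
    fixed = TOMCAT_FIXED.get(v[:2])
    return v < fixed if fixed is not None else True


def inspect_artifact(archive: bytes) -> Dict[str, object]:
    """Work out the packaging (WAR has WEB-INF/) and the Spring web dependency shipped inside."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
    packaging = "war" if any(n.startswith("WEB-INF/") for n in names) else "jar"
    spring: Optional[Tuple[str, str]] = None
    for name in names:
        m = SPRING_JAR_RE.search(name)
        if m:
            spring = (f"spring-{m.group(1)}", ".".join(m.group(2, 3, 4)))
            break
    return {"packaging": packaging, "spring_dependency": spring}


def assess(archive: bytes, java_version: str, container: str, container_version: str) -> Dict[str, object]:
    """Report which of the article's preconditions hold; 'all_met' means every one of them does."""
    info = inspect_artifact(archive)
    dep = info["spring_dependency"]
    is_tomcat = container.lower() == "tomcat"
    conditions = {
        "jdk_9_or_newer": jdk_major(java_version) >= 9,
        "apache_tomcat": is_tomcat,
        "war_packaging": info["packaging"] == "war",
        "spring_web_dependency": dep is not None,
        "spring_unpatched": dep is not None and spring_version_unpatched(dep[1]),
    }
    return {
        **conditions,
        "all_met": all(conditions.values()),
        "tomcat_unpatched": is_tomcat and tomcat_unpatched(container_version),
        "detail": info,
    }


def build_sample_archive(lib_dir: str, spring_jar: str) -> bytes:
    """Constructed archive carrying only the entry names a real WAR or Boot JAR would have."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(f"{lib_dir}/{spring_jar}", b"")  # jar body left empty on purpose
    return buf.getvalue()


if __name__ == "__main__":
    war = build_sample_archive("WEB-INF/lib", "spring-webmvc-5.3.17.jar")
    for key, value in assess(war, "11.0.14", "Tomcat", "9.0.58").items():
        print(f"{key}: {value}")
```

In practice the archive bytes come from the deployed WAR under Tomcat's webapps directory and the version strings from `java -version` and the container's release notes; a Spring Boot fat JAR fails the WAR precondition but is still reported as shipping an unpatched Spring, which is the case the upgrade advice for Spring Boot 2.5.12 and 2.6.6 covers.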
To minimize the risk of a successful attack, we recommend that you protect all servers and all other computers connected to the Internet with a trusted security solution. If you are already using a Kaspersky security solution, make sure that the Advanced Exploit Prevention and Network Attack Blocker modules are enabled.
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/