Vulnerabilities in Spring Cloud, Spring Core and Spring4Shell

Tenable news


Tenable explains the new vulnerabilities in Spring Cloud and Spring Core, the latter also known as Spring4Shell, which have nothing to do with Log4j or Log4Shell even though the name suggests a connection. Spring4Shell remains unpatched as of now, making it a zero-day vulnerability.

Satnam Narang, Staff Research Engineer at Tenable, discusses the differences between two vulnerabilities that are making the news right now: Spring Cloud and Spring Core (aka Spring4Shell). He has also published a blog post with an FAQ about Spring4Shell.

Spring4Shell has nothing to do with Log4Shell

“On March 29, VMware released an advisory for a vulnerability in Spring Cloud Function (CVE-2022-22963), a framework for implementing business logic over functions. The vulnerability currently has a CVSSv3 rating of 5.4. However, since the vulnerability is considered a remote code execution flaw that can be exploited by an unauthenticated attacker, the CVSSv3 assessment does not appear to reflect the true impact of this flaw.

Both vulnerabilities are critical

There have been reports linking CVE-2022-22963 to a separate alleged remote code execution vulnerability in Spring Core, dubbed Spring4Shell or SpringShell. Spring4Shell has not been assigned a CVE, adding to the confusion. Although both vulnerabilities are critical remote code execution vulnerabilities, they are two different vulnerabilities affecting different applications:

CVE-2022-22963 exists in Spring Cloud Function, a serverless framework that is part of Spring Cloud, while
Spring4Shell is included in the Spring Framework, a programming and configuration model for Java-based enterprise applications.

Spring4Shell is not as widespread as Log4Shell

Despite the naming convention that bears a resemblance to Log4Shell, Spring4Shell is unrelated and doesn't appear to be as big as Log4Shell. Spring4Shell has some non-standard configuration requirements, although it's unclear which applications implement them. Just like Log4Shell, it will take some time before we know the full scope and impact of Spring4Shell, but we can say that it will not be as significant as Log4Shell.

Patches exist for CVE-2022-22963 and are available for specific versions of Spring Cloud Function. As of this writing, there is no patch for Spring4Shell, making it zero-day. We expect more details to come to light shortly.”

More at Tenable.com

About Tenable

Tenable is a Cyber Exposure company. Over 24,000 companies worldwide trust Tenable to understand and reduce cyber risk. The creators of Nessus have combined their vulnerability expertise in Tenable.io, delivering the industry's first platform that provides real-time visibility into and secures any asset on any computing platform. Tenable's customer base includes 53 percent of the Fortune 500, 29 percent of the Global 2000, and large government agencies.
