Tenable explains the two new vulnerabilities in Spring Cloud and Spring Core (the latter also known as Spring4Shell), which have nothing to do with Log4j or Log4Shell, even if the name suggests it. Spring4Shell remains unpatched as of now, making it a zero-day vulnerability.
Satnam Narang, Staff Research Engineer at Tenable, discusses the differences between two vulnerabilities that are making the news right now: Spring Cloud and Spring Core (aka Spring4Shell). He also provides a blog post with an FAQ about Spring4Shell.
Spring4Shell has nothing to do with Log4Shell
“On March 29, VMware released an advisory for a vulnerability in Spring Cloud Function (CVE-2022-22963), a framework for implementing business logic over functions. The vulnerability currently has a CVSSv3 rating of 5.4. However, since the vulnerability is considered a remote code execution flaw that can be exploited by an unauthenticated attacker, the CVSSv3 assessment does not appear to reflect the true impact of this flaw.
Both vulnerabilities are critical
There have been reports linking CVE-2022-22963 to a separate alleged remote code execution vulnerability in Spring Core, dubbed Spring4Shell or SpringShell. Spring4Shell has not been assigned a CVE, adding to the confusion. Although both vulnerabilities are critical remote code execution vulnerabilities, they are two different vulnerabilities affecting different applications:
CVE-2022-22963 exists in Spring Cloud Function, a serverless framework that is part of Spring Cloud, while
Spring4Shell is included in the Spring Framework, a programming and configuration model for Java-based enterprise applications.
Spring4Shell not as widespread as Log4Shell
Despite the naming convention that bears a resemblance to Log4Shell, Spring4Shell is unrelated and doesn't appear to be as big as Log4Shell. Spring4Shell has some non-standard configuration requirements, although it's unclear which applications implement them. Just like Log4Shell, it will take some time before we know the full scope and impact of Spring4Shell, but we can say that it will not be as significant as Log4Shell.
Patches exist for CVE-2022-22963 and are available for specific versions of Spring Cloud Function. As of this writing, there is no patch for Spring4Shell, making it a zero-day. We expect more details to come to light shortly.”
More at Tenable.com
About Tenable
Tenable is a Cyber Exposure company. Over 24,000 companies worldwide trust Tenable to understand and reduce cyber risk. The inventors of Nessus have combined their vulnerability expertise in Tenable.io, delivering the industry's first platform that provides real-time visibility into and secures any asset on any computing platform. Tenable's customer base includes 53 percent of the Fortune 500, 29 percent of the Global 2000, and large government agencies.