Spring4Shell: Spring Flaws Lead to Confusion, Concerns of New Log4Shell-Like Threat
The disclosure of several vulnerabilities affecting the widely used Spring Java framework has led to confusion and concerns that organizations may need to deal with a flaw similar to the notorious Log4Shell.
VMware-owned Spring has been described as the world’s most popular Java framework. Spring is designed to increase speed and productivity by making Java programming easier.
The cybersecurity community started to panic on Wednesday after a Chinese researcher recently made available a proof-of-concept (PoC) exploit for a remote code execution vulnerability affecting the Spring framework’s Core module.
The PoC exploit has since been removed, but researchers who have analyzed it have confirmed that it targets what appears to be an unpatched flaw that can be exploited without authentication. A CVSS score of 10 has been assigned to the bug, but there is no CVE identifier.
Cybersecurity company Praetorian reported that the zero-day vulnerability, which has been dubbed Spring4Shell and SpringShell, appears to be the result of a bypass for an old security hole tracked as CVE-2010-1622.
After the world learned about the existence of Spring4Shell, many in the cybersecurity community warned that the vulnerability could turn out to be worse than the Log4j flaw known as Log4Shell, which has been exploited in many attacks by both profit-driven cybercriminals and state-sponsored threat actors. Concerns were raised due to the apparent ease of exploitation and the widespread use of Spring.
However, a closer analysis revealed that organizations might not need to panic over Spring4Shell. While the PoC exploit released by the Chinese researcher does work, it only works against certain configurations and versions of Java 9 and newer. It’s still unclear how many applications are actually vulnerable to attacks.
The confusion surrounding the Spring4Shell vulnerability is made worse by two other Spring security holes that were disclosed and patched this week. One of them, tracked as CVE-2022-22963, has been described as a medium-severity issue in Spring Cloud Function that can be exploited to access local resources.
The second Spring vulnerability disclosed this week, CVE-2022-22950, is a medium-severity DoS flaw affecting the Spring Framework. Both flaws can be exploited using specially crafted Spring Expression Language (SpEL) expressions.
Many, including some cybersecurity firms, have incorrectly linked CVE-2022-22963 and CVE-2022-22950 to the Spring4Shell vulnerability.
Akamai told SecurityWeek that it had seen exploitation attempts by attackers and bug bounty hunters since March 27, but the company seems to be referring to CVE-2022-22963, not the vulnerability tracked as Spring4Shell. Akamai has been contacted for clarifications.
There are also other unconfirmed reports of Spring4Shell being actively exploited in attacks, but given the confusion surrounding the vulnerability, these claims should be taken with a grain of salt.
Rapid7 said on Wednesday that it had not seen evidence of exploitation in the wild, and Flashpoint said it had “yet to observe exploitation attempts, or threat actor communications, regarding the SpringShell vulnerability.”
Until a patch becomes available for Spring4Shell, there are temporary mitigations that can be implemented to prevent attacks.