Recently, two vulnerabilities were announced within the Spring Framework, an open-source framework for building enterprise Java applications. On March 29, 2022, the Spring Cloud Expression Resource Access Vulnerability tracked in CVE-2022-22963 was patched with the release of Spring Cloud Function 3.1.7 and 3.2.3. Two days later on March 31, 2022, Spring released version 5.3.18 and 5.2.20 of Spring Framework to patch another more severe vulnerability tracked in CVE-2022-22965. The CVE-2022-22965 vulnerability allows an attacker unauthenticated remote code execution (RCE), which Unit 42 has observed being exploited in the wild. The exploitation of this vulnerability could result in a webshell being installed onto the compromised server that allows further command execution.
Because the Spring Framework is widely used for web system development and the severity of the vulnerability is critical (CVSS score of 9.8), CVE-2022-22965 is given the name SpringShell (and/or Spring4Shell) by the infosec community.
The zero-day remote code execution (RCE) vulnerability has come to light in the Spring framework shortly after a Chinese security researcher briefly leaked a proof-of-concept (PoC) exploit on GitHub before deleting their account.
According to cybersecurity firm Praetorian, the unpatched flaw impacts Spring Core on Java Development Kit (JDK) versions 9 and later and is a bypass for another vulnerability tracked as CVE-2010-1622, enabling an unauthenticated attacker to execute arbitrary code on the target system.
Spring is a software framework for building Java applications, including web apps on top of the Java EE (Enterprise Edition) platform.
“In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted HTTP request to a vulnerable system,” researchers Anthony Weems and Dallas Kaman said. “However, exploitation of different configurations will require the attacker to do additional research to find payloads that will be effective.”
Additional details of the flaw, dubbed “SpringShell” and “Spring4Shell,” have been withheld to prevent exploitation attempts and until a fix is in place by the framework’s maintainers, Spring.io, a subsidiary of VMware. It’s also yet to be assigned a Common Vulnerabilities and Exposures (CVE) identifier.
It’s worth noting that the flaw targeted by the zero-day exploit is different from two previous vulnerabilities disclosed in the application framework this week, including the Spring Framework expression DoS vulnerability (CVE-2022-22950) and the Spring Cloud expression resource access vulnerability (CVE-2022-22963).
Some security experts are tagging this zero-day similar to the log4jshell crisis we met few months back.
If you would like to hear about the latest on cybersecurity, subscribe to our newsletter, follow us on LinkedIn and share the informative articles with your followers on social media.
