Spring4Shell zero-day sprung on security teams

Some are describing a newly disclosed Spring Java framework vulnerability as the next Log4Shell, but what is Spring4Shell, and what can we do about it?

Security researchers and analysts have been poring over a newly uncovered remote code execution (RCE) zero-day vulnerability in the Spring Framework that is being compared by some to Log4Shell in its severity.

Predictably dubbed Spring4Shell or SpringShell in some quarters, it bypasses the fix for a previously known vulnerability tracked as CVE-2010-1622. It affects any application built on the Spring Core logging element, and anyone using software built on Spring, a widely popular framework comparable in scale to Apache Struts.

The vulnerability can only be exploited where Java Development Kit (JDK) 9 or later is in use; if exploited, it ultimately allows an unauthenticated actor to execute arbitrary code on the target system.

According to Anthony Weems and Dallas Kaman of Praetorian, who were among the first to confirm the vulnerability’s validity, exploitation is comparatively trivial, “as it only requires an attacker to send a crafted HTTP request to a vulnerable system” in some configurations. Exploitation of different configurations will require the attacker to do additional research to find effective payloads, they added.

No patch exists and a public proof-of-concept exploit was swiftly made available, so it is to be anticipated that Spring4Shell will be used in attacks imminently, and probably already has been. Praetorian’s team have issued a temporary mitigation, more details of which can be found in Weems and Kaman’s disclosure notice.

Brian Fox, CTO at Sonatype, whose team has also been investigating Spring4Shell in the past 24 hours, said comparisons with Log4Shell were understandable, but the vulnerability may ultimately not prove as impactful.

“The new vulnerability does seem to allow unauthenticated RCE, but at the same time has mitigations and is not currently at the level of impact of Log4j,” Fox told Computer Weekly in emailed comments.

“We are continuing to look into this to determine how it will shake out, however. We can appreciate the recent Log4shell memory is rightfully causing anxiety in the industry, as Spring is one of the most popular software frameworks out there. Regardless, this should act as another reason for every organisation to take stock of how they are managing their third-party components.”

ExtraHop CISO Jeff Costlow added: “When zero-day exploits like Spring4Shell come to light, organisations are immediately thrust into panic mode, scrambling to determine the potential blast radius of vulnerability.

“Security teams need to immediately understand what software and devices might be affected and identify whether there are any vulnerable devices in their environment. This can be remarkably challenging because many organisations struggle to maintain an up-to-date inventory of devices in their environment, let alone have the ability to detect software types and versions running on their business devices.”

At the same time, confusion has arisen over a separate vulnerability, reported as CVE-2022-22963, an RCE vulnerability in VMware’s Spring Cloud Function – with some having conflated the two.

According to VMware, CVE-2022-22963 affects versions 3.1.6 and 3.2.2, and older unsupported versions of Spring Cloud Function. It enables a malicious actor to provide a specially crafted Spring Expression Language (SpEL) as a routing expression when using routing functionality, which may give them access to local resources. Releases 3.1.7 and 3.2.3 fix it, so users should upgrade as soon as practical.

Travis Biehn, principal security consultant at Synopsys, said the confusion and the conflation of the two vulnerabilities spoke to wider issues around how disclosures are made and spread within the online cyber community.

He suggested that the severity rating applied to CVE-2022-22963 by VMware may understate its potential impact, while the fact that many influential voices in the community had “initially derided” Spring4Shell as fake news or a simple misunderstanding, might leave defenders at sixes and sevens.

“CVE-2022-22963 is what happens when responsible disclosure is followed – a vendor can minimise the importance of a vulnerability, making it harder to act on,” said Biehn. “Spring4Shell is what happens when responsible disclosure processes aren’t followed – the lack of immediate and fully vetted credible information in a sea of strong personalities makes an already hard job seem impossible.”