An unauthenticated remote code execution vulnerability has been publicly disclosed in the Spring Core Java framework.
CVE-2022-22965, dubbed Spring4Shell, is a Critical vulnerability with publicly available and valid Proof-of-Concept code.
CVSS 3.1: 9.8 (base) / 8.5 (temporal) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:R
Initially there was some hype that this vulnerability could be a repeat of Log4Shell. Reports had stated that all versions of Spring Core on JDK 9+ were vulnerable. However researchers later determined that Spring Core must be deployed in a particular way to be vulnerable.
Spring also issues the following requirements for successful exploitation:
– JDK 9 or higher
– Apache Tomcat as the Servlet container
– Packaged as WAR
– spring-webmvc or spring-webflux dependency
“If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit,” the statement reads.
As the story evolves in this case we will update our spotit bulletin.
Spring has updated Spring Framework to 5.3.18 and 5.2.20 to patch the vulnerability. Spring Boot which includes Spring Framework has also been updated to 2.6.6 and 2.5.12.
Palo Alto Networks published an in-depth report on Spring4Shell and advice that NGFW’s with a Threat Prevention subscription can block traffic related to this vulnerability.
A separate vulnerability was also disclosed in Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions. CVE-2022-22963 is a Critical remote code execution vulnerability and we will also update this bulletin should this case evolve further.