Spring4Shell & SpringShell: Critical Alert

Thursday 28th April 2022

Summary
 
Two critical vulnerabilities have recently been discovered (and patched) in the popular Java application development framework known as Spring Framework. They are tracked as CVE-2022-22965 and CVE-2022-22963.
 
There are reports that this vulnerability is being exploited by attackers. On Friday 8th April, Trend Micro confirmed that it is being used to download and execute the Mirai botnet malware.
 
The vulnerabilities can be used for Remote Code Execution (RCE) against the Spring Framework. The Spring Framework is used to develop enterprise applications in Java and provides a working platform to support MVC (model-view-controller) based applications.
 
As with all vulnerabilities, certain requirements must be met for exploitation to succeed. At the time of writing, these are:
 
Spring Framework versions before 5.2.20 or 5.3.18, running on JDK 9 or higher
Apache Tomcat as the Servlet container
A spring-webmvc or spring-webflux dependency
Packaged as a Web Application Archive (WAR)
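
To help triage deployments against the requirements listed above, the following added example (not code from Spring or from this advisory) inspects a WAR file for the Spring artifacts and versions named in the list. It assumes versions can be read from jar file names under WEB-INF/lib; the function names and the sample WAR are constructed for illustration, and the JDK version and Servlet container still have to be checked on the host.

```python
import io
import re
import zipfile

# Fixed releases named in the advisory above, keyed by release line.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
JAR_RE = re.compile(r"WEB-INF/lib/(spring-(?:beans|webmvc|webflux))-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")


def spring_version_affected(version):
    """True if a (major, minor, patch) tuple predates the fixed release of its line."""
    fixed = FIXED.get(version[:2])
    if fixed is not None:
        return version < fixed
    # Assumption: other release lines are compared against the oldest fixed release.
    return version < (5, 2, 20)


def triage_war(war_bytes):
    """Inspect a WAR (as bytes) for the packaging preconditions in the advisory.

    Assumption: versions are read from jar names under WEB-INF/lib (the usual
    Maven/Gradle layout); shaded or renamed jars will not be detected.
    The JDK and the Servlet container are runtime properties, not visible here.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.match(name)
            if m:
                found[m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    web = [a for a in ("spring-webmvc", "spring-webflux") if a in found]
    affected = bool(web) and any(spring_version_affected(v) for v in found.values())
    return {"artifacts": found, "web_dependency": web, "needs_upgrade": affected}


def build_sample_war(version):
    """Constructed sample: an in-memory WAR containing empty, correctly named jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for artifact in ("spring-beans", "spring-webmvc"):
            war.writestr(f"WEB-INF/lib/{artifact}-{version}.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("5.3.17", "5.3.18", "5.2.19.RELEASE"):
        print(v, triage_war(build_sample_war(v))["needs_upgrade"])
```

A WAR flagged with needs_upgrade meets the packaging and version requirements only; whether it is exposed also depends on the JDK and Tomcat conditions in the list.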
 
Mitigation Guidance
 
According to the official Spring release on this vulnerability, the preferred option is to update the Spring Framework to version 5.3.18 or 5.2.20, or higher. Where upgrading is not possible, or not possible within a reasonable time frame, the following can be considered instead: upgrading Apache Tomcat, downgrading to Java 8, or disallowing fields (disabling binding to fields).
 

Please note that details of this vulnerability were leaked ahead of the CVE publication, so you may find similar articles online that are dated prior to the 1st April. You will also find that the Spring Framework patches were released on the 31st of May.

Please reach out to your Bytes Account Manager if you have any questions or require further information.
 

