The recent Spring4Shell vulnerability is serious, but is it the next Log4Shell? This post summarizes what we know so far, how you can mitigate the vulnerability, and what to expect in the coming days.
Understand your Spring4Shell Risk
A remote code execution vulnerability identified as CVE-2022-22965 was confirmed in the Spring Framework, the most popular Java framework used to build server-side apps. Not to be confused with CVE-2022-22963 (a different RCE affecting Spring Cloud Functions that surfaced at roughly the same time), this new RCE is being discussed under the name “Spring4Shell.” While the Spring4Shell vulnerability is serious and absolutely needs patching, the current exploits circulating rely on criteria that are not the defaults for most modern Spring applications. Log4Shell, by comparison, also affected the Java ecosystem but was more widely exploitable.
Patches and additional information from Spring are provided here. As always, it is a good idea to patch these vulnerabilities, but a key first step is determining the level of risk for your organization.
The first question that organizations should ask is: Do I run my Java Spring Boot web applications as a standalone app (i.e. using a command like java -jar myspring-boot-app-1.0.1.jar)? If the answer is yes, the currently circulating exploits are not applicable. These exploits rely on the ability to manipulate the class loader used when running in a Tomcat servlet container, which is different from the more limited class loader used in a standalone app. That said, organizations should still make a plan to patch as per standard best practices – the underlying issue is still present and could be exploited in as yet undiscovered ways.
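As an added illustration of that first triage question (example code, not Invicti's tooling), the POSIX shell helper below reads JVM command lines, labels each as standalone (java -jar) or servlet container (Tomcat's Bootstrap class), and reports the spring-core version when a spring-core-<version>.jar is visible on the classpath. The three sample command lines are constructed so it runs offline; the Tomcat paths and the version numbers in them are made up.

```shell
# Constructed sample of `ps -eo args=` output (not real hosts or versions).
SAMPLE_PS='java -jar myspring-boot-app-1.0.1.jar
/usr/lib/jvm/java-11/bin/java -Dcatalina.home=/opt/tomcat -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
java -cp lib/spring-core-5.3.17.jar:lib/app.jar com.example.Main'

# Deployment mode of one JVM command line: the container check comes first,
# because a Tomcat bootstrap line may also mention .jar files.
deploy_mode() {
  case "$1" in
    *org.apache.catalina.startup.Bootstrap*) echo container ;;
    *" -jar "*) echo standalone ;;
    *) echo unknown ;;
  esac
}

# spring-core version from a spring-core-<version>.jar on the command line,
# or "unknown". Fat jars bundle it under BOOT-INF/lib instead, so for a
# standalone jar inspect it with: unzip -l app.jar | grep spring-core
spring_core_version() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*spring-core-\([^/: ]*\)\.jar.*/\1/p')
  if [ -n "$v" ]; then echo "$v"; else echo unknown; fi
}

# One-line verdict per the criteria in the post: standalone jars are outside
# the circulating exploits but still need the patch; container deployments
# should be patched first; anything else needs a manual look.
triage() {
  mode=$(deploy_mode "$1")
  ver=$(spring_core_version "$1")
  case "$mode" in
    standalone) echo "standalone spring-core=$ver: circulating exploits not applicable; schedule patch" ;;
    container)  echo "container spring-core=$ver: in scope for circulating exploits; patch first" ;;
    *)          echo "unknown spring-core=$ver: review manually" ;;
  esac
}

# Triage every java command line in the given text (defaults to the sample).
triage_all() {
  input=${1:-$SAMPLE_PS}
  printf '%s\n' "$input" | grep -i java | while IFS= read -r line; do
    triage "$line"
  done
}

triage_all
```

On a Linux host, run it against live processes with triage_all "$(ps -eo args=)"; the version comparison against Spring's fixed releases is left to the reader, using the advisory linked above.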
The Invicti security team is working on custom security checks to ensure our customers’ web applications mitigate the potential risk of the circulating Spring4Shell vulnerability and take appropriate action if necessary. We have also confirmed that our products do not use the Spring framework and are not directly affected. We will continue to post here as we learn more about Spring4Shell, and as the Spring4Shell security checks in Invicti and Acunetix are released.