Understanding your Spring4Shell Risk | Invicti

Invicti Security Team – Thu, 31 Mar 2022 –

The recent Spring4Shell vulnerability is serious, but is it the next Log4Shell? This post summarizes what we know so far, how you can mitigate the vulnerability, and what to expect in the coming days.


Understand your Spring4Shell Risk

A remote code execution vulnerability identified as CVE-2022-22965 was confirmed in the Spring Framework, the most widely used Java framework for building server-side applications. It should not be confused with CVE-2022-22963, a different RCE in Spring Cloud Function that surfaced at roughly the same time. This new RCE is being discussed under the name “Spring4Shell.” While the Spring4Shell vulnerability is serious and absolutely needs patching, the exploits currently circulating depend on a deployment configuration that is not the default for most modern Spring applications. Log4Shell, by comparison, also affected the Java ecosystem but was exploitable in a far broader range of deployments.

Spring has published fixed releases (Spring Framework 5.3.18 and 5.2.20, and Spring Boot 2.6.6 and 2.5.12) together with an advisory describing the vulnerability. As always, these patches should be applied, but a key first step is determining the level of risk for your organization.

The first question that organizations should ask is: Do I run my Spring Boot web applications as standalone executables (i.e. using a command like java -jar myspring-boot-app-1.0.1.jar) rather than as WAR files deployed into a standalone Apache Tomcat? If the answer is yes, the currently circulating exploits are not applicable. Those exploits abuse Spring's request-parameter data binding to reach the class loader via the class.module.classLoader property path (the getModule() accessor exists only on JDK 9 and later, which is why the old guard against class.classLoader did not stop it), and then use Tomcat's WebappClassLoader to reconfigure the access log valve so that it writes a JSP web shell into the web root. Under java -jar, Spring Boot's embedded Tomcat runs on a different class loader that does not expose that path, so the chain does not resolve. That said, organizations should still make a plan to patch as per standard best practices: the underlying issue is still present and could be exploited in as yet undiscovered ways.
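The triage below turns that question into a repeatable check. It is an added example, not Invicti's or Spring's code. It encodes the conditions Spring listed for the circulating exploit (an unpatched Spring Framework, JDK 9 or newer, spring-webmvc or spring-webflux present, and a WAR in a standalone Tomcat) and classifies a deployment accordingly. The Deployment fields and the sample jar names are assumed inputs that an operator would fill from their own inventory.

```python
"""Spring4Shell (CVE-2022-22965) exposure triage for one deployment.

Added example, not Invicti's or Spring's code. It encodes the conditions
Spring listed for the circulating exploit: a Spring Framework build without
the fix, JDK 9 or newer, spring-webmvc or spring-webflux on the classpath,
and a WAR deployed in a standalone Apache Tomcat. A Spring Boot executable
jar (java -jar) runs embedded Tomcat on a different class loader, so the
known exploit chain does not apply there, but the framework still needs
the upgrade.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# First fixed releases from the advisory. 5.3.x below 5.3.18 and 5.2.x below
# 5.2.20 are vulnerable; 5.1 and older are end-of-life and never received a fix.
FIXED_IN = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Spring Framework module jars, e.g. spring-beans-5.3.17.jar or
# spring-webmvc-5.2.19.RELEASE.jar. Spring Boot jars (spring-boot-*) are
# deliberately excluded: their version is not the framework version.
JAR_RE = re.compile(
    r"^spring-(?P<artifact>beans|core|context|web|webmvc|webflux)"
    r"-(?P<ver>\d+\.\d+\.\d+)(?:\.RELEASE)?\.jar$"
)


def parse_version(text: str) -> tuple[int, int, int]:
    major, minor, patch = (int(p) for p in text.split(".")[:3])
    return major, minor, patch


def framework_vulnerable(version: str) -> bool:
    """True if this Spring Framework version lacks the CVE-2022-22965 fix."""
    v = parse_version(version)
    if v[:2] > (5, 3):
        return False  # 6.x and later were cut after the fix
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return True  # 5.1 and older: unsupported, no patched release exists
    return v < fixed


@dataclass
class Deployment:
    """What an operator can collect from a running instance (assumed inputs)."""
    jars: list[str]        # file names under WEB-INF/lib or BOOT-INF/lib
    java_major: int        # runtime JDK major version: 8, 11, 17, ...
    war_on_tomcat: bool    # True for a WAR in standalone Tomcat, False for java -jar


def spring_versions(jars: list[str]) -> dict[str, str]:
    """Map Spring Framework module name -> version for the jars present."""
    found = {}
    for name in jars:
        m = JAR_RE.match(name)
        if m:
            found[m.group("artifact")] = m.group("ver")
    return found


def triage(d: Deployment) -> str:
    modules = spring_versions(d.jars)
    if not modules:
        return "no-spring-framework"
    # spring-beans carries the vulnerable data-binding code; fall back to any module.
    version = modules.get("beans") or next(iter(modules.values()))
    if not framework_vulnerable(version):
        return "patched"
    web_stack = "webmvc" in modules or "webflux" in modules
    # JDK 9+ matters because the exploit reaches the class loader through
    # class.module.classLoader, and Class.getModule() only exists on JDK 9+.
    if d.war_on_tomcat and d.java_major >= 9 and web_stack:
        return "exploitable-by-circulating-pocs"
    return "vulnerable-patch-required"


if __name__ == "__main__":
    # Constructed inventory entries, not from a real scan.
    samples = {
        "WAR on Tomcat, JDK 11": Deployment(
            ["spring-beans-5.3.17.jar", "spring-webmvc-5.3.17.jar"], 11, True),
        "java -jar, JDK 17": Deployment(
            ["spring-beans-5.3.17.jar", "spring-webmvc-5.3.17.jar"], 17, False),
        "WAR on Tomcat, JDK 8": Deployment(
            ["spring-beans-5.3.17.jar", "spring-webmvc-5.3.17.jar"], 8, True),
        "WAR on Tomcat, patched": Deployment(
            ["spring-beans-5.3.18.jar", "spring-webmvc-5.3.18.jar"], 11, True),
    }
    for label, dep in samples.items():
        print(f"{label:24} -> {triage(dep)}")
```

Note that "vulnerable-patch-required" is still a finding: a java -jar deployment or a JDK 8 runtime only takes the known proof-of-concept chain off the table, it does not remove the bug from spring-beans.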

The Invicti security team is working on custom security checks that detect whether our customers' web applications are exposed to the circulating Spring4Shell exploit, so that they can take appropriate action. We have also confirmed that our products do not use the Spring Framework and are not directly affected. We will continue to post here as we learn more about Spring4Shell, and as the Spring4Shell security checks in Invicti and Acunetix are released.

