Understanding your Spring4Shell Risk | Invicti

Invicti Security Team – Thu, 31 Mar 2022 –

The recent Spring4Shell vulnerability is serious, but is it the next Log4Shell? This post summarizes what we know so far, how you can mitigate the vulnerability, and what to expect in the coming days.


Understand your Spring4Shell Risk

A remote code execution vulnerability identified as CVE-2022-22965 was confirmed in the Spring Framework, the most popular Java framework used to build server-side apps. Not to be confused with CVE-2022-22963 (a different RCE affecting Spring Cloud Function that surfaced at roughly the same time), this new RCE is being discussed under the name “Spring4Shell.” While the Spring4Shell vulnerability is serious and absolutely needs patching, the exploits currently circulating rely on conditions that are not the defaults for most modern Spring applications. Log4Shell, by comparison, also affected the Java ecosystem but was more widely exploitable.

Patches and additional information from Spring are provided here. As always, it is a good idea to patch these vulnerabilities, but a key first step is determining the level of risk for your organization.

The first question that organizations should ask is: do I run my Java Spring Boot web applications as a standalone app (i.e., using a command like java -jar myspring-boot-app-1.0.1.jar)? If the answer is yes, the currently circulating exploits are not applicable. These exploits rely on the ability to manipulate the class loader used when running in a Tomcat servlet container, which differs from the more limited class loader used in a standalone app. That said, organizations should still make a plan to patch as per standard best practices – the underlying issue is still present and could be exploited in as yet undiscovered ways.
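The triage question above (standalone jar versus WAR deployed in a Tomcat servlet container) can be answered mechanically for a fleet of artifacts. The script below is an added example written for this post and is not Invicti's or Spring's code: it opens each jar/war as a zip, reads the manifest to tell a Spring Boot executable jar (Main-Class ending in JarLauncher) from a WAR (WEB-INF/ entries), extracts the bundled spring-core version from the nested library name so it can be compared against Spring's advisory, and applies the post's risk statement. The "webapps" directory heuristic for Tomcat deployment, the sample class name com.example.App, and the version numbers in the constructed sample artifacts are assumptions made for the example.

```python
"""Spring4Shell triage helper (added example, not from the original post).

Classifies Spring artifacts by packaging and deployment location and reports
the bundled spring-core version for comparison with Spring's advisory.
"""
import io
import re
import zipfile
from pathlib import Path

# Matches nested library jars such as BOOT-INF/lib/spring-core-<version>.jar
SPRING_CORE_RE = re.compile(r"(?:^|/)spring-core-([0-9][^/]*)\.jar$")


def parse_manifest(text: str) -> dict:
    """Parse META-INF/MANIFEST.MF into a dict, joining continuation lines
    (a leading space continues the previous attribute per the JAR spec)."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current:
            entries[current] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            current = key.strip()
            entries[current] = value.strip()
    return entries


def inspect_artifact(data: bytes) -> dict:
    """Return packaging type and the spring-core version found inside a jar/war."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            manifest = parse_manifest(raw)
    main_class = manifest.get("Main-Class", "")
    if main_class.endswith(".JarLauncher"):          # Spring Boot executable jar
        packaging = "boot-executable-jar"
    elif main_class.endswith(".WarLauncher"):        # Boot WAR: runnable or deployable
        packaging = "boot-executable-war"
    elif any(n.startswith("WEB-INF/") for n in names):
        packaging = "war"
    else:
        packaging = "jar"
    version = None
    for n in names:
        m = SPRING_CORE_RE.search(n)
        if m:
            version = m.group(1)
            break
    return {"packaging": packaging, "spring_core": version, "uses_spring": version is not None}


def triage(info: dict, deployed_in_tomcat: bool) -> str:
    """Apply the post's risk statement to packaging plus deployment model."""
    if not info["uses_spring"]:
        return "no spring-core found: not a Spring Framework application"
    if info["packaging"] == "boot-executable-jar" and not deployed_in_tomcat:
        return "standalone java -jar deployment: circulating exploits not applicable; still patch per advisory"
    if info["packaging"] in ("war", "boot-executable-war") and deployed_in_tomcat:
        return "WAR in Tomcat servlet container: circulating exploits applicable; patch immediately"
    return "deployment model unclear: review manually and patch per advisory"


def scan_dir(root: str) -> list:
    """Walk a directory tree; artifacts under a 'webapps' directory are assumed
    (heuristic for this example) to be deployed in Tomcat."""
    results = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".jar", ".war") and path.is_file():
            info = inspect_artifact(path.read_bytes())
            in_tomcat = "webapps" in path.parts
            results.append((str(path), info, triage(info, in_tomcat)))
    return results


def build_sample(kind: str) -> bytes:
    """Constructed sample artifact for demonstration; version numbers are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if kind == "boot-jar":
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\r\n"
                        "Main-Class: org.springframework.boot.loader.JarLauncher\r\n"
                        "Start-Class: com.example.App\r\n")
            zf.writestr("BOOT-INF/lib/spring-core-1.2.3.jar", b"")
        else:  # plain WAR built for a servlet container
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
            zf.writestr("WEB-INF/web.xml", "<web-app/>")
            zf.writestr("WEB-INF/lib/spring-core-1.2.3.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for kind, in_tomcat in (("boot-jar", False), ("war", True)):
        info = inspect_artifact(build_sample(kind))
        print(kind, info, "->", triage(info, in_tomcat))
```

Run it over a host with `scan_dir("/opt")` (or wherever your artifacts live) to get a per-artifact line you can feed into patch prioritization; a Spring Boot executable WAR is reported separately because it can be run either way, so its deployment location decides the answer.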

The Invicti security team is working on custom security checks to ensure our customers’ web applications mitigate the potential risk of the circulating Spring4Shell vulnerability and take appropriate action if necessary. We have also confirmed that our products do not use the Spring framework and are not directly affected. We will continue to post here as we learn more about Spring4Shell, and as the Spring4Shell security checks in Invicti and Acunetix are released.
