Spring4Shell (CVE-2022-22965) is a critical vulnerability found in Spring, an open source framework for the Java platform. It could allow attackers to take control of your system. Details of the vulnerability were leaked to the public before the patch was released. Fortunately, only a small number of users have been affected.
The VMware developers who maintain the Spring Framework have released patches for vulnerable applications, so we recommend that all companies using Spring Framework 5.3 or 5.2 upgrade immediately to 5.3.18 or 5.2.20 respectively.
Why is the Spring4Shell vulnerability dangerous?
The vulnerability is serious: an attacker can remotely execute malicious code on your site. It is a remote code execution (RCE) flaw, which means an attacker who exploits it can do whatever they want, such as steal credit card numbers or install malware. It specifically affects Spring MVC and Spring WebFlux applications running on Java Development Kit (JDK) version 9 or higher.
Researchers found the exploit and VMware was notified, but sadly not much time passed before a GitHub user published a proof of concept (PoC), which was quickly removed. However, cybercriminals have likely already obtained it. The exploit is so powerful that VMware's developers have been working on a patch since Tuesday night.
According to Bleeping Computer, a great many applications are written with the Spring framework, which means that many web applications could be vulnerable to this new vulnerability. It is being actively exploited in the wild.
Exploiting the Spring4Shell vulnerability
There is currently only one known way to exploit this Spring4Shell vulnerability. That exploitation path requires all of the following:
- Java Development Kit version 9 or later;
- Apache Tomcat as a servlet container;
- packaging as a WAR (Web Application Resource) file instead of the default JAR;
- a dependency on spring-webmvc or spring-webflux;
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older.
It's also quite possible that there are other, as yet unknown, ways to exploit this vulnerability.
Protecting yourself from Spring4Shell
The Apache Software Foundation has released updated versions of the Spring Framework and Apache Tomcat. Anyone using either should upgrade to version 5.3.18 or 5.2.20, both of which contain a fix for this vulnerability. The patch closes the attack vector on the Tomcat side, but not on the Spring side, so you'll also need to make sure that any code you write yourself is secure.
VMware, the developer of Spring, has also released patched versions of Spring Boot, 2.5.12 and 2.6.6, to fix these security vulnerabilities. These releases depend on the patched Spring Framework 5.3.18, which was released recently to fix the same vulnerabilities in all of its modules.
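The following is an added example, not code from the article or from the Spring project: a small inventory check that turns the list of conditions for the known exploitation path above (JDK 9+, Tomcat, WAR packaging, spring-webmvc/spring-webflux, an unpatched framework version) and the patched releases named in this section (Spring Framework 5.3.18 / 5.2.20, Spring Boot 2.5.12 / 2.6.6) into something a defender can run over a list of deployments. The `Deployment` record, the function names and the sample inventory are assumptions made for the example; in practice the records would come from a build manifest or an asset inventory. A deployment whose framework version is unpatched is flagged for patching even when the known exploit path is incomplete, because the article notes that other paths may exist.

```python
"""Added example (not from the original article): flag deployments that
match the Spring4Shell conditions listed in the article and report
whether a Spring Framework / Spring Boot version is below the patched
releases it names."""

from dataclasses import dataclass
from typing import Optional

# Patched releases named in the article, keyed by minor line.
FIXED_FRAMEWORK = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
FIXED_BOOT = {(2, 5): (2, 5, 12), (2, 6): (2, 6, 6)}


def parse_version(text: str) -> tuple:
    """Turn '5.3.17' or '5.3.17.RELEASE' into (5, 3, 17); non-numeric
    qualifiers are dropped so comparisons stay purely numeric."""
    parts = []
    for piece in text.split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def framework_is_vulnerable(version: str) -> bool:
    """True for 5.3.0-5.3.17, 5.2.0-5.2.19 and anything older than 5.2
    (the article's 'or older'); False from 5.3.18 / 5.2.20 upwards."""
    v = parse_version(version)
    fixed = FIXED_FRAMEWORK.get(v[:2])
    if fixed is None:
        # Minor lines before 5.2 never received the fix.
        return v < (5, 2, 0)
    return v < fixed


def boot_is_vulnerable(version: str) -> Optional[bool]:
    """True below Spring Boot 2.5.12 / 2.6.6, False at or above them.
    Returns None for lines the article does not cover: check the
    Spring Framework version those builds pull in directly."""
    v = parse_version(version)
    fixed = FIXED_BOOT.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


@dataclass
class Deployment:          # hypothetical inventory record
    name: str
    jdk_major: int
    container: str         # e.g. "tomcat", "jetty", "none"
    packaging: str         # "war" or "jar"
    spring_framework: str  # e.g. "5.3.17"
    uses_webmvc_or_webflux: bool


def known_exploit_conditions(d: Deployment) -> dict:
    """Evaluate each listed condition separately so the report says
    which ones hold rather than giving a bare yes/no."""
    return {
        "jdk9_or_later": d.jdk_major >= 9,
        "tomcat_container": d.container.lower() == "tomcat",
        "war_packaging": d.packaging.lower() == "war",
        "webmvc_or_webflux": d.uses_webmvc_or_webflux,
        "vulnerable_framework": framework_is_vulnerable(d.spring_framework),
    }


def assess(d: Deployment) -> str:
    """'exposed': every condition of the known exploit path holds.
    'patch': the framework is unpatched but that path is incomplete
    (other paths may exist, so still upgrade). 'ok': framework fixed."""
    conds = known_exploit_conditions(d)
    if all(conds.values()):
        return "exposed"
    if conds["vulnerable_framework"]:
        return "patch"
    return "ok"


# Constructed sample inventory (not real systems).
SAMPLE = [
    Deployment("shop-api", 11, "tomcat", "war", "5.3.17", True),
    Deployment("batch-job", 17, "none", "jar", "5.3.17", False),
    Deployment("portal", 8, "tomcat", "war", "5.2.19", True),
    Deployment("new-svc", 17, "tomcat", "war", "5.3.18", True),
]


def report(deployments=SAMPLE) -> dict:
    """Map each deployment name to its assessment."""
    return {d.name: assess(d) for d in deployments}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name}: {status}")
```

The version comparison deliberately drops qualifiers such as `.RELEASE`, which older Spring artifacts carry, so `5.3.17.RELEASE` is still recognised as unpatched; the Spring Boot check returns `None` for lines the article does not name rather than guessing.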