Threat Advisory

Spring4shell

April 1, 2022 | By Accorian

Hello,

Spring has announced a new zero-day weakness in the Spring Core Java framework: an RCE (Remote Code Execution) that requires no authentication. Spring is an open-source application framework that provides infrastructure support for creating Java applications that can be deployed on servers as discrete packages. Approximately 70 percent of all Java applications use it; hence, any critical vulnerability identified in Spring has a massive impact.

Currently, 2 Remote code execution issues have been confirmed: 

  1. CVE-2022-22965 – On March 29, 2022, a Chinese researcher posted on his Twitter account a POC of a Remote Code Execution vulnerability in the Spring Core Java library. It has been named “Spring4Shell” and has been confirmed by several sources in Spring Core <=5.3.17 and <=5.2.19; the exploit leverages class injection. The impact identified is severe. Patches are now available for Spring4Shell in Spring versions 5.3.18 and 5.2.20.
  2. CVE-2022-22963 – Spring Cloud Function allows a SpEL expression supplied in the spring.cloud.function.routing-expression HTTP request header to be injected and evaluated through StandardEvaluationContext. This vulnerability has been confirmed in Spring Cloud Function <=3.1.6 and <=3.2.2. Patches are now available for this CVE in Spring Cloud Function versions 3.1.7 and 3.2.2.

Engineers and Spring admins should prioritize deploying these security updates as soon as possible because, according to vulnerability analyst Will Dormann, even the sample code available on spring.io is vulnerable, and plenty of developers use that code as a template for their applications.
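The first step in prioritizing these updates is finding out which builds actually pull in an affected version. The following script is an added example, not Accorian's tooling: it reads a Maven pom.xml, resolves `${property}` version references, and flags dependencies whose version falls at or below the vulnerable ceilings stated in the two advisories above (5.3.17 / 5.2.19 for Spring Core, 3.1.6 / 3.2.2 for Spring Cloud Function). The Maven artifact ids `spring-core` and `spring-cloud-function-context` are assumptions, since the advisory names projects rather than coordinates, and the sample pom.xml is constructed for the demonstration.

```python
"""Triage Maven dependencies against the Spring4Shell (CVE-2022-22965) and
CVE-2022-22963 version ranges given in the advisory above.

Added example; not part of the original advisory."""
import re
import xml.etree.ElementTree as ET

# Last vulnerable patch level per release line, as stated in the advisory.
# A version is flagged when its major.minor matches a listed line and its
# patch number is <= the ceiling. Release lines the advisory does not name
# are not flagged; treat them as "unknown", not as safe.
# Artifact ids are assumptions (the advisory names projects, not coordinates).
ADVISORIES = {
    "CVE-2022-22965": ("spring-core", {(5, 3): 17, (5, 2): 19}),
    "CVE-2022-22963": ("spring-cloud-function-context", {(3, 1): 6, (3, 2): 2}),
}

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(text):
    """'5.3.17.RELEASE' or '5.3.17-SNAPSHOT' -> (5, 3, 17); qualifiers are dropped."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) < 3:          # pad '5.3' to (5, 3, 0)
        parts.append(0)
    return tuple(parts[:3])


def affected_by(artifact_id, version):
    """Return the advisory CVE ids that apply to this artifact at this version."""
    major, minor, patch = parse_version(version)
    hits = []
    for cve, (artifact, lines) in ADVISORIES.items():
        if artifact != artifact_id:
            continue
        ceiling = lines.get((major, minor))
        if ceiling is not None and patch <= ceiling:
            hits.append(cve)
    return hits


def scan_pom(pom_text):
    """Map each affected artifactId in a pom.xml to (resolved version, [CVE ids])."""
    root = ET.fromstring(pom_text)
    # Collect <properties> so '${spring.version}' style references resolve.
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.iterfind(f"{POM_NS}properties/*")}

    def resolve(value):
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), value)

    findings = {}
    for dep in root.iterfind(f".//{POM_NS}dependency"):
        artifact = dep.findtext(f"{POM_NS}artifactId", "").strip()
        version = dep.findtext(f"{POM_NS}version")
        if not version:
            # Version managed by a parent/BOM: needs the resolved dependency
            # tree (e.g. `mvn dependency:tree`) rather than this file alone.
            continue
        version = resolve(version.strip())
        cves = affected_by(artifact, version)
        if cves:
            findings[artifact] = (version, cves)
    return findings


# Constructed sample pom.xml: Spring Core pinned to a vulnerable version via a
# property, Spring Cloud Function already on a patched release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <spring.version>5.3.17</spring.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-context</artifactId>
      <version>3.1.7</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, (version, cves) in scan_pom(SAMPLE_POM).items():
        print(f"{artifact} {version}: affected by {', '.join(cves)}")
```

Run it against a real pom.xml by reading the file into `scan_pom`; for multi-module builds or versions inherited from a parent POM or BOM, feed it the output of the resolved dependency tree instead, since a single pom.xml does not show transitive or managed versions.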

Accorian is continuously monitoring the situation and can aid in identifying the vulnerabilities in your infrastructure. Kindly reach out to us.  
