Organizations worldwide are facing the fallout of the Spring4Shell vulnerability. And Microsoft has reported vulnerabilities in the Spring Framework for Java. But some are questioning the gravity of the exploit.
What is the Spring Framework and Spring4Shell exploit?
The Spring Framework is an Open Source programming and configuration model that provides infrastructure support for developers building Java applications (via Check Point). It is used by millions of web applications and websites and is one of the most popular frameworks for the java programming language. The framework has become popular in the Java community as an addition to the Enterprise JavaBeans (EJB) model.
The Spring4Shell exploit is a zero-day vulnerability in the Spring Core Java framework that may allow unauthenticated remote code execution (RCE) on vulnerable applications. It was publicly disclosed on March 30 before a patch was released.
The vulnerability is newly listed as CVE-2022-22965 by the National Vulnerability Database.
Microsoft responded publicly with a blog on April 4, describing the threat.
“The Spring Framework is the most widely used lightweight open-source framework for Java. In Java Development Kit (JDK) version 9.0 or later, a remote attacker can obtain an AccessLogValve object through the framework’s parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path, if certain conditions are met.
“The vulnerability in Spring Core—referred to in the security community as SpringShell or Spring4Shell—can be exploited when an attacker sends a specially crafted query to a web server running the Spring Core framework. Other vulnerabilities disclosed in the same component are less critical and not tracked as part of this blog.”
SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965, Microsoft Security Blog, updated April 5, 2022
In the course of monitoring attacks against its cloud infrastructure and services, Microsoft said it has been tracking a low volume of exploit attempts but has not seen a significant increase in quantity of attacks or new campaigns as of April 5.
VMWare has also published security updates for Spring4Shell.
How severe is it?
A report at Ars Technica disputed the seriousness of the exploit.
“Hype and hyperbole were on full display this week as the security world reacted to reports of yet another Log4Shell,” according to the report.
And some later reports downplayed the severity, after initial breathless warnings of what could happen.
“While some have compared this security bug's severity level with Log4Shell…this isn't necessarily true given that Spring4Shell only impacts systems with a very particular configuration,” said BleepingComputer.
Some, including Will Dormann, Vulnerability Analyst at the CERT/CC, took a dim view of the initial overreaction to the vulnerability.
But Dormann later revised his initial take and said it actually was a “thing.”
“And to tie up this thread, I've confirmed that #SpringShell / #Spring4Shell *IS* indeed a thing,” Dormann said in a tweet.
On April 1, the US Cybersecurity and Infrastructure Security Agency (CISA) urged all organizations in the U.S. to patch immediately.