Zero-day vulnerability discovered in Java Spring framework

A zero-day vulnerability found in the popular Java Web application development framework Spring likely puts a wide variety of Web apps at risk of remote attack, security researchers disclosed on March 30.

The vulnerability — dubbed Spring4Shell and SpringShell by some security firms — has caused a great deal of confusion over the past 24 hours as researchers struggled to determine if the issue was new, or related to older vulnerabilities. Researchers with cybersecurity services firm Praetorian and threat intelligence firm Flashpoint independently confirmed that the exploit attacks a new vulnerability, which could be exploited remotely if a Spring application is deployed to an Apache Tomcat server using a common configuration.

Spring4Shell, which has not yet been assigned a Common Vulnerabilities and Exposures (CVE) identifier, will likely require broad patching to make certain that installations are not vulnerable to remote compromise, says Richard Ford, chief technology officer for Praetorian.

“The impact is relatively broad in terms of what we know to be trivially exploitable at this point,” he says. “Even people who run [non-vulnerable configurations] will likely be recommended to patch, even though — today — we don’t have a working RCE [remote code execution] for it.”

The hands-on research by Praetorian and Flashpoint ended speculation by a variety of security professionals on social media that the proof-of-concept code actually exploited older, already patched vulnerabilities. The vulnerability targeted by the exploit is different from two previous vulnerabilities disclosed in the Spring framework this week — the Spring Cloud vulnerability (CVE-2022-22963) and the Spring Expression DoS vulnerability (CVE-2022-22950), according to researchers studying the issues.

The Retail and Hospitality ISAC also issued a statement that its researchers had confirmed the vulnerability.

Spring, which is now owned and managed by VMware, is currently working on an update, according to Praetorian. At this point, threat actors are not yet communicating about the vulnerability, Flashpoint stated in a blog post.

To read the complete article, visit Dark Reading.