Patch now: RCE Spring4shell hits Java Spring framework

You didn't have any plans for the weekend anyway, did you?

Another Java Remote Code Execution vulnerability has reared its head, this time in the popular Spring Framework and, goodness, it's a nasty one.

Dubbed "Springshell" or "Spring4Shell", the vulnerability requires an endpoint with DataBinder enabled. "For example," explained security shop Praetorian, "when Spring is deployed to Apache Tomcat, the WebAppClassLoader is accessible, which allows an attacker to call getters and setters to ultimately write a malicious JSP file to disk."

"Spring have acknowledged the vulnerability and released 5.3.18 and 5.2.20 to patch the issue," said Sonatype, "We recommend an immediate upgrade for all users."

Got weekend plans? You might want to consider cancelling and plan your patching instead.

Spring acknowledged the issue today, which was first reported to VMware on Tuesday evening. The team worked through the investigation on Wednesday and pushed out an emergency release this morning, ahead of the CVE report.

The vulnerability comes hot on the heels of another Spring whoopsie. That one, tracked as CVE-2022-22963, was a Spring Expression Language (SpEL) vulnerability in Spring Cloud and is unconnected to the latest nasty to crawl out of the woodwork.

Brian Fox, CTO of Sonatype, noted that the new vulnerability had a potentially greater impact than its predecessor. Fox said: "The new vulnerability does seem to allow unauthenticated RCE but at the same time, has mitigations and is not currently at the level of impact of Log4j."

"We can appreciate the recent Log4shell memory is rightfully causing anxiety in the industry," he added, "as Spring is one of the most popular software frameworks out there. Regardless, this should act as another reason for every organization to take stock of how they are managing their third-party components."

Jamie Moles, senior sales engineer at ExtraHop, commented: "While Spring has moved remarkably fast on deploying a patch, this is still a customer responsibility. CISOs need to conduct regular assessment of vulnerabilities and patch them – no vendor is going to do it for them. There will also be many organizations out there who have bought applications that use the Spring framework without their knowledge. In this case, vendors will need to rapidly reach out and inform them that they need to patch.

"It's difficult to predict the final impact, but the IT community and Spring have reacted very quickly. Ultimately, it all depends on how quickly bad actors can undertake reconnaissance for vulnerabilities and add it to their playbook for attacks. Java is in 3 billion devices worldwide, so this has every possibility of becoming a silent but deadly tactic that hackers leverage."

Jeff Costlow, CISO of the org, warned: "This remote code execution vulnerability has huge potential impact."

"We have reports of scanning already for this vulnerability so it is only a matter of time before a fully weaponized POC is leveraged," he said. "This is a severe remote code execution zero day that can be accessed over HTTP or HTTPS."

The vulnerability lies in Spring Core on JDK9+, and the Praetorian team has published a mitigation for cases where it is not possible to apply the fix released by Spring. The Spring team also noted that the vulnerability was not related to the deprecation of SerializationUtils.

Spring is a popular framework, and the vulnerability is a reminder of the importance of knowing what your apps depend on, and how those dependencies are used.
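
One way to act on that, as an added example (not from the article, Spring, or the vendors quoted): a Python inventory script that finds spring-core and spring-beans jars on disk and packed inside WAR/JAR archives, and compares them with the fixed releases named above, 5.3.18 and 5.2.20. It assumes Maven-style jar file names; the function names and status labels are this example's own.

```python
import io, os, re, sys, zipfile
# Fixed releases named in the article; it lists none for other release lines.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
# Assumption: jars keep Maven-style names, e.g. spring-beans-5.3.17.jar.
JAR_RE = re.compile(r"(?:^|/)spring-(?:core|beans)-(\d+)\.(\d+)\.(\d+)([.-][^/]*)?\.jar$")
ARCHIVES = (".jar", ".war", ".ear")

def classify(name):
    """None for non-Spring jars, else 'patched', 'unpatched' or 'review'."""
    m = JAR_RE.search(name.replace("\\", "/"))
    if not m:
        return None
    ver = tuple(int(g) for g in m.groups()[:3])
    fixed = FIXED.get(ver[:2])
    # Unknown release line, or a non-release build (snapshot, RC): needs a human.
    if fixed is None or m.group(4) not in (None, ".RELEASE"):
        return "review"
    return "patched" if ver >= fixed else "unpatched"

def scan_archive(data, label, depth=0):
    """Yield (location, status) for Spring jars in an archive, including nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for entry in zf.namelist():
            where = f"{label}!/{entry}"
            if (status := classify(entry)):
                yield where, status
            elif entry.lower().endswith(ARCHIVES) and depth < 3:
                yield from scan_archive(zf.read(entry), where, depth + 1)

def scan_tree(root):
    """Report every Spring jar on disk or packed inside archives under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if (status := classify(fn)):
                findings.append((path, status))
            elif fn.lower().endswith(ARCHIVES):
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), path))
    return sorted(findings)

if __name__ == "__main__":
    for where, status in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:10} {where}")
```

A version match is only one of the conditions described above (JDK9+, an endpoint with DataBinder enabled), so read `unpatched` as the list of places to upgrade first. `review` marks jars on release lines the article names no fix for, and builds that are not plain releases.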

Costlow added: "While open source code is truly the building block of our internet and software universe, this vulnerability yet again shines a light on the issue of such an ubiquitous framework in the context of cybersecurity."

Quite. ®

Biting the hand that feeds IT © 1998–2022