Spring4Shell: Deep breath. Don’t panic. Mitigate.

Development and security teams, software creators, and companies alike were hit once again with another vulnerability when news spread online that a proof of concept (PoC) for an unauthenticated zero-day vulnerability in Spring Core had been disclosed. CVE-2022-22965—nicknamed Spring4Shell—is an RCE vulnerability in one of the most popular open-source frameworks for Java applications in use today. It has a CVSS score of 9.8, which is critical.

The vulnerability could leave millions of apps and websites vulnerable to cyberattacks if it goes unpatched. Please note, details about this vulnerability are still developing and as more information becomes available, we will update you.

According to the announcement, CVE-2022-22965 affects Spring MVC (spring-webmvc) and Spring WebFlux (spring-webflux) when running on JDK 9 or above. In addition, the currently available exploit requires that the application be packaged as a WAR and deployed to Apache Tomcat. Worth noting, however, the vulnerability is more general in nature, and attackers may find other ways to exploit it.

It’s currently recommended to update to Spring Framework 5.3.18. A backported fix is also available as Spring Framework 5.2.20.
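The affected-component and fixed-version details above translate directly into a triage check. The script below is an added example, not Revenera’s code: it opens a WAR archive, looks for spring-webmvc and spring-webflux jars under WEB-INF/lib, and compares each jar’s version against the 5.3.18 and 5.2.20 fix levels named in the post. It assumes the jar filenames carry the version (a renamed or shaded jar will not be detected), and it deliberately does not try to confirm the JDK version or the Tomcat deployment, since a jar below the fixed version warrants patching regardless of whether the currently known exploit applies. The sample WAR it scans is constructed in memory for demonstration.

```python
import io
import re
import zipfile
from typing import List, Tuple

# Fix levels stated in the post: 5.3.18 on the 5.3 branch, 5.2.20 as the backport.
FIXED_PATCH = {(5, 3): 18, (5, 2): 20}

# Components the announcement names as affected.
AFFECTED_ARTIFACTS = ("spring-webmvc", "spring-webflux")

# Matches e.g. WEB-INF/lib/spring-webmvc-5.3.17.jar or spring-webflux-5.2.19.RELEASE.jar
JAR_RE = re.compile(r"(?:^|/)(spring-web(?:mvc|flux))-(\d+\.\d+\.\d+[^/]*?)\.jar$")


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable', or 'no-fix-listed' for a Spring version string."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "no-fix-listed"
    major, minor, patch = (int(x) for x in m.groups())
    fixed_patch = FIXED_PATCH.get((major, minor))
    if fixed_patch is None:
        # Branches other than 5.2/5.3 have no fix level in the post; review by hand.
        return "no-fix-listed"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def scan_war(war_bytes: bytes) -> List[Tuple[str, str, str]]:
    """List (artifact, version, status) for every affected Spring jar bundled in a WAR."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.search(name)
            if m and m.group(1) in AFFECTED_ARTIFACTS:
                artifact, version = m.group(1), m.group(2)
                findings.append((artifact, version, classify(version)))
    return findings


def build_sample_war() -> bytes:
    """Constructed sample WAR: a pre-fix spring-webmvc plus unrelated jars and classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/spring-webmvc-5.3.17.jar", b"")
        war.writestr("WEB-INF/lib/spring-core-5.3.17.jar", b"")
        war.writestr("WEB-INF/lib/jackson-databind-2.13.2.jar", b"")
        war.writestr("WEB-INF/classes/com/example/App.class", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for artifact, version, status in scan_war(build_sample_war()):
        print(f"{artifact} {version}: {status}")
```

Point `scan_war` at the bytes of a real deployed WAR to use it outside the demo; any line reporting `vulnerable` means the application bundles an affected component below the fix level and should be upgraded to 5.3.18 or 5.2.20.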

Is this like the Log4j vulnerability?

Coming so soon after Log4j, and after warnings that another similar attack was not a matter of “if” but “when,” software developers online named the vulnerability Spring4Shell after Log4Shell, largely because of the Spring Core Framework’s popularity. Chances are, anyone writing Java will have something written in Spring.

Additionally, as with Log4j, we can expect follow-on attacks requiring numerous patches, so don’t expect the vulnerability to dissipate anytime soon. There will be different exploitations and different ways to fix those instances in the near future.

There are some differences, however. A lot of people who were using Log4j didn’t know it, because it was bundled up and included as part of an application. With the Spring Framework being a commercial product, there should be clear indicators that it’s in use.

It’s also being said that Spring4Shell is harder to exploit than Log4j. Hackers will need a greater skill level to exploit the vulnerability.

Check back to our blog for ongoing updates on Spring4Shell. Please also watch this brief conversation between me and Neeraj Thakur, Product Security Engineer, as we discuss the implications of Spring4Shell, its exploitability, and the steps organizations should be taking now to mitigate.

Note: As of April 11, 2022, the U.S. Cybersecurity and Infrastructure Agency (CISA) has added Spring4Shell to its Known Exploited Vulnerabilities Catalog.