Spring4Shell vulnerability likely to affect real-world apps, analyst says


More answers are emerging about the potential risks associated with a newly disclosed remote code execution (RCE) vulnerability in Spring Core, known as Spring4Shell — with new evidence pointing to a possible impact on real-world applications.

While researchers have noted that comparisons between Spring4Shell and the critical Log4Shell vulnerability are likely inflated, multiple researchers on Wednesday posted confirmation that they were able to get an exploit for the Spring4Shell vulnerability to work against sample code supplied by Spring.

“If the sample code is vulnerable, then I suspect there are indeed real-world apps out there that are vulnerable to RCE,” vulnerability analyst Will Dormann said in a tweet.

Still, as of this writing, it’s not clear how broad the impact of the vulnerability might be, or which specific applications might be vulnerable.

That alone suggests that the risk associated with Spring4Shell is not comparable to that of Log4Shell, a high-severity RCE vulnerability disclosed in December. Log4Shell affected the widely used Apache Log4j logging library and was believed to have impacted most organizations.

Still to be determined, Dormann said on Twitter, is the question of “what actual real-world applications are vulnerable to this issue?”

“Or is it likely to affect mostly just custom-built software that uses Spring and meets the list of requirements to be vulnerable,” he said in a tweet.

Spring is a popular framework used in the development of Java web applications.

Vulnerability details

Researchers at several cybersecurity firms have analyzed and published details on the Spring4Shell vulnerability, which was disclosed on Tuesday. As of this writing, no patch is available.

Security engineers at Praetorian said Wednesday that the vulnerability affects Spring Core running on JDK (Java Development Kit) 9 and above. The RCE vulnerability stems from a bypass of the fix for CVE-2010-1622, the Praetorian engineers said.

The Praetorian engineers said they have developed a working exploit for the RCE vulnerability. “We have disclosed full details of our exploit to the Spring security team, and are holding off on publishing more information until a patch is in place,” they said in a blog post.

(Importantly, the Spring4Shell vulnerability is different from the Spring Cloud vulnerability that is tracked at CVE-2022-22963 and that, confusingly, was disclosed at around the same time as Spring4Shell.)

The bottom line with Spring4Shell is that while it shouldn’t be ignored, “this vulnerability is NOT as bad” as the Log4Shell vulnerability, cybersecurity firm LunaSec said in a blog post.

All attack scenarios with Spring4Shell, LunaSec said, “are more complex and have more mitigating factors than Log4Shell did.”
