Spring Fixes Zero-Day Vulnerability in Framework and Spring Boot

The exploit requires a specific nonstandard configuration to work, limiting the danger it poses, but future research could turn up more broadly usable attacks.

The Spring development team today acknowledged the newly reported SpringShell, also called Spring4Shell, vulnerability, releasing new versions of the Spring Framework and Spring Boot to fix the root cause of the issue in the popular Java frameworks.

The vulnerability — issued by the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-22965 — affects applications that use Spring MVC, a framework implementing the model-view-controller architecture for Web applications, and Spring WebFlux, if they run on version 9.0 or higher of the Java Development Kit, according to an advisory the Spring developers issued.

The current exploit for the issue, however, is somewhat limited, as it requires that the application is deployed as a specific type of file — a Web Archive (WAR) file — on Apache Tomcat, rather than the standard deployment method of a Spring Boot executable in the Java Archive (JAR) format.

However, as more security researchers examine the code and search for additional paths through which to exploit the vulnerability, that could change, Spring committer Rossen Stoyanchev warned in the advisory./p>

“The nature of the vulnerability is more general, and there may be other ways to exploit it,” he said.

Time to Patch Spring Apps
Companies should prioritize patching all of their Spring Framework- and Spring Boot-based applications, even if they do not run the specific, known-vulnerable configurations, security experts say. Development teams often do not know their full software bill-of-materials (SBOM), which could leave them unaware of potentially vulnerable configurations.

In addition, these sorts of vulnerabilities tend to “mutate over time as researchers look for other avenues of exploitation,” says Ilkka Turunen, field CTO at Read more:https://bit.ly/3x2MpPF

Leave a Reply

Your email address will not be published.