
New Spring Framework RCE Vulnerability Confirmed – What to do?

Early Wednesday morning (GMT), reports began to appear on the internet about a new remote code execution flaw that affects Spring Core. This vulnerability, dubbed “Springshell” by some in the community, is a new, previously unknown security vulnerability.

NOTE: A separate Spring vulnerability, CVE-2021-22963 (High), disclosed a few days ago, impacts Spring Cloud Function. It is a Spring Expression Language (SpEL) vulnerability in Spring Cloud Function and is NOT related to “Springshell”, which impacts Spring Core. Some Twitter posts continue to incorrectly conflate the two vulnerabilities.

What is it?

Today, the vulnerability was confirmed by Praetorian security researchers and is tracked in our system under the vulnerability identifier SONATYPE-2022-1764. We are still investigating other avenues of attack, but out of an abundance of caution, and given the media attention, we are releasing this advisory now.

The vulnerability affects the spring-core artifact, an extremely popular framework used widely in Java applications, and appears to require JDK 9 or newer to be running. It is a bypass of an older CVE, CVE-2010-1622, whose fix appears to have been defeated by a feature introduced in JDK 9 or newer. This was confirmed by Praetorian.

This class of vulnerability relies on the software deserializing code, which is at the root of the problem. Older versions of Spring allow Java reflection, which is why many Remote Code Execution (RCE) flaws have historically been observed in them. As a result, an attacker can craft a malicious payload aimed at a Spring application and gain full control of the system.

This vulnerability affects any application that uses Spring Framework. Spring is one of the most popular Java frameworks, comparable in scale to Struts, and the vulnerability can be exploited on any JDK 9 or newer runtime.
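As an added hardening example (not code from the original post, from Sonatype, or from the Spring project), assuming the new flaw reuses the request-parameter property-binding path that CVE-2010-1622 abused, a global Spring MVC `@ControllerAdvice` can refuse to bind any `class`-rooted property path before it reaches reflection:

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Hypothetical hardening advice (added example, class name is an assumption).
 * Every WebDataBinder that Spring MVC creates for a request passes through
 * this @InitBinder, so request parameters that try to walk into a
 * "class.*" / "Class.*" property path (the CVE-2010-1622 style vector)
 * are rejected instead of being bound onto the target bean.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderHardeningAdvice {

    // Cover the "class" property at the root of the path and nested at any
    // depth, in both capitalisations that bean introspection accepts.
    private static final String[] DENIED_FIELDS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void denyClassPropertyBinding(WebDataBinder binder) {
        // setDisallowedFields replaces the binder's current deny list, so a
        // controller with its own @InitBinder that calls it must repeat these
        // patterns; this advice only sets the application-wide baseline.
        binder.setDisallowedFields(DENIED_FIELDS);
    }
}
```

Audit the application's own `@InitBinder` methods as well, since a controller-local `setDisallowedFields` call runs after this advice and overrides it.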

As with historical RCE attacks, it usually is a (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ilkka Turunen. Read the original post at: https://blog.sonatype.com/new-0-day-spring-framework-vulnerability-confirmed
