What Is SpringShell? What We Know About the SpringShell Vulnerability
Flashpoint and Risk Based Security have analyzed a new remote code execution (RCE) vulnerability looming in the background, dubbed “SpringShell,” which could affect a wide variety of software. In some circles, SpringShell is being hyped and rumored to be as impactful as Log4Shell. But we are still collecting facts and will continuously update this blog with any information that will help security teams decide if they should prioritize this issue.
Here’s a rundown of what we know about SpringShell right now.
Frequently Asked Questions
Is there a CVE for SpringShell?
SpringShell was disclosed March 29, 2022. As of this publishing, no CVE assignment has been given. However, due to the attention that this vulnerability has been getting, we expect to see MITRE assign a CVE faster than usual.
This should not be confused with CVE-2022-22963 or CVE-2022-27772 as those issues are separate from SpringShell.
Is SpringShell currently exploitable?
On March 30, a proof-of-concept (PoC) was published. However, a fully weaponized exploit has not yet been released. Flashpoint and Risk Based Security analysts have verified that the PoC is functional, making the vulnerability valid. More details are required, but current information suggests in order to exploit the vulnerability, attackers will have to locate and identify web app instances that actually use the DeserializationUtils, something already known by developers to be dangerous. If proven true, SpringShell’s impact has the potential of being misconstrued as being more impactful or widespread as it may be.
Although some may compare SpringShell to Log4Shell, it is not similar at a deeper level.
What is the CVSS for SpringShell?
Like almost any remote code execution (RCE) vulnerability, SpringShell has a CVSSv2 score of 10.0 and a CVSSv3 of 9.8. However, since Spring is both a framework and a library, the actual implementation of the vulnerable code may reduce the risk—or, it may manifest in different ways. This could change SpringShell’s impact, increase its access complexity, or require authentication to exploit.
Does SpringShell have limiting factors?
As of this publishing, this issue is reported to affect applications using Spring Framework with Java Development Kit (JDK) 9. It is not clear if systems using a different version of JDK are impacted. If limited to JDK 9, then SpringShell may be far less prevalent than Log4Shell.
How prevalent is the Spring Framework?
According to Spring Framework, it is the world’s most popular Java framework. Major vendors also have contributed to Spring, such as Alibaba, Amazon, and others.
What are threat actors saying about SpringShell?
As of this publishing, Flashpoint analysts have yet to observe exploitation attempts, or threat actor communications, regarding the SpringShell vulnerability.
Track and monitor zero-day vulnerabilities using Flashpoint
Risk Based Security, a Flashpoint company, covers over 284,000 vulnerabilities, including almost 93,000 not reported by CVE/NVD. Sign up for a free trial to get vulnerabilities 21 days faster on average, compared to NVD.
The post What Is SpringShell? What We Know About the SpringShell Vulnerability appeared first on Flashpoint.
*** This is a Security Bloggers Network syndicated blog from Blog – Flashpoint authored by Curtis Kang. Read the original post at: https://www.flashpoint-intel.com/blog/what-is-springshell-what-we-know-about-the-springshell-vulnerability/
