The new Spring4Shell vulnerability, which affects the widely used Spring Java framework, raises fears that companies may be facing a vulnerability similar to Log4Shell.
Spring, a VMware company, has been called the world's most popular Java framework. It is designed to increase speed and productivity by simplifying Java programming. On Wednesday, March 30, a Chinese researcher published a proof-of-concept (PoC) exploit for a remote code execution vulnerability in the core module of Spring, putting cybersecurity managers on high alert. The released PoC exploit works, but only with certain configurations and versions of Java 9 and newer. It is still unclear how many applications are actually vulnerable to attacks.
According to Spring, these properties make configurations vulnerable:
- JDK 9 or higher
- Apache Tomcat for deploying the application
- Packaged as a traditional WAR (as opposed to an executable Spring Boot Jar)
- Dependencies spring-webmvc or spring-webflux
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and older versions
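As an added example (not from the article, Spring or Armis), a small Python triage helper that encodes the preconditions listed above so an asset inventory can be screened for hosts that need review. The `Deployment` record, its field names and the sample version strings are constructed for this example; it also handles the pre-Java-9 `1.x` version format so JDK 8 hosts are not misclassified.

```python
from dataclasses import dataclass, field

def parse_version(text):
    """'5.3.17', '5.3.17.RELEASE' or '1.8.0_292' -> tuple of leading integer fields."""
    parts = []
    for token in text.replace("_", ".").split("."):
        if not token.isdigit():
            break
        parts.append(int(token))
    return tuple(parts)

def java_major(version):
    """Java 8 and earlier report '1.x.y'; Java 9+ put the major first ('11.0.2', '17')."""
    v = parse_version(version)
    if not v:
        raise ValueError(f"unparseable Java version: {version!r}")
    return v[1] if v[0] == 1 and len(v) > 1 else v[0]

def spring_in_affected_range(version):
    """Ranges named in the article: 5.3.0-5.3.17, 5.2.0-5.2.19, and anything older."""
    v = parse_version(version)[:3]
    if v[:2] == (5, 3):
        return v < (5, 3, 18)
    if v[:2] == (5, 2):
        return v < (5, 2, 20)
    return v < (5, 2)

@dataclass
class Deployment:
    """Constructed inventory record; field names are this example's own, not Spring's."""
    java_version: str
    spring_version: str
    packaging: str      # "war" or "jar"
    container: str      # e.g. "tomcat", "jetty", "embedded"
    dependencies: set = field(default_factory=set)

def matches_spring4shell_profile(dep):
    """Return (all_met, unmet): a match means the host fits the published
    profile and needs review, not that exploitation has been confirmed."""
    checks = {
        "JDK 9 or higher": java_major(dep.java_version) >= 9,
        "deployed on Apache Tomcat": dep.container.lower() == "tomcat",
        "packaged as a traditional WAR": dep.packaging.lower() == "war",
        "depends on spring-webmvc or spring-webflux":
            bool(dep.dependencies & {"spring-webmvc", "spring-webflux"}),
        "Spring Framework in affected range": spring_in_affected_range(dep.spring_version),
    }
    unmet = [name for name, ok in checks.items() if not ok]
    return (not unmet, unmet)
```

A host that fails any single precondition is reported with the unmet item, which is what an asset owner needs to decide whether the finding can be closed or must be patched.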
“The vulnerability is of a general nature, and it is conceivable that it can be exploited in other ways that have not yet been reported. IT security teams can better respond to threats from Spring4Shell and improve the overall security situation in the company by knowing all assets in the network and knowing which of them may be affected by this and other critical vulnerabilities,” says Matt Hubbard, Director, Market Intelligence at Armis. “The right asset management, better IT hygiene and threat detection and response can protect against these vulnerabilities.”