When casting around for examples to describe log4j, internet security researchers and writers had to go back a few years to find other large vulnerabilities or outages.
With the latest zero day vulnerability, dubbed ‘Spring4Shell’, unfortunately they don’t have to go back that far. With companies and security teams just beginning to get a handle on log4j and the ramifications, an announcement has been made about this newly discovered widespread vulnerability.
On March 29 the first reports of a new remote code execution (REC) vulnerability in the Java web framework Spring (Spring.io) were made public. This has since been named ‘Spring4Shell’ or just SpringShell. Spring4Shell is a zero-day with a freshly assigned CVE identifier CVE-2022-22965. It was confirmed early on by security researchers at Praetorian and Flashpoint as a new remote code execution vulnerability.
The exploit was tweeted out by a Chinese security researcher, the twitter account for which has since been deleted. The deleted tweet contained screenshots, which were quickly recovered and the exploit was reverse engineered from information contained within those screenshots. The vx-underground account then posted a tweet with the zero day proof of concept attached.
On March 30 a proof of concept was published, but there have been no observed exploits in the wild.
The exploit focuses on Spring applications deployed on a Tomcat server, but does not affect SpringBoot with embedded Tomcat. The full prerequisites for exploitation, as detailed by Spring, are:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
- spring-webmvc or spring-webflux dependency
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
Spring are clear to say though, that this is a general vulnerability and there may be other ways of exploiting it that have not yet been found.
The specific nature of the vulnerability leads researchers to believe this may not have the wide ranging impact of the log4shell vulnerability. Added to which an attacker would need to know the application’s endpoint in order to exploit the vulnerability.
That said, Spring Framework say they are the most popular Java framework and everywhere throughout the web, with contributions from Alibaba, Amazon, Google, Microsoft, and more.
Spring have released a full statement about the vulnerability, including details about which version of their frameworks are affected and details of how to download the fixed versions, or apply workarounds.
To reassure our customers, no variant of the Spring4Shell vulnerability has been found that would work in the Runecast appliance. Runecast uses embedded Tomcat within a JAR file and the part of the exploit which writes the exploitable JSP file to disk cannot work in this environment.
At Runecast we keep you updated about the latest vulnerabilities, exploits and security research. We pride ourselves on responding quickly and decisively to news like this.
Meet other Runecasters here:
As always, if you have any questions or feedback you can reach out to us via our contact us form or on Twitter.