A zero-day vulnerability was found in the popular Java Web App development framework Spring likely puts a wide variety of Web apps at risk of remote attack.
The vulnerability dubbed Spring4Shell and SpringShell could be exploited remotely if a Spring application is deployed to an Apache Tomcat server using a common configuration. Independent researchers has confirmed it as a new vulnerability.
Spring4Shell, which has not yet been assigned a Common Vulnerabilities and Exposures (CVE) identifier, will likely require broad patching to make certain that installations are not vulnerable to remote compromise.
The vulnerability targeted by the exploit is different from two previous vulnerabilities disclosed in the Spring framework this week, the Spring Cloud vulnerability (CVE-2022-22963) and the Spring Expression DoS vulnerability (CVE-2022-22950), as per the researchers
In order to exploit the vulnerability, attackers will have to locate and identify web app instances that actually use the DeserializationUtils, something already known by developers to be dangerous. If present, SpringShell’s impact has the potential of being misconstrued as being more impactful or widespread
A Chinese researcher initially posted the proof of concept in Twitter and deleted it , since vulnerabilities has to be informed to the government prior to posting in public as per the Chinese rules.
The attack currently works for Spring applications deployed to Tomcat, but Spring applications that use Spring Boot and embedded Tomcat, a common mechanism of deployment, are not exploitable.
Though there exist a similarity between Log4shell and Spring4shell, The Spring framework vulnerability does not seem to be as critical as the issues found in Log4j. The attackers need to know the address, including the application’s endpoint, to exploit the vulnerability. Applications that are not exposed to the Internet are safe. In log4j even if the application is not exposed to internet, attackers exploited the flaw.
Spring is owned by VMware is working on an update