Spring4shell Java RCE ZeroDay in Spring

A zero-day vulnerability was found in the popular Java Web App development framework Spring likely puts a wide variety of Web apps at risk of remote attack.

The vulnerability dubbed Spring4Shell and SpringShell could be exploited remotely if a Spring application is deployed to an Apache Tomcat server using a common configuration. Independent researchers has confirmed it as a new vulnerability.

Advertisements

Spring4Shell, which has not yet been assigned a Common Vulnerabilities and Exposures (CVE) identifier, will likely require broad patching to make certain that installations are not vulnerable to remote compromise.

The vulnerability targeted by the exploit is different from two previous vulnerabilities disclosed in the Spring framework this week, the Spring Cloud vulnerability (CVE-2022-22963) and the Spring Expression DoS vulnerability (CVE-2022-22950), as per the researchers

In order to exploit the vulnerability, attackers will have to locate and identify web app instances that actually use the DeserializationUtils, something already known by developers to be dangerous. If present, SpringShell’s impact has the potential of being misconstrued as being more impactful or widespread

A Chinese researcher initially posted the proof of concept in Twitter and deleted it , since vulnerabilities has to be informed to the government prior to posting in public as per the Chinese rules.

The attack currently works for Spring applications deployed to Tomcat, but Spring applications that use Spring Boot and embedded Tomcat, a common mechanism of deployment, are not exploitable.