
Spring has released an emergency update to fix the ‘Spring4Shell’ zero-day RCE vulnerability.
An exploit for a zero-day RCE vulnerability in the Spring Framework, dubbed ‘Spring4Shell’, was briefly published on GitHub and then removed. Independent researchers quickly tested the exploit and confirmed that it targets a new, previously unknown vulnerability.
Spring has released an advisory explaining that the vulnerability is now tracked as CVE-2022-22965 and affects Spring MVC and Spring WebFlux applications running on JDK 9 or later.
Exploiting the vulnerability with the published exploit requires a specific setup: the application must run on JDK 9 or later, be packaged as a WAR and deployed on Apache Tomcat, and depend on spring-webmvc or spring-webflux (that is, be a Spring MVC or Spring WebFlux application). An application deployed as an executable Spring Boot jar is not exposed to this particular exploit by default. The flaw itself is in the framework, however, not in the deployment layout, so unpatched applications that do not match the exploit's preconditions should still be updated rather than treated as safe.
The Spring versions that fix the new vulnerability are listed below.
- Spring Framework 5.3.18 and Spring Framework 5.2.20
- Spring Boot 2.5.12
- Spring Boot 2.6.6 (not yet released at the time of writing)
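The preconditions above and the fixed-version list translate directly into a triage check. The following script is an added example, not code from this article or from the Spring project: it encodes the advisory's exploit preconditions (JDK 9+, spring-webmvc or spring-webflux on the classpath, WAR on Apache Tomcat) and the fixed versions, and applies them to a constructed inventory of deployments. The inventory records, their version strings and the verdict wording are made up for illustration; a version on a line the advisory does not list (Spring Framework 5.1 or 4.x, for instance) is treated as unfixed, which is the conservative choice.

```python
"""Exposure triage for CVE-2022-22965 (Spring4Shell).

Added example, not code from the article or from the Spring project. It encodes
the advisory's exploit preconditions (JDK 9+, spring-webmvc or spring-webflux
on the classpath, WAR deployed on Apache Tomcat) and the fixed-version list, and
applies them to a constructed inventory of deployments. The inventory records,
their version strings and the verdict wording are all made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Minimum fixed version on each maintained line, from the Spring advisory.
FIXED_SPRING_FRAMEWORK: Dict[Tuple[int, int], Version] = {
    (5, 2): (5, 2, 20),
    (5, 3): (5, 3, 18),
}
FIXED_SPRING_BOOT: Dict[Tuple[int, int], Version] = {
    (2, 5): (2, 5, 12),
    (2, 6): (2, 6, 6),
}


def parse_version(text: str) -> Version:
    """Turn '5.3.17', '5.2.19.RELEASE' or '2.6.6-SNAPSHOT' into (major, minor, patch).

    Only the leading numeric components count; qualifiers are ignored and
    missing components default to 0.
    """
    parts: List[int] = []
    for piece in text.replace("-", ".").split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_fixed(version: str, table: Dict[Tuple[int, int], Version]) -> bool:
    """True only when the version sits on a line with a fix and is at or above it.

    A line absent from the table (Spring Framework 5.1 or 4.x, Spring Boot 2.4
    and older, all out of support) has no fix, so it is reported as unfixed.
    """
    v = parse_version(version)
    fixed = table.get((v[0], v[1]))
    return fixed is not None and v >= fixed


@dataclass
class Deployment:
    name: str
    jdk_major: int          # 8, 11, 17, ...
    spring_framework: str   # version of spring-webmvc / spring-webflux in use
    spring_web: bool        # spring-webmvc or spring-webflux on the classpath
    packaging: str          # "war" or "jar"
    container: str          # "tomcat", "jetty", "embedded", ...


def triage(d: Deployment) -> str:
    """Classify one deployment against the advisory.

    A patched framework is safe whatever the layout, and an application
    without spring-webmvc/spring-webflux is not affected. Everything else
    needs the update; the verdict states whether the public exploit's
    preconditions (JDK 9+, WAR on Apache Tomcat) are also met, which is what
    decides the patching order.
    """
    if not d.spring_web:
        return "not affected: no spring-webmvc or spring-webflux dependency"
    if is_fixed(d.spring_framework, FIXED_SPRING_FRAMEWORK):
        return "patched: Spring Framework " + d.spring_framework
    if d.jdk_major < 9:
        return "update required: vulnerable version on JDK %d, public exploit needs JDK 9+" % d.jdk_major
    if d.packaging == "war" and d.container == "tomcat":
        return "update now: JDK 9+, WAR on Apache Tomcat, public exploit applies"
    return "update required: vulnerable version, but not the WAR-on-Tomcat layout the public exploit targets"


# Constructed inventory for illustration; these are not real systems.
INVENTORY = [
    Deployment("orders-api", 11, "5.3.17", True, "war", "tomcat"),
    Deployment("billing", 17, "5.3.18", True, "war", "tomcat"),
    Deployment("legacy-portal", 8, "5.2.19.RELEASE", True, "war", "tomcat"),
    Deployment("reports", 11, "5.3.17", True, "jar", "embedded"),
    Deployment("batch-worker", 11, "5.3.17", False, "jar", "embedded"),
]


def triage_inventory(inventory: List[Deployment]) -> Dict[str, str]:
    """Map each deployment name to its verdict."""
    return {d.name: triage(d) for d in inventory}


if __name__ == "__main__":
    for name, verdict in triage_inventory(INVENTORY).items():
        print(f"{name:14} {verdict}")
```

The ordering of the checks is the point: a fixed framework version ends the triage, a missing spring-webmvc/spring-webflux dependency means the application is out of scope, and everything else needs the update, with the WAR-on-Tomcat, JDK 9+ deployments at the front of the queue because that is the layout the public exploit targets. Spring Boot versions can be checked the same way with `FIXED_SPRING_BOOT`.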
Administrators of Spring applications should prioritize deploying these security updates as soon as possible: Spring4Shell scanners have already been created, and there are reports of the vulnerability being actively exploited in the wild.