Spring has released an emergency update to fix the ‘Spring4Shell’ zero-day RCE vulnerability.
An exploit for a zero-day RCE vulnerability in the Spring Framework dubbed ‘Spring4Shell‘ was briefly published on GitHub and then removed. The vulnerability was quickly tested by independent researchers and confirmed it as a new vulnerability
Spring has released an advisory explaining that the vulnerability is now tracked as CVE-2022-22965 and impacts Spring MVC and Spring WebFlux applications on JDK 9.
The exploitation of the vulnerability also requires Apache Tomcat, an application packaged as a WAR, the
spring-webflux dependencies impacting Spring MVC and Spring WebFlux applications running on JDK 9+. If deployed as a executable Spring boot jar file then it’s not vulnerable for an attack
The Spring versions that fix the new vulnerability are listed below.
- Spring Framework 5.3.18 and Spring Framework 5.2.20
- Spring Boot 2.5.12
- Spring Boot 2.6.6 (will be released soon)
Spring admins should prioritize deploying these security updates as soon as possible, as Spring4Shell scanners have already been created, and there are reports of the vulnerability already being actively exploited in the wild.