Spring4Shell vulnerability (CVE-2022-22965) came to light and it’s been a week since the VMware Spring fixed it in new versions of the Spring Framework.
There have been reports of scanning, exploit attempts and attempts to deploy a web shell on vulnerable systems, but it seems that a successful exploitation has yet to be documented.
The US CISA has added Spring4Shell to their Known Exploited Vulnerabilities Catalog. This could lead to attackers achieving RCE capabilities, Spring4Shell is obviously more difficult to exploit than Log4Shell (CVE-2021-44228). Only publicly available PoC exploit works on specific configurations.
The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.Spring Statement
Developers of applications using the Spring Framework have been checking whether they are vulnerable and pushing out fixes, offering workarounds and giving out mitigation steps. Even some open source scanning tools are available for scanning
Log4Shell remediation should definitely be a priority right now since it is being actively exploited by attackers, implementing Spring4Shell fixes should be put on the to-do list and performed sooner rather than later.