A newly disclosed remote code execution vulnerability in Spring Core, a widely used Java framework, does not appear to represent a Log4Shell-level threat.
Security researchers at several organizations have now analyzed the vulnerability, which was disclosed on Tuesday. Several media reports have claimed the bug could be the “next Log4Shell” — akin to the RCE bug in Apache Log4j that was disclosed in December and impacted countless organizations.
However, initial analysis suggests the newly disclosed RCE in Spring Core, dubbed “SpringShell” or “Spring4Shell” in some reports, has significant differences from Log4Shell — and most likely is not as severe.
“Although some may compare SpringShell to Log4Shell, it is not similar at a deeper level,” analysts at cyber firm Flashpoint and its Risk Based Security unit said in a blog post.
The analysts said they have verified that a published proof-of-concept for the vulnerability is “functional,” which in their view confirms that the vulnerability is real.
However, while the vulnerability does currently appear to be legitimate, “its impact may not be as severe as initially rumored,” Flashpoint said in a tweet.
Security professional Chris Partridge, who compiled information on the vulnerability on GitHub, wrote that “this does not instinctively seem like it’s going to be a cataclysmic event such as Log4Shell.”
“This vulnerability appears to require some probing to get working depending on the target environment,” Partridge said.
As a result, researchers suggest that while it’s technically possible for the vulnerability to be exploited, the key question is how many real-world applications are actually impacted by it. (BleepingComputer has reported hearing from multiple sources that the vulnerability is being “actively exploited” by attackers.)
“The new vulnerability does seem to allow unauthenticated RCE — but at the same time, has mitigations and is not currently at the level of impact of Log4j,” said Brian Fox, CTO of application security firm Sonatype, in an email to VentureBeat.
The Log4Shell vulnerability, on the other hand, was believed to have impacted the majority of organizations, due to the pervasiveness of the Log4j logging software. The fact that Log4j is often leveraged indirectly via Java frameworks has also made the issue difficult to fully address for many organizations.
No patches yet
Security engineers at Praetorian said the new Spring Core vulnerability affects Spring Core running on JDK (Java Development Kit) 9 and above. The RCE vulnerability stems from a bypass of CVE-2010-1622, the Praetorian engineers said.
Spring Framework is a popular framework used in the development of Java web applications. At the time of this writing, no patches are available.
(The “SpringShell” vulnerability is not the same as the newly disclosed Spring Cloud vulnerability that is tracked at CVE-2022-22963.)
The Praetorian engineers said they have developed a working exploit for the RCE vulnerability. “We have disclosed full details of our exploit to the Spring security team, and are holding off on publishing more information until a patch is in place,” they said in a blog post.
Update (March 30, 10:45 p.m. PST): Researchers disclosed new evidence pointing to a possible impact from Spring4Shell on real-world applications — though examples of affected applications have not yet been reported.