
More answers are emerging about the potential risks associated with a newly disclosed remote code execution (RCE) vulnerability in Spring Core, known as Spring4Shell — with new evidence pointing to a possible impact on real-world applications.

While researchers have noted that comparisons between Spring4Shell and the critical Log4Shell vulnerability are likely inflated, analysts Colin Cowie and Will Dormann separately posted confirmations Wednesday, showing that they were able to get an exploit for the Spring4Shell vulnerability to work against sample code supplied by Spring.

“If the sample code is vulnerable, then I suspect there are indeed real-world apps out there that are vulnerable to RCE,” Dormann said in a tweet.

Still, as of this writing, it’s not clear how broad the impact of the vulnerability might be, or which specific applications might be vulnerable.

That alone would appear to suggest that the risk associated with Spring4Shell is not comparable to that of Log4Shell, a high-severity RCE vulnerability that was disclosed in December. The vulnerability affected the widely used Apache Log4j logging library, and was believed to have impacted most organizations.

Still to be determined about Spring4Shell, Dormann said on Twitter, is the question of “what actual real-world applications are vulnerable to this issue?”

“Or is it likely to affect mostly just custom-built software that uses Spring and meets the list of requirements to be vulnerable,” he said in a tweet.

Spring is a popular framework used in the development of Java web applications.

Vulnerability details

Researchers at several cybersecurity firms have analyzed and published details on the Spring4Shell vulnerability, which was disclosed on Tuesday. At the time of this writing, no patch is available.

Security engineers at Praetorian said Wednesday that the vulnerability affects Spring Core on JDK (Java Development Kit) 9 and above. The RCE vulnerability stems from a bypass of CVE-2010-1622, the Praetorian engineers said.

The Praetorian engineers said they have developed a working exploit for the RCE vulnerability. “We have disclosed full details of our exploit to the Spring security team, and are holding off on publishing more information until a patch is in place,” they said in a blog post.

(Importantly, the Spring4Shell vulnerability is different from the Spring Cloud vulnerability tracked as CVE-2022-22963, which, confusingly, was disclosed at around the same time as Spring4Shell.)

The bottom line with Spring4Shell is that while it shouldn’t be ignored, “this vulnerability is NOT as bad” as the Log4Shell vulnerability, cybersecurity firm LunaSec said in a blog post.

All attack scenarios with Spring4Shell, LunaSec said, “are more complex and have more mitigating factors than Log4Shell did.”

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.