Hot off the heels of the recent Chrome zero-day exploit, Spring, the popular Java framework designed to help developers build Java-based applications, has disclosed a zero-day vulnerability affecting its platform, referred to online as Spring4Shell.
Prior to CVE-2022-22965 being published, full details of the vulnerability were leaked online, leaving developers scrambling to address the issue.
Are you impacted?
The requirements for the vulnerability are very specific, which may limit its impact; however, if you use the Spring Framework, you'll definitely want to ensure your systems are safe. Here are the requirements according to Spring.io:
JDK 9 or higher
Apache Tomcat as the Servlet container
Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
spring-webmvc or spring-webflux dependency
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
Even if you do not meet these prerequisites, it's important to keep in mind that the details of this exploit are very new, and certain aspects of the vulnerability may still be unknown at this time.
From Spring:
The nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.
What to do if you're affected by Spring4Shell
If you are impacted by this vulnerability, it is highly recommended that you update to the latest Spring Framework versions, which have just been released. Users currently running version 5.2.x should upgrade to 5.2.20+, and users running version 5.3.x should upgrade to version 5.3.18+.
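As an added illustration (not part of the original article or any Spring tooling), the following Python script compares a deployment against the prerequisite list above and the fixed versions just named. The jar listing, Java version string, container and packaging fields are constructed sample input; the lookup table of fixed versions is an assumption built from the article's own numbers.

```python
import re

# Fixed versions named in the article, keyed by (major, minor); constructed lookup.
FIXED_VERSIONS = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}

# spring-webmvc / spring-webflux jar names, e.g. spring-webmvc-5.3.17.jar
# or the older spring-webmvc-5.2.19.RELEASE.jar naming.
SPRING_WEB_JAR = re.compile(r"^spring-(?:webmvc|webflux)-(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?\.jar$")

def spring_version_affected(version):
    """True for 5.3.0-5.3.17, 5.2.0-5.2.19, or anything older than 5.2."""
    major, minor, _patch = version
    if (major, minor) < (5, 2):
        return True  # the advisory's "and older versions"
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False  # a release line with no listed fix (e.g. a newer major)
    return version < fixed

def jdk_major(java_version):
    """Major release from a java.version string: '1.8.0_312' -> 8, '11.0.14' -> 11."""
    parts = java_version.split(".")
    return int(parts[1]) if parts[0] == "1" else int(parts[0])

def find_spring_web_version(jar_names):
    """Version tuple of the first spring-webmvc/webflux jar in a WEB-INF/lib listing."""
    for name in jar_names:
        match = SPRING_WEB_JAR.match(name)
        if match:
            return tuple(int(part) for part in match.groups())
    return None

def assess(jar_names, java_version, servlet_container, packaging):
    """Return (all_prerequisites_met, per_check_results) for one deployment."""
    # False is not a clean bill of health: other vectors may still be unknown.
    spring_version = find_spring_web_version(jar_names)
    checks = {
        "jdk_9_or_higher": jdk_major(java_version) >= 9,
        "tomcat_servlet_container": servlet_container.lower() == "tomcat",
        "packaged_as_war": packaging.lower() == "war",
        "spring_webmvc_or_webflux_present": spring_version is not None,
        "spring_version_affected": spring_version is not None
        and spring_version_affected(spring_version),
    }
    return all(checks.values()), checks

# Constructed sample: WEB-INF/lib of a WAR deployed on Tomcat under JDK 11.
SAMPLE_JARS = ["spring-core-5.3.17.jar", "spring-webmvc-5.3.17.jar"]
```

Run `assess(SAMPLE_JARS, "11.0.14", "Tomcat", "war")` to see every check reported True for the sample; swapping in a 5.3.18 jar or a JDK 8 version string flips the overall result.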
Again, the information surrounding this vulnerability is very new, and other attack vectors and prerequisites may be unknown at this point. Even if you've implemented the recommended upgrades, it's critical to keep an eye on this vulnerability as new information becomes available.
PDQ is dedicated to helping IT teams keep their networks secure. To stay up to date with the latest information regarding this vulnerability, bookmark this article which will be updated with any new relevant information as it becomes available.