A critical vulnerability dubbed Spring4Shell has been discovered in the popular Spring Java framework. The bug allows unauthenticated remote execution of arbitrary code.
Spring is a widely used framework that lets developers quickly build Java applications with enterprise-grade features. Such applications are either deployed as a WAR on a servlet container such as Apache Tomcat or packaged as a standalone executable that bundles all required dependencies, including an embedded container.
Spring4Shell (tracked as CVE-2022-22965) should not be confused with CVE-2022-22963, a separate bug in Spring Cloud Function disclosed earlier this week; the two were widely mixed up when the news broke. Yesterday a PoC exploit for Spring4Shell appeared online and was soon taken down, but enough security researchers had already downloaded the published code that companies are now warning the vulnerability is a serious concern.
Spring4Shell is a data-binding problem rather than a deserialization one: request parameters are bound onto the properties of a controller's argument object, and on JDK 9 or later a crafted parameter name can walk from that object through class.module.classLoader to the application's class loader, bypassing the fix for the older CVE-2010-1622. While the issue was originally thought to affect every Spring application running on Java 9 or later, it turned out that several conditions must be met for an application to be vulnerable.
CERT/CC analyst Will Dormann explains that an application must use Spring Beans and Spring parameter binding, with parameter binding configured to use non-basic parameter types such as POJOs.
The security company Praetorian has also confirmed that whether the bug can be exploited depends on the deployment configuration. The decisive factor is which class loader the data binder can reach: an application deployed as a WAR on a standalone Apache Tomcat exposes Tomcat's own web application class loader, whereas an executable jar does not.
"But if Spring is deployed using the Embedded Tomcat Servlet Container, the class loader is the LaunchedURLClassLoader, which has restricted access.
In some configurations, exploiting this problem is extremely simple, since it only takes a specially prepared POST request to the affected system. However, exploiting [the problem] in other configurations will require more research to find payloads that will be effective," the experts say in the blog.
Since there is no patch for the vulnerability yet, Praetorian describes a way to mitigate Spring4Shell: register a deny-list of field-name patterns on the Spring Core DataBinder so that parameter names reaching into the class loader are never bound.
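The mitigation described above, as an added example rather than code from the article or from Praetorian: a global @ControllerAdvice that installs the deny-list on every WebDataBinder, plus a main() that exercises the same deny-list through a plain DataBinder, so the effect can be checked without a servlet container. The Person class and the request parameters are constructed for the example; the four patterns are the ones Spring itself published for this issue.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.validation.DataBinder;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Global advice: its @InitBinder runs for every WebDataBinder the framework creates.
// @Order only ranks it against other ControllerAdvice beans; see the note below on
// controller-local @InitBinder methods.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Both capitalisations are needed: Spring Framework releases before the fix match these
    // patterns case-sensitively, and "Class" is also a resolvable nested path.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void denyClassLoaderPaths(WebDataBinder binder) {
        // Fields matching a disallowed pattern are dropped before any property access happens
        // and are recorded as "suppressed" in the binding result.
        binder.setDisallowedFields(DENYLIST);
    }

    // Hypothetical POJO of the "non-basic parameter type" kind Dormann refers to (example only).
    public static class Person {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Stand-alone check: same deny-list, plain DataBinder, no web layer.
    public static void main(String[] args) {
        Person target = new Person();
        DataBinder binder = new DataBinder(target, "person");
        binder.setDisallowedFields(DENYLIST);

        // Constructed request parameters: one legitimate field and one whose name walks from
        // the POJO into its Class object and on to the class loader.
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("name", "alice");
        params.put("class.module.classLoader.defaultAssertionStatus", "true");

        binder.bind(new MutablePropertyValues(params));

        // "name" is bound; the class-loader path is listed as suppressed and never touched.
        System.out.println("name bound: " + target.getName());
        System.out.println("suppressed: "
                + String.join(", ", binder.getBindingResult().getSuppressedFields()));
    }
}
```

Two caveats a practitioner should keep in mind. First, a controller that declares its own @InitBinder and calls setDisallowedFields replaces the list rather than extending it, so such controllers must repeat these patterns locally. Second, the deny-list is a stopgap that blocks the known binding path; it is not a substitute for upgrading to a framework release that fixes the underlying behaviour once one is available.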
Unfortunately, despite all the limitations the researchers describe, Spring4Shell is reportedly already being exploited: Bleeping Computer, citing its own sources, writes about attacks using the fresh bug.
Let me remind you that we also reported that GitHub specialists talked about vulnerabilities in npm, and that Apache patched a 0-day vulnerability already exploited by hackers.