Critical 0-day vulnerability found in Spring Java framework

Spring Java Framework
Written by Emma Davis

A critical vulnerability called Spring4Shell has been discovered in the popular Spring Java framework. The bug allows remote execution of arbitrary code without authentication.

Spring is a popular framework that allows developers to quickly and easily create Java applications with enterprise-level features. Such applications can be deployed to servers such as Apache Tomcat as standalone packages with all the required dependencies.

A fresh bug in the Spring Cloud Function, CVE-2022-22963, was discovered earlier this week, and yesterday a PoC exploit appeared on the network, though soon it was removed from the public domain. Since many security researchers have managed to download the published code, companies are now warning that the vulnerability is indeed a serious concern.

The issue with Spring4Shell is related to insecure deserialization of passed arguments. While the issue was originally thought to affect all Spring applications running on Java 9 or later, it eventually turned out that there are certain restrictions that must be met for a Spring application to become vulnerable.

CERT/CC Analyst Will Dormann explains that an application must use Spring Beans, Spring Parameter Binding, and Spring Parameter Binding must be configured to use non-basic parameter types such as POJOs.

The information security company Praetorian has also confirmed that the manifestations of the error are associated with certain configurations.

Exploitation requires an endpoint with DataBinder enabled (for example, a POST request that automatically decodes data from the request body), and it all depends heavily on the servlet container for the application. For example, when Spring is deployed on Apache Tomcat, a WebAppClassLoader is available, which allows an attacker to call getters and setters to eventually write a malicious JSP file to disk.

But if Spring is deployed using the Embedded Tomcat Servlet Container, the class loader is the LaunchedURLClassLoader, which has restricted access.

In some configurations, the exploitation of this problem is extremely simple, since it only needs to send a specially prepared POST request to the affected system. However, exploiting [the problem] in other configurations will require more research to find payloads that will be effective.the experts say in the blog.

Since there is no patch for the vulnerability yet, Praetorian describes a way to mitigate the Spring4Shell issue: by disallowing passing certain patterns to the Spring Core DataBinder.

Unfortunately, with all the limitations that the researchers write about, it is reported that hackers are already using the Spring4Shell problem. So, Bleeping Computer writes about attacks using a fresh bug, citing its own sources.

Let me remind you that we also reported that GitHub specialists talked about vulnerabilities in npm, and also that Apache patches a 0-day vulnerability already exploited by hackers.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.