Remote Code Execution (RCE) in the Java Spring Framework
Spring Framework Spring4Shell (CVE-2022-22965) [1]
- CVSS – 9.8 CRITICAL
- Vulnerability Publication Date – 3/31/2022
- Exploits Available
The Spring4Shell Remote Code Execution vulnerability affects Apache Tomcat servers running JDK 9+ with Spring Framework versions prior to 5.2.20, or 5.3.x versions prior to 5.3.18.
After 26 years of life, Java remains the most popular programming language in the world. The Spring Framework is an open-source application framework that can be used in any Java program. Spring is widely used among Java developers, yet according to Checkpoint only 16% of organizations were affected by Spring4Shell [2]. The share could have been considerably higher, but only a subset of Spring versions is affected.
While Spring4Shell has not risen to the notoriety of Log4Shell, new reports are surfacing that Spring4Shell is being leveraged to spread the Mirai botnet malware through the RCE flaw [3]. Once systems are added to the botnet, these bots or “zombies” are used to perform DDoS attacks [4].
Recommendations / Remediation
While Spring4Shell is not believed to be as impactful as Log4Shell, organizations should take the time to upgrade their systems and applications to unaffected versions [5].
Upgrade to Spring Framework version 5.2.20 or 5.3.18 or later.
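A quick way to act on the version guidance above is to inventory the Spring Framework jars on a deployment and compare them against the fixed releases. The script below is an added example written for this page, not code from the advisory's author or from the Spring project; the jar file names and Java version strings it checks are constructed samples, and the list of Spring Framework artifact ids is an assumption of which modules to match (Spring Boot jars carry their own version numbers and are deliberately excluded).

```python
"""Added example: flag Spring Framework jars in the Spring4Shell affected ranges.

Affected per the advisory text: Spring Framework versions prior to 5.2.20, and
5.3.x versions prior to 5.3.18, when running on JDK 9+. Fixed: 5.2.20+ / 5.3.18+.
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_5_2 = (5, 2, 20)
FIXED_5_3 = (5, 3, 18)

# Assumption: only Spring Framework modules are versioned on the 5.2/5.3 lines.
# Spring Boot, Spring Security etc. use their own numbering and must not be matched.
SPRING_FRAMEWORK_ARTIFACTS = {
    "spring-core", "spring-beans", "spring-context", "spring-aop",
    "spring-expression", "spring-web", "spring-webmvc", "spring-webflux",
}

# Matches e.g. spring-core-5.3.17.jar or spring-beans-5.2.19.RELEASE.jar
_JAR_RE = re.compile(r"^(spring-[a-z]+)-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a version string, or None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected_spring_version(version: str) -> bool:
    """True when the Spring Framework version falls in an affected range."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version: {version!r}")
    if v[:2] == (5, 3):
        return v < FIXED_5_3          # 5.3.0 .. 5.3.17 affected
    return v < FIXED_5_2              # everything before 5.2.20 affected


def jdk_in_scope(java_version: str) -> bool:
    """JDK 9+ is in scope. Accepts '1.8.0_292' style or '11.0.15' / '17' style."""
    parts = java_version.split(".")
    major = int(parts[0])
    if major == 1:                    # legacy 1.x form, e.g. 1.8.0_292 -> 8
        major = int(parts[1])
    return major >= 9


def scan_jar_names(jar_names: List[str]) -> List[str]:
    """Return 'artifact version' strings for affected Spring Framework jars."""
    findings = []
    for name in jar_names:
        m = _JAR_RE.match(name)
        if not m or m.group(1) not in SPRING_FRAMEWORK_ARTIFACTS:
            continue
        version = ".".join(m.group(2, 3, 4))
        if is_affected_spring_version(version):
            findings.append(f"{m.group(1)} {version}")
    return findings


def assess(jar_names: List[str], java_version: str) -> Dict[str, object]:
    """Combine the jar scan with the JDK check; 'exposed' needs both conditions."""
    affected = scan_jar_names(jar_names)
    in_scope = jdk_in_scope(java_version)
    return {"jdk_in_scope": in_scope, "affected_jars": affected,
            "exposed": in_scope and bool(affected)}


# Constructed sample inventory (not from a real host).
SAMPLE_JARS = [
    "spring-core-5.3.17.jar", "spring-beans-5.3.17.jar", "spring-webmvc-5.3.17.jar",
    "tomcat-embed-core-9.0.62.jar", "spring-boot-2.6.5.jar",
]

if __name__ == "__main__":
    print(assess(SAMPLE_JARS, "11.0.15"))
```

Run it against the output of `ls WEB-INF/lib` and `java -version` from the server in question; a host whose jars are flagged but whose JDK is 8 still shows the stale jars in `affected_jars`, so the upgrade is visible even where the RCE precondition is not met.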
**These are generalized recommendations that may not be effective for all organizations and environments.**
FortifyData can detect this vulnerability within your organization. Get a Free Risk Assessment to see if you are vulnerable.