Spring4Shell Vulnerability Explained (CVE-2022-22965 / CVE-2022-22963)

What happened?

An important new Spring Framework vulnerability became public on March 31st, 2022, after a researcher published a proof-of-concept exploit that could remotely install a web shell (a web-based remote-control backdoor) on a vulnerable system. This poses a severe risk to businesses, since an attacker who can reach a vulnerable application could take control of it. Note that the vulnerability dubbed Spring4Shell is CVE-2022-22965. It is easy to confuse with CVE-2022-22963, a separate critical vulnerability in Spring Cloud Function that was disclosed only days earlier; the two are unrelated and are fixed in different products.

What products are affected?

The vulnerability lives in Spring Framework's request data binding and affects applications built on Spring MVC or Spring WebFlux (both web frameworks) when they run on JDK 9 or newer. According to the Spring maintainers, the published exploit only works when the application runs on Apache Tomcat and is deployed as a WAR file, as opposed to the executable JAR that Spring Boot produces by default. Spring has also stated that the underlying vulnerability is more general than that one exploit, so a deployment on a different stack should not be assumed safe just because the original proof of concept does not work against it.
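As a first, inventory-style check, the version condition can be tested directly against a deployed WAR. The program below is an added example written for this page (it is not code from the original article or from the Spring project); the class name SpringWarCheck is arbitrary. It scans WEB-INF/lib for plainly named Spring Framework jars and compares their version against the fixed releases (5.3.18 and 5.2.20; older, unsupported lines never received a fix). It only answers the "vulnerable Spring version" question: JDK 9+, Tomcat and WAR packaging must still be confirmed on the host.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public class SpringWarCheck {

    // Matches e.g. WEB-INF/lib/spring-beans-5.3.17.jar and captures major.minor.patch.
    // Shaded, renamed or embedded jars do not match and are reported as "not found".
    private static final Pattern SPRING_JAR = Pattern.compile(
        "WEB-INF/lib/spring-(?:beans|core|web|webmvc|webflux)-(\\d+)\\.(\\d+)\\.(\\d+)\\.jar$");

    /** True when the version is below the fix (5.3.18 / 5.2.20) or on an unsupported, unfixed line. */
    static boolean isVulnerableVersion(int major, int minor, int patch) {
        if (major < 5) return true;        // 4.x and older: out of support, no fix published
        if (major > 5) return false;       // 6.x shipped after the fix
        if (minor < 2) return true;        // 5.0.x / 5.1.x: out of support, no fix published
        if (minor == 2) return patch < 20; // fixed in 5.2.20
        if (minor == 3) return patch < 18; // fixed in 5.3.18
        return false;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java SpringWarCheck <app.war>");
            System.exit(2);
        }
        boolean found = false;
        boolean vulnerable = false;
        try (ZipFile war = new ZipFile(args[0])) {
            Enumeration<? extends ZipEntry> entries = war.entries();
            while (entries.hasMoreElements()) {
                String name = entries.nextElement().getName();
                Matcher m = SPRING_JAR.matcher(name);
                if (!m.find()) {
                    continue;
                }
                found = true;
                int major = Integer.parseInt(m.group(1));
                int minor = Integer.parseInt(m.group(2));
                int patch = Integer.parseInt(m.group(3));
                boolean bad = isVulnerableVersion(major, minor, patch);
                vulnerable |= bad;
                System.out.printf("%s -> %s%n", name,
                    bad ? "VULNERABLE version range (CVE-2022-22965)" : "fixed version");
            }
        }
        if (!found) {
            System.out.println("No Spring Framework jars found under WEB-INF/lib "
                + "(shaded, renamed or embedded jars are not detected; check the build manually).");
        }
        // Exit code 1 makes the check usable from a CI or fleet-inventory script.
        System.exit(vulnerable ? 1 : 0);
    }
}
```

Run it with `java SpringWarCheck app.war` on JDK 11 or newer (single-file launch). A "fixed version" result from this check is only half the answer; an application that the check calls vulnerable but that runs as an executable JAR on Tomcat 9.0.62+ is not exposed to the published exploit, although, per Spring's own statement, it should still be upgraded.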

Is there a mitigation patch or update?

According to the Spring website, fixed releases are available: Spring Framework 5.3.18 and 5.2.20 or later (Spring Boot 2.6.6 and 2.5.12 pick these up). Because not every application can be upgraded immediately, the Spring team also published workarounds: upgrading Apache Tomcat to 10.0.20, 9.0.62 or 8.5.78 (which close the specific attack path the published exploit uses), downgrading to Java 8, or registering a @ControllerAdvice that sets disallowed fields on every WebDataBinder so that the class.* and Class.* property paths the exploit abuses can no longer be bound from request parameters. The Tomcat and Java workarounds only block the known exploit path; upgrading Spring Framework is the actual fix.

Think you’ve been exposed?

If you think you may be affected by this CVE, run a scan as soon as possible to confirm. Red Sentry's exploit engine can run a proof of concept against your application to confirm your vulnerability status. Reach out today for a free Spring4Shell scan.

Andres Pena
Security engineer, developer and economist
