Published: 09:00 CET 19/04/2022
Latest update: 09:00 CET 19/04/2022
The Spring Framework is a popular Java application framework that is commonly deployed in a servlet container such as Apache Tomcat. It provides a comprehensive programming and configuration model for modern Java-based enterprise applications on any deployment platform.
Spring4Shell is a zero-day vulnerability in the Spring Framework which, under specific conditions, allows an attacker to achieve remote code execution (RCE). The vulnerability is tracked as CVE-2022-22965 and is rated "critical", with a CVSS score of 9.8/10.
The flaw is in Spring MVC and Spring WebFlux data binding: on JDK 9+, request parameters can be bound to properties of the class loader and the servlet container, which the public exploit abuses to write a malicious JSP into Tomcat's web root. The known exploit requires the application to run on Tomcat as a WAR deployment. An application packaged as a Spring Boot executable jar (the default) is not exploitable via that vector, but the underlying weakness is more general, and other exploitation paths may exist.
The following are requirements for the known exploit (all must be met):
- JDK 9 or higher
- Apache Tomcat as the servlet container
- The application is packaged and deployed as a traditional WAR (not an executable jar)
- A dependency on spring-webmvc or spring-webflux
- Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older unsupported versions
Users of affected versions should upgrade to Spring Framework 5.3.18 or later, and users of the 5.2.x line should upgrade to 5.2.20 or later (Spring Boot users get the fixed framework via Spring Boot 2.6.6 and 2.5.12). Beyond upgrading, no further action is required.
We have analyzed all TECHNIA Software offerings and, according to presently available information, we do not believe our products are vulnerable to Spring4Shell exploitation. We will, however, continue to actively monitor and analyze the situation as new information becomes available.
Should you have any specific inquiries about this topic, please contact us at [email protected] | Updates will be posted to this page as additional information becomes available.
Dassault Systèmes has released a statement to vendors regarding the Spring4shell Security Exposure.
Atlassian has released a statement regarding the Spring4Shell Security Exposure:
“CVE-2022-22963 is a vulnerability in the Spring Cloud Function package and is unrelated to the subsequently published CVE-2022-22965. Atlassian cloud instances and on-premises products are not vulnerable to any known exploit for CVE-2022-22963.”
Spring has released a statement with information on mitigations and links to updated versions of the affected components.
For more information, and to stay up to date on this issue, please refer to our security partners, Truesec.