Spring4Shell – A Critical Remote Code Execution Vulnerability Found in Spring Framework

1 April 2022 [NO.TCSA : 20220401-1-1-P]

PUBLISHED:
1 April 2022

A Critical Remote Code Execution Vulnerability Found in Spring Framework

Security researchers have found a critical security flaw in the popular Java Spring Framework that can lead to remote code execution. The vulnerability has been assigned CVE-2022-22965 and carries a CVSSv3 base score of 9.8 (Critical). It lies in the request parameter data binding of Spring MVC and Spring WebFlux: on JDK 9 and later, a crafted request can reach the ClassLoader of the bound object through the class.module.classLoader property path, and the currently available public exploits use this to reconfigure Tomcat's access logging so that a web shell is written into the application's web root. Exploitation with those public exploits therefore requires the application to run in a specific setup.

Prerequisites for the exploit:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

Applications are not vulnerable to the public exploit if they are deployed as a Spring Boot executable jar, which is the default. However, the nature of the vulnerability is more general and there may be other ways to exploit it: the prerequisites above describe what the current public exploit needs, not the full set of vulnerable configurations, so affected Spring Framework versions should be upgraded regardless of deployment style.

Affected Versions

Spring Framework

  • 5.3.0 to 5.3.17
  • 5.2.0 to 5.2.19
  • Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade: 5.3.x users to 5.3.18 or later, and 5.2.x users to 5.2.20 or later. Spring Boot 2.6.6 and 2.5.12 ship these fixed Spring Framework versions. Where an immediate upgrade is not possible, the following workarounds are available: upgrade Apache Tomcat to 10.0.20, 9.0.62 or 8.5.78, which closes the attack vector used by the public exploit; downgrade to Java 8, which removes the class.module.classLoader property path; or register a global @ControllerAdvice that adds "class.*", "Class.*", "*.class.*" and "*.Class.*" to the disallowed fields of every WebDataBinder. The Tomcat and Java 8 options only block the known exploit path and should be treated as temporary; upgrading Spring Framework is the full fix.
