Spring4Shell – A Critical Remote Execution Found Spring Framework

1 April 2022 [NO.TCSA : 20220401-1-1-P]

PUBLISHED:
1 April 2022

A Critical Remote Execution Found Spring Framework

Security researchers have found a critical security flaw that can lead to remote code execution in the popular Java Spring Framework. The vulnerability was assigned with CVE-2022-22965 with CVSSv3 base score of 9.8 which indicates severity is critical. However, applications are required to be in a special setup for exploitation of Sping4Shell with current available public exploits.

Prerequisites for the exploit:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

The applications are not vulnerable to the exploit if they are deployed as a Spring Boot executable jar, which is the default. However, the vulnerability is more widespread, and there may be further ways to exploit it.

Affected Versions

Spring Framework

  • 5.3.0 to 5.3.17
  • 5.2.0 to 5.2.19
  • Older, unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+. There are other mitigation options available that can find More Information section of the alert.

More Information

13 July 2023 [NO.TCSA : 20230713-1-1-P]

Fortinet Patches Critical Remote Code Execution Vulnerability in FortiOS/FortiProxy

READ MORE READ MORE
23 June 2023 [NO.TCSA : 20230623-1-1-P]

WSO2 Releases Patches for Vulnerabilities in API Manager, Identity Server, and Other Products

READ MORE READ MORE
12 June 2023 [NO.TCSA : 20230612-1-1-P]

Fortinet Releases Urgent Patches for Critical Pre-Authentication RCE Vulnerability in Fortigate SSL-VPN Devices

READ MORE READ MORE
Read More BACK TO THREAT BULLETIN