Spring4Shell – A Critical Remote Code Execution Flaw Found in Spring Framework

1 April 2022 [NO.TCSA : 20220401-1-1-P]

PUBLISHED: 1 April 2022

A Critical Remote Code Execution Flaw Found in Spring Framework

Security researchers have found a critical security flaw in the popular Java Spring Framework that can lead to remote code execution. The vulnerability has been assigned CVE-2022-22965 with a CVSSv3 base score of 9.8, which indicates critical severity. However, the currently available public exploits for Spring4Shell only work against applications deployed in a specific configuration.

Prerequisites for the exploit:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

Applications deployed as a Spring Boot executable jar, which is the default, are not vulnerable to the current exploit. However, the underlying vulnerability is more general, and there may be other ways to exploit it.

Affected Versions

Spring Framework

  • 5.3.0 to 5.3.17
  • 5.2.0 to 5.2.19
  • Older, unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.18+, and 5.2.x users should upgrade to 5.2.20+. Other mitigation options are listed in the More Information section of this alert.
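The version ranges and exploit prerequisites above can be turned into a triage check that a defender runs against a deployment inventory. The following Python script is an added example written for this alert; it is not code from the advisory or from the Spring project. It encodes the affected ranges (5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older lines) and the four exploit prerequisites, and scores a constructed sample inventory of a WAR's WEB-INF/lib directory. The jar-name pattern, the sample file names and the inventory fields (Java version string, packaging, servlet container) are assumptions made for the example; versions at or above the fixed releases named in the advisory are treated as patched.

```python
"""Spring4Shell (CVE-2022-22965) exposure triage for a deployed Spring application.

Added example, not part of the advisory. It separates two questions a defender
has to answer: (1) is the Spring Framework version inside the affected ranges,
which drives patching, and (2) are the prerequisites of the public exploit
(JDK 9+, Tomcat, WAR packaging, spring-webmvc/spring-webflux) also present,
which drives urgency.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed releases named in the advisory: 5.3.18+ and 5.2.20+.
FIXED_RELEASES = {(5, 3): 18, (5, 2): 20}

# Assumed jar naming convention, e.g. spring-core-5.3.17.jar or spring-webmvc-5.2.19.RELEASE.jar.
_JAR_RE = re.compile(r"^(spring-(?:core|webmvc|webflux))-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a Spring version string, or None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_affected_version(version: str) -> bool:
    """True if the Spring Framework version falls inside the advisory's affected ranges.

    Affected: 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and every older release.
    Anything at or above a fixed release (5.3.18 / 5.2.20) is treated as patched.
    """
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable Spring version: {version!r}")
    major, minor, patch = v
    if (major, minor) in FIXED_RELEASES:
        return patch < FIXED_RELEASES[(major, minor)]
    return (major, minor) < (5, 2)  # older, unsupported lines are also affected


def upgrade_target(version: str) -> str:
    """Fixed release line the advisory points affected users to (5.2.x -> 5.2.20+, else 5.3.18+)."""
    major, minor, _ = parse_version(version)
    return "5.2.20+" if (major, minor) == (5, 2) else "5.3.18+"


def jdk_major(java_version: str) -> int:
    """Map a java.version string to its major release: '1.8.0_312' -> 8, '11.0.14' -> 11, '17' -> 17."""
    m = re.match(r"^(?:1\.)?(\d+)", java_version)
    if m is None:
        raise ValueError(f"unparseable Java version: {java_version!r}")
    return int(m.group(1))


def assess(java_version: str, packaging: str, servlet_container: str,
           jar_names: Iterable[str]) -> Dict[str, object]:
    """Combine a deployment inventory into a verdict.

    'vulnerable_version' is what should drive patching; 'exploit_prerequisites_met'
    says whether the publicly known exploit path also applies to this deployment.
    """
    versions: Dict[str, str] = {}
    for name in jar_names:
        m = _JAR_RE.match(name.rsplit("/", 1)[-1])  # strip any directory prefix
        if m:
            versions[m.group(1)] = f"{m.group(2)}.{m.group(3)}.{m.group(4)}"
    spring_version = versions.get("spring-core")
    vulnerable = spring_version is not None and is_affected_version(spring_version)
    prereqs = {
        "jdk9_or_higher": jdk_major(java_version) >= 9,
        "tomcat": servlet_container.lower() == "tomcat",
        "war_packaging": packaging.lower() == "war",
        "spring_mvc_or_webflux": bool({"spring-webmvc", "spring-webflux"} & set(versions)),
    }
    return {
        "spring_version": spring_version,
        "vulnerable_version": vulnerable,
        "prerequisites": prereqs,
        "exploit_prerequisites_met": vulnerable and all(prereqs.values()),
        "recommended_upgrade": upgrade_target(spring_version) if vulnerable else None,
    }


# Constructed inventory of a WAR deployment for the example (not from a real system).
SAMPLE_WAR_LIBS = [
    "WEB-INF/lib/spring-core-5.3.17.jar",
    "WEB-INF/lib/spring-webmvc-5.3.17.jar",
    "WEB-INF/lib/jackson-databind-2.13.2.jar",
]

if __name__ == "__main__":
    report = assess("11.0.14", "war", "tomcat", SAMPLE_WAR_LIBS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A deployment that is on an affected version but misses one prerequisite (for example, still on JDK 8) is reported as vulnerable with `exploit_prerequisites_met` false: it still needs the upgrade, because the advisory notes that other exploitation paths may exist, but it is not exposed to the current public exploit.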

More Information
