Spring released emergency updates to fix the ‘Spring4Shell’ zero-day remote code execution vulnerability, which leaked prematurely online before a patch was released.
Yesterday, an exploit for a zero-day remote code execution vulnerability in the Spring Framework dubbed ‘Spring4Shell’ was briefly published on GitHub and then removed.
However, as nothing stays hidden on the Internet, the code was quickly shared in other repositories and tested by security researchers, who confirmed it was a legitimate exploit for a new vulnerability.
Today, Spring has released a security advisory explaining that the vulnerability is now tracked as CVE-2022-22965 and impacts Spring MVC and Spring WebFlux applications on JDK 9.
The exploitation of the vulnerability also requires Apache Tomcat, an application packaged as a WAR, and the
“The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment,” reads the Spring advisory.
“If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.”
Spring says that the vulnerability was responsibly disclosed to them on Tuesday by codeplutos and meizjm3i of AntGroup FG, and that they had been developing and testing a fix that was expected to be released today.
However, after a security researcher published the full details online on Wednesday, they pushed the release of the patch forward ahead of the planned release.
The Spring versions that fix the new vulnerability are listed below, with all except Spring Boot available on Maven Central:
- Spring Framework 5.3.18 and Spring Framework 5.2.20
- Spring Boot 2.5.12
- Spring Boot 2.6.6 (not available yet)
Spring Boot 2.6.6 should be released within the next few hours.
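As an added triage helper (not code from the article or from Spring), the script below checks the Spring Framework and Spring Boot versions declared in a Maven pom.xml against the fixed releases listed above, treating branches without a listed fix as unpatched, and notes whether the project uses the WAR packaging named in the advisory; the sample pom is constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# First fixed release of each supported branch, as listed in the Spring advisory.
FIXED = {
    "org.springframework": {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)},
    "org.springframework.boot": {(2, 5): (2, 5, 12), (2, 6): (2, 6, 6)},
}

def parse_version(text):
    """'5.3.17' -> (5, 3, 17); qualifiers such as -SNAPSHOT or .RELEASE are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_fixed(group, version):
    """True only at or above the fixed release of the version's own branch; branches with no listed fix count as unpatched."""
    v = parse_version(version)
    fixed = FIXED.get(group, {}).get(v[:2])
    return fixed is not None and v >= fixed

def triage_pom(pom_xml):
    """Report Spring artifacts below the fixed versions plus the WAR packaging precondition."""
    root = ET.fromstring(pom_xml)
    packaging = (root.findtext("m:packaging", default="jar", namespaces=NS) or "jar").strip()
    findings = {"war_packaging": packaging == "war", "outdated": [], "unresolved": []}
    # Spring Boot projects usually inherit their Boot version from the parent POM.
    parent = root.find("m:parent", NS)
    for node in ([parent] if parent is not None else []) + root.findall(".//m:dependency", NS):
        group = node.findtext("m:groupId", default="", namespaces=NS)
        if group not in FIXED:
            continue
        artifact = node.findtext("m:artifactId", default="?", namespaces=NS)
        version = node.findtext("m:version", default="", namespaces=NS)
        if not re.search(r"\d", version):          # e.g. ${spring.version} or a managed version
            findings["unresolved"].append(artifact)  # must be resolved before it can be judged
        elif not is_fixed(group, version):
            findings["outdated"].append((artifact, version))
    return findings

# Constructed sample, not a real project: WAR packaging on Boot 2.6.5 with spring-webmvc 5.3.17.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><packaging>war</packaging>
  <parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>2.6.5</version></parent>
  <dependencies>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc</artifactId><version>5.3.17</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-webflux</artifactId><version>${spring.version}</version></dependency>
  </dependencies></project>"""
```

Versions given as Maven properties or inherited from a BOM are reported as unresolved rather than guessed, so resolve them (for example with `mvn dependency:tree`) before deciding a project is patched.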
While the vulnerability has specific requirements to be exploited, Will Dormann, a vulnerability analyst at CERT/CC, found that even sample code from spring.io was vulnerable.
As developers commonly use sample code as a template for their own apps, there could be many vulnerable apps accessible online.
Spring admins should prioritize deploying these security updates as soon as possible, as Spring4Shell scanners have already been created, and there are reports of the vulnerability already being actively exploited in the wild.