URL: https://www.darkreading.com/vulnerabilities-threats/spring-fixes-zero-day-vulnerability-in-framework-spring-boot
Vulnerabilities/Threats

SPRING FIXES ZERO-DAY VULNERABILITY IN FRAMEWORK AND SPRING BOOT

The exploit requires a specific nonstandard configuration to work, limiting the
danger it poses, but future research could turn up more broadly usable attacks.
Robert Lemos
Contributing Writer
March 31, 2022


The Spring development team today acknowledged the newly reported vulnerability
known as SpringShell, or Spring4Shell, and released new versions of the Spring
Framework and Spring Boot that fix the root cause of the issue in the popular
Java frameworks.

The vulnerability — issued the Common Vulnerabilities and Exposures (CVE)
identifier CVE-2022-22965 — affects applications that use Spring MVC, a
framework implementing the model-view-controller architecture for Web
applications, and Spring WebFlux, if they run on version 9.0 or higher of the
Java Development Kit, according to an advisory the Spring developers issued.

The current exploit for the issue, however, is somewhat limited, as it requires
that the application is deployed as a specific type of file — a Web Archive
(WAR) file — on Apache Tomcat, rather than the standard deployment method of a
Spring Boot executable in the Java Archive (JAR) format.
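The preconditions above (Spring MVC or WebFlux, packaged as a WAR on Tomcat, running on JDK 9 or later) give defenders a concrete triage check. The following is an added example, not code from the article or the Spring project: it inspects a Tomcat `webapps` directory for WAR files that bundle Spring MVC or WebFlux and ranks them against the JDK in use. The function names, the sample WARs and the `SAMPLE` version label are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

def jdk_major(version_string):
    """Major JDK version: '17.0.2' -> 17, '9.0.4' -> 9, legacy '1.8.0_312' -> 8."""
    m = re.match(r"(\d+)(?:\.(\d+))?", version_string.strip())
    if not m:
        raise ValueError(f"unrecognised JDK version: {version_string!r}")
    major = int(m.group(1))
    return int(m.group(2)) if major == 1 and m.group(2) else major

# Spring MVC and WebFlux ship in these artifacts; a copy under WEB-INF/lib is the
# "uses Spring MVC or WebFlux" precondition described in the advisory.
SPRING_WEB_JAR = re.compile(r"WEB-INF/lib/(spring-webmvc|spring-webflux)-([\w.\-]+)\.jar$")

def spring_web_jars(war_path):
    """Return [(artifact, version)] for Spring MVC / WebFlux jars bundled in a WAR."""
    with zipfile.ZipFile(war_path) as war:
        hits = [SPRING_WEB_JAR.search(n) for n in war.namelist()]
    return [(m.group(1), m.group(2)) for m in hits if m]

def triage(webapps_dir, jdk_version_string):
    """Rank WARs in a Tomcat webapps directory by match to the known-exploitable setup.

    A WAR bundling Spring MVC/WebFlux on JDK 9+ matches every stated precondition
    and is 'urgent'; on an older JDK the advice is still to patch.
    """
    jdk = jdk_major(jdk_version_string)
    findings = []
    for war in sorted(Path(webapps_dir).glob("*.war")):
        jars = spring_web_jars(war)
        if jars:
            findings.append({"war": war.name, "spring_web_jars": jars,
                             "priority": "urgent" if jdk >= 9 else "patch-anyway"})
    return findings

def build_sample_webapps():
    """Constructed sample (hypothetical): two WARs in a temp dir, one bundling Spring MVC."""
    d = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(d / "inventory.war", "w") as w:
        w.writestr("WEB-INF/web.xml", "<web-app/>")
        w.writestr("WEB-INF/lib/spring-webmvc-SAMPLE.jar", b"")  # version label is a placeholder
    with zipfile.ZipFile(d / "static.war", "w") as w:
        w.writestr("index.html", "<html/>")
    return str(d)

if __name__ == "__main__":
    print(triage(build_sample_webapps(), "11.0.14"))
```

Exploded deployments and executable Spring Boot JARs are out of scope for this check, which is why a clean result is a prioritisation aid rather than proof that an application is unaffected.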

However, as more security researchers examine the code and search for additional
paths through which to exploit the vulnerability, that could change, Spring
committer Rossen Stoyanchev warned in the advisory.

"The nature of the vulnerability is more general, and there may be other ways to
exploit it," he said.

Time to Patch Spring Apps
Companies should prioritize patching all of their Spring Framework- and Spring
Boot-based applications, even if they do not run the specific, known-vulnerable
configurations, security experts say. Development teams often do not know their
full software bill-of-materials (SBOM), which could leave them unaware of
potentially vulnerable configurations.

In addition, these sorts of vulnerabilities tend to "mutate over time as
researchers look for other avenues of exploitation," says Ilkka Turunen, field
CTO at software management and security firm Sonatype.

"What is very typical in a situation like this — just look back three months at
Log4j — there is a ton of attention being cast on the issue, both good and bad,
researchers thinking about the exploitable classes," he says. "However, that
quickly evolves. In Log4j we found four other CVEs come out related to the
original issue, and we expect that to happen here."

The Spring developers first learned of the vulnerability on Tuesday, March 29,
but the details of the issues leaked out before the development team had
finished the patch and disclosure, Spring's Stoyanchev stated in the Spring
advisory.

"On Wednesday we worked through investigation, analysis, identifying a fix,
testing, while aiming for emergency releases on Thursday," he said. "In the mean
time, also on Wednesday, details were leaked in full detail online, which is why
we are providing this update ahead of the releases and the CVE report."

Figuring out whether a company's Spring-based applications are vulnerable will
be difficult for most companies, as this is "a particularly tricky
vulnerability," Edward Wu, senior principal data scientist for ExtraHop, a cloud
cybersecurity firm, said in a statement sent to Dark Reading.

"Most teams have hundreds of vendor-provided software in their environments that
may or may not be running Spring Core," he says. "They often don’t have access
to the source code and will struggle to determine if they’re vulnerable. It will
be important for organizations to be able to query their environment but also
track activity within their network as a single source of truth."

Not the Next Log4j
Overall, however, the vulnerability in Spring falls short of the Log4Shell
exploit for the critical vulnerability in Log4j, even though some companies have
placed the two issues on the same level, Dan Murphy, distinguished architect at
application security provider Invicti, said in a statement.

Spring4Shell, as some companies have named the vulnerability, relies on a
configuration that is not the default for modern Spring applications, he said.
If a company runs their Spring Boot apps as a standalone application, then they
are likely not vulnerable.

"While the Spring4Shell vulnerability is serious and absolutely needs patching,
our initial findings indicate it won't be the next Log4Shell incident," Murphy
said. "That said, organizations should still follow standard best practices and
make a plan to patch. The underlying issue is still present and could
potentially be exploited in as-yet-undiscovered ways."

On Wednesday, several security researchers had confused the new exploit with
information circulating around a second vulnerability that had been disclosed
the prior day. The vulnerability, CVE-2022-22963, affects the Spring Cloud
Function library, but also had been assigned the wrong severity. The Spring
development team upgraded that vulnerability's severity to "Critical" on March
31.

Copyright © 2022 Informa PLC Informa UK Limited is a company registered in
England and Wales with company number 1072954 whose registered office is 5
Howick Place, London, SW1P 1WG.