Don’t ignore Spring4Shell. But there’s still no sign that it’s spread

Patches are now available for the Spring4Shell vulnerability, and security teams continue to assess the possibility of the remote code execution (RCE) flaw affecting applications. But at the time of this writing, there is still little evidence of a widespread risk from the recently disclosed Spring Core vulnerability.

Organizations are encouraged to assess the situation on their own to determine their level of risk exposure, according to security professionals including Chris Partridge, who compiled details about the Spring4Shell vulnerability on GitHub.

However, “so far no one has found evidence that this is widespread,” Partridge said on the GitHub page. “This is a serious vulnerability, of course, but it only affects non-default Spring Core usage with no proven widespread viability. It’s definitely not log4shell-like.”

In a message to VentureBeat, Partridge said, “It’s great that Spring is taking this fix seriously. Hopefully no workaround is found.”

Spring is a popular framework used in the development of Java web applications.

Fixes available

On Thursday, Spring published a blog post with details on fixes, operating requirements, and suggested workarounds for Spring4Shell. The RCE vulnerability, which is tracked as CVE-2022-22965, affects JDK 9 or higher and has several additional requirements that must be met for it to be exploited, Spring’s blog states.

Among other things, the blog post confirms that the Spring4Shell vulnerability is not Log4Shell 2.0, said Ian McShane, vice president of strategy at Arctic Wolf.

“It’s an RCE, so it’s a priority risk. But the fact that it requires a non-default implementation should limit the scope, especially compared to Log4Shell,” McShane said in an email.

Apache Log4j logging software – which was affected by the Log4Shell vulnerability disclosed in December – was embedded in countless applications and services and was vulnerable by default, he noted.

Spring4Shell, on the other hand, “does not appear to be a comparable risk. But that doesn’t mean organizations can ignore it,” McShane said. “As with all application vulnerabilities, especially those that are Internet-facing by design, you need to know if you’re at risk before you ignore it.”

Despite the similar name to Log4Shell, it’s now clear that Spring4Shell is “definitely not as big,” said Satnam Narang, research engineer at Tenable.

“That said, we’re still in the early stages of determining which apps might be vulnerable, and we’re building on what is known,” Narang said in an email. “There are still question marks if there are other ways to exploit this flaw.”

A clearer picture

If anything, Spring’s blog post only narrows the range of vulnerable instances, said Mike Parkin, senior technical engineer at Vulcan Cyber.

And by clarifying exploitable conditions, the update gives the security community a more accurate picture of potential risks, Parkin said.

“However, attackers can find creative ways to exploit this vulnerability beyond the identified target range,” he said in an email. At this time, however, there are no reports of the vulnerability being exploited in the wild, Parkin noted.

John Bambenek, principal threat hunter at Netenrich, agreed that the vulnerability appears to affect fewer machines than Log4Shell.

Spring4Shell may apply to some specific environments, “but the most dangerous cases, embedded or vendor-provided machines, are less likely to see this vulnerability,” Bambenek said.

More info still needed

In an update to its blog post on the RCE vulnerability, Flashpoint and its Risk Based Security unit said that because Spring Core is a library, “the exploitation methodology will likely change from user to user.”

“More information is needed to assess the number of devices running on the necessary configurations,” the updated Flashpoint blog post states.

Sophos threat analyst Colin Cowie and vulnerability analyst Will Dormann separately confirmed on Wednesday that they were able to get an exploit for the Spring4Shell vulnerability working against sample code provided by Spring.

“If the sample code is vulnerable, then I suspect that there are indeed real-world applications that are vulnerable to RCE,” Dormann said in a tweet.

Still, at the time of this writing, it’s unclear which specific apps might be vulnerable.

The bottom line is that Spring4Shell is “definitely concerning – but seems to be a bit harder to run successfully than Log4j,” Casey Ellis, founder and CTO of Bugcrowd, said in an email.

Either way, given the high volume of research and discussion around Spring4Shell, defenders would be well advised to mitigate — and/or patch — as soon as possible, Ellis said.

It’s also likely that new flavors of this vulnerability could emerge in the near future, said Yaniv Balmas, vice president of research at Salt Security. “These could impact other web servers and platforms and expand the scope and potential impact of this vulnerability,” Balmas said in an email.
