Exploit code published for the zero-day vulnerability in the Spring Framework for Java applications: a new Log4Shell-like flaw

Cybersecurity specialists reported a new critical zero-day vulnerability in the Spring Core Java framework. Successful exploitation would allow remote code execution (RCE) in affected applications. Spring is a framework that lets software developers quickly build Java applications with enterprise-grade features. These applications can be deployed to application servers or shipped as self-contained packages that bundle all required dependencies.

A Spring Cloud Function vulnerability tracked as CVE-2022-22963 was identified on Tuesday, with additional reports circulating online since then. Now known as Spring4Shell, the vulnerability only affects Spring applications running on Java 9 and above and is caused by insecure deserialization of passed arguments.

A zero-day exploit was briefly leaked on Wednesday morning, but the window was long enough for cybersecurity specialists to download the PoC code. The leak allowed them to confirm that the vulnerability exists, is exploitable and represents a severe security risk.

Researchers from the cybersecurity firm Praetorian also confirmed the existence of the vulnerability, although they note that successful exploitation depends on specific pre-existing configurations: “The attack requires an endpoint with DataBinder enabled; in addition, it depends largely on the servlet container for the application,” the company’s blog says.

Experts also note that Spring is commonly used with Apache Tomcat, which means there is great potential for widespread exploitation. To make matters worse, multiple reports indicate that cases of active exploitation have already been detected.

Praetorian describes a way to mitigate exploitation of Spring4Shell by restricting Spring Core's DataBinder functionality with pattern-specific field blocking. As no fix for the vulnerability was available at the time of writing, administrators running Spring applications are strongly advised to implement these mitigations as soon as possible.
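The article does not reproduce Praetorian's configuration. The following is an added Java example, not code from the article or from Praetorian, of what pattern-specific DataBinder blocking looks like in a Spring MVC application; the class name is invented and the field patterns are an assumption taken from Spring's own published guidance for this flaw.

```java
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// A @ControllerAdvice applies its @InitBinder method to every controller in the
// application, so each WebDataBinder is hardened before request parameters are bound.
@ControllerAdvice
public class BinderHardeningAdvice {

    // Patterns are an assumption based on Spring's published guidance, not the article.
    // They refuse to bind any request parameter whose path goes through the "class"
    // property (at the top level or nested), which is the binding path this attack uses.
    private static final String[] DISALLOWED_FIELDS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void restrictBinding(WebDataBinder binder) {
        // setDisallowedFields replaces, rather than merges, any existing deny list,
        // so it is applied here once for the whole application.
        binder.setDisallowedFields(DISALLOWED_FIELDS);
    }
}
```

If a controller already declares its own @InitBinder that calls setDisallowedFields, that local call overrides this one for that controller, so the patterns must be merged there as well. This is a workaround for the binding path only and does not replace deploying a fixed framework version once one is available.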

Given the characteristics of the attack, cybersecurity specialists recall the risk seen at the end of 2021, when servers running Log4j were massively exploited after the discovery of the vulnerability known as Log4Shell. That vulnerability allowed hacking groups to install malware and deploy ransomware against affected deployments.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.