Unpatched Java Spring Framework 0-Day RCE Bug Threatens Enterprise Web Application Security

A zero-day remote code execution (RCE) vulnerability was discovered in the Spring framework shortly after a Chinese security researcher briefly disclosed a proof-of-concept (PoC) exploit on GitHub before deleting their account.

According to cybersecurity firm Praetorian, the unpatched flaw affects Spring Core on Java Development Kit (JDK) versions 9 and later and bypasses the fix for an older vulnerability, CVE-2010-1622, allowing an unauthenticated attacker to execute arbitrary code on the target system.

Spring is a software framework for building Java applications, including web applications on the Java EE (Enterprise Edition) platform.

“In some configurations, exploiting this issue is straightforward, as an attacker only needs to send a specially crafted HTTP request to a vulnerable system,” said researchers Anthony Weems and Dallas Kaman. “However, exploiting different configurations will require the attacker to do additional research to find payloads that will be effective.”

Additional details of the flaw, dubbed “SpringShell” and “Spring4Shell”, have been withheld to prevent exploit attempts until a patch is put in place by the framework's maintainer, Spring.io, a VMware subsidiary. It has also not yet received a CVE (Common Vulnerabilities and Exposures) identifier.

It should be noted that the flaw targeted by the zero-day exploit is different from the two vulnerabilities disclosed in Spring projects earlier this week, the Spring Framework Expression DoS Vulnerability (CVE-2022-22950) and the Spring Cloud Expression Resource Access Vulnerability (CVE-2022-22963).

In the meantime, Praetorian researchers recommend “creating a ControllerAdvice component (which is a Spring component shared between controllers) and adding unsafe models to the deny list”.
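The mitigation quoted above, written out as an added example (this is not the article's or Praetorian's own code): a ControllerAdvice component registers an InitBinder that adds the class-loader-related field patterns to the DataBinder's disallowed list, so that they are refused on every controller's data binding rather than on a single endpoint. The pattern list is the one Spring itself recommended for this issue; the class and package names are assumed.

```java
package com.example.mitigation; // hypothetical package name

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applied globally: @ControllerAdvice runs this InitBinder for every
// @Controller / @RestController in the application, so each WebDataBinder
// created for request-parameter binding gets the same denylist.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // run after any controller-local @InitBinder
public class BinderControllerAdvice {

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Refuse any request parameter whose property path reaches the
        // bound object's Class object (e.g. via getClass()), directly or
        // through a nested property. Binding to such paths is the vector
        // the article describes; disallowing them blocks it at the binder.
        String[] denylist = new String[] {
            "class.*", "Class.*", "*.class.*", "*.Class.*"
        };
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Disallowed fields are matched case-sensitively by the binder, which is why both the lowercase and capitalised forms of each pattern are listed.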

Initial analysis of the new code execution flaw in Spring Core suggests that its impact may not be severe. “[C]urrent information suggests that to exploit the vulnerability, attackers will need to locate and identify instances of web applications that are actually using DeserializationUtils, which developers already know to be dangerous,” Flashpoint said in an independent analysis.


Despite the public availability of PoC exploits, “it is currently unclear which real-world applications are using the vulnerable functionality,” Rapid7 explained. “JRE configuration and version can also be important factors in exploitability and likelihood of widespread exploitation.”

The Retail and Hospitality Information Sharing and Analysis Center (ISAC) also released a statement indicating that it has investigated and confirmed the “validity” of the PoC for the RCE flaw, adding that it is “continuing testing to confirm the validity of the PoC”.

“The Spring4Shell in-the-wild exploit appears to work against spring.io’s ‘Handling Form Submission’ stock sample code,” CERT/CC vulnerability analyst Will Dormann noted in a tweet. “If the example code is vulnerable, then I suspect that there are indeed real-world applications that are vulnerable to RCE.”
