A vulnerability in the popular Spring framework for developing web applications in Java potentially puts many web applications at risk of remote cyber attacks.
The vulnerability, dubbed Spring4Shell and SpringShell, has caused a huge stir among information security experts over the past 24 hours. In particular, security researchers have been trying to figure out whether the problem is new, or stems from an older vulnerability.
According to experts from Praetorian and Flashpoint, the vulnerability is new, and it can be exploited remotely if the Spring application is deployed on an Apache Tomcat server with a common configuration. To exploit the vulnerability, an attacker first needs to locate and identify installations of a web application that uses DeserializationUtils. The vulnerability does not affect Spring applications that use Spring Boot with embedded Tomcat.
For Spring4Shell (no CVE identifier has been assigned to it yet), a broad update will probably be required to guarantee the safety of installations, explained Praetorian senior technical director Richard Ford.
According to Ford, exploiting the vulnerability is very simple, and users will need to install the updates that Spring is already working on as soon as they are available. According to Flashpoint experts, the vulnerability is not yet being discussed in the cybercrime community.
Information security experts first learned about the vulnerability when a Chinese researcher posted a tweet with a screenshot of the PoC attack. However, the tweet was soon deleted, apparently because in China, publishing information about vulnerabilities without government permission is a crime. On VX-Underground, information about Spring4Shell appeared in the middle of the day on March 30.
Working from the screenshots, information security experts were able to reverse engineer the exploit and reproduce the attack in just a few hours.