A zero-day remote code execution (RCE) vulnerability has come to light in the Spring framework shortly after a Chinese security researcher briefly leaked a proof-of-concept (PoC) exploit on GitHub before deleting their account.
According to cybersecurity firm Praetorian, the unpatched flaw impacts Spring Core on Java Development Kit (JDK) versions 9 and later and is a bypass for another vulnerability tracked as CVE-2010-1622, enabling an unauthenticated attacker to execute arbitrary code on the target system.
Spring is a software framework for building Java applications, including web apps on top of the Java EE (Enterprise Edition) platform.
According to researchers Anthony Weems and Dallas Kaman, “exploitation of this issue is trivial in some configurations, as it only takes an attacker to send a forged HTTP request to a vulnerable system. However, exploitation of various setups will necessitate more research by the attacker in order to develop payloads that will be effective.”
Until a fix is in place from the framework’s maintainers, Spring.io, a subsidiary of VMware, further specifics of the issue, codenamed “SpringShell” and “Spring4Shell,” are being withheld to limit exploitation attempts. It has yet to receive a CVE (Common Vulnerabilities and Exposures) identifier.
It’s worth noting that the flaw targeted by the zero-day exploit is different from two previous vulnerabilities disclosed in the application framework this week, including the Spring Framework expression DoS vulnerability (CVE-2022-22950) and the Spring Cloud expression resource access vulnerability (CVE-2022-22963).
In the interim, the company is recommending “creating a ControllerAdvice component (which is a Spring component shared across Controllers) and adding dangerous patterns to the denylist.”
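The interim mitigation described above, written out as an added example (this is not code from the article or from the Spring maintainers): a `@ControllerAdvice` whose `@InitBinder` method registers disallowed field patterns on every `WebDataBinder`, so request parameters can no longer bind into the `class` property path of a form-backing object. The package and class names are hypothetical, and the four patterns are my assumption of what the article's “dangerous patterns” refers to.

```java
package example.mitigation; // hypothetical package name

import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global data-binding hardening. Because @ControllerAdvice is shared across
 * controllers, the @InitBinder method below runs for every @Controller in the
 * application before the controller's own @InitBinder methods (if any).
 */
@ControllerAdvice
public class BinderHardeningAdvice {

    // Property paths that request-parameter binding must never reach.
    // Binding into "class" walks from the form object to its Class and on to
    // its ClassLoader, which is the path the reported exploit relies on.
    // The patterns cover the property at the top level and nested anywhere,
    // in both spellings that bean introspection accepts (assumed patterns).
    private static final String[] DENIED_FIELDS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void denyDangerousFields(WebDataBinder binder) {
        // setDisallowedFields replaces the binder's current list rather than
        // merging with it. A controller whose own @InitBinder also calls
        // setDisallowedFields will therefore override this global list and
        // must include these patterns itself.
        binder.setDisallowedFields(DENIED_FIELDS);
    }
}
```

Disallowed fields are recorded as suppressed on the binding result, so the rejected parameter names can be logged from `BindingResult.getSuppressedFields()` to spot probing requests.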
Initial analysis of the new code execution flaw in Spring Core suggests that its impact may not be severe. “[C]urrent information suggests in order to exploit the vulnerability, attackers will have to locate and identify web app instances that actually use the DeserializationUtils, something already known by developers to be dangerous,” Flashpoint said in an independent analysis.
“It’s presently unclear which real-world applications employ the vulnerable functionality,” Rapid7 noted, despite the public availability of proof-of-concept exploits. “Exploitability and the possibility of broad exploitation may also be influenced by configuration and JRE version.”
The Retail and Hospitality Information Sharing and Analysis Center (ISAC) said it analysed and confirmed the “correctness” of the proof-of-concept for the RCE bug, and that it is “continuing tests to establish the validity of the PoC.”
In a tweet, CERT/CC vulnerability analyst Will Dormann wrote, “The Spring4Shell exploit in the wild appears to work against the stock ‘Handling Form Submission’ example code from spring.io. If the example code is vulnerable, I’m confident there are real-world programmes that are vulnerable to RCE.”