There’s a new vulnerability making headlines called Spring4Shell, and it can allow attackers to perform remote code execution (RCE). The vulnerability was discovered in the Spring Framework, which is widely used for developing Java applications. Details on the vulnerability are documented in CVE-2022-22965. It bears mentioning that other vulnerabilities related to the Spring Framework have recently been reported, but this article focuses specifically on Spring4Shell.
While the vulnerability is rated a 9.8 (critical) by the National Vulnerability Database, there is some good news. Unlike the other recent “4shell” vulnerability, Log4Shell, the cyber risks posed by Spring4Shell appear considerably less dire. This is due to the multiple conditions that must exist for an attacker to successfully exploit the flaw.
For the Spring4Shell vulnerability to be successfully exploited, applications must:
- Run on Java Development Kit (JDK) version 9 or later
- Use Apache® Tomcat® as a servlet container
- Be deployed as a web application resource (WAR) file
- Include Spring WebMVC or Spring WebFlux as dependencies
If these conditions do not apply to an application, it should be safe from exploitation based upon our current understanding. Of course, this may change as researchers and threat actors explore Spring4Shell and gain more insights into its inner workings.
Companies wondering whether Spring4Shell affects them can perform a software inventory or network scan to discover where vulnerable apps exist in their environment. Upgrading to Spring 5.3.18 or higher is also recommended, as this version and later versions are not affected by Spring4Shell.
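As an added example for that software inventory step (not part of BlackBerry's advisory), the Python script below triages a Maven pom.xml against the preconditions listed above: WAR packaging, a spring-webmvc or spring-webflux dependency below 5.3.18, and a Java 9+ compile target used as a proxy for the runtime JDK. It assumes the Maven group id org.springframework and those two artifact ids, runs on a constructed SAMPLE_POM, and leaves the Tomcat condition to the inventory because a pom does not record the servlet container.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
SPRING_WEB = {"spring-webmvc", "spring-webflux"}  # the two dependencies named in the advisory
FIXED = (5, 3, 18)                                # first unaffected release per the advisory

def parse_version(text):
    """'5.3.17' or '5.3.17.RELEASE' -> (5, 3, 17); a non-numeric tail is dropped."""
    parts = []
    for piece in (text or "").strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def triage_pom(pom_xml):
    """Return a dict of Spring4Shell preconditions visible in one pom.xml.
    Assumption: the declared compile target stands in for the runtime JDK."""
    root = ET.fromstring(pom_xml)
    props_el = root.find("m:properties", NS)
    props = {} if props_el is None else {p.tag.split("}")[-1]: (p.text or "").strip() for p in props_el}
    resolve = lambda v: re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), ""), v or "")

    vulnerable, unresolved = {}, []
    for dep in root.iterfind("m:dependencies/m:dependency", NS):
        if dep.findtext("m:groupId", "", NS) != "org.springframework":
            continue
        artifact = dep.findtext("m:artifactId", "", NS)
        if artifact in SPRING_WEB:
            ver = parse_version(resolve(dep.findtext("m:version", "", NS)))
            if not ver:
                unresolved.append(artifact)  # version inherited (e.g. from a parent): check by hand
            elif ver < FIXED:
                vulnerable[artifact] = ".".join(map(str, ver))

    jdk = parse_version(resolve(props.get("maven.compiler.source") or props.get("java.version")))
    if jdk[:1] == (1,):  # legacy '1.8' style means Java 8
        jdk = jdk[1:]
    findings = {
        "war_packaging": root.findtext("m:packaging", "jar", NS).strip().lower() == "war",
        "jdk9_or_later": bool(jdk) and jdk[0] >= 9,
        "vulnerable_spring_web": vulnerable,
        "unresolved_spring_web": unresolved,
    }
    findings["preconditions_met"] = (findings["war_packaging"] and findings["jdk9_or_later"]
                                     and bool(vulnerable))
    return findings

# Constructed sample pom (not from any real project): WAR, Java 11, spring-webmvc 5.3.17.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <packaging>war</packaging>
  <properties><maven.compiler.source>11</maven.compiler.source>
    <spring.version>5.3.17</spring.version></properties>
  <dependencies><dependency><groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId><version>${spring.version}</version>
  </dependency></dependencies></project>"""
```

Run it over every pom.xml found in the inventory; a hit on all three visible preconditions, together with a Tomcat deployment, marks an application for the 5.3.18 upgrade first.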
BlackBerry customers using CylancePROTECT® and CylanceOPTICS® remain protected from malware attacks delivered through Spring4Shell exploitation. For professional assistance with the Spring4Shell vulnerability, contact BlackBerry Incident Response services, or speak to one of our representatives at +1-888-808-3119.