Spring4Shell Update – April 2022

Just in case ProxyShell, ProxyLogon, Log4Shell, and Chrome 0Days just weren’t exciting enough, we now have Spring4Shell. Java is the gift that keeps on giving.

Spring4Shell is a Remote Code Execution (RCE) vulnerability that is currently being exploited in the wild. The RCE is found in the Spring Framework which is an open-source framework used in Java applications (typically enterprise apps). Spring4Shell is rated a CVSS 9.8 due to the wide use of the framework and severity of the vulnerability.

Here is the good news, Spring4Shell does not appear to be as prevalent as Log4Shell as there are a few non-default dependencies that need to exist for exploitation. Couple that with the fact that the exploit code is not a simple one-liner, and we can all take a collective to exhale.

Most vulnerable configurations were set up with the following dependencies:

• Apache Tomcat (with WAR file deployed)
• Spring Framework before 5.2.20, 5.3.18, and JDK version 9 or higher
• Spring-webmvc/Spring-webflux

Most vulnerable configurations were set up with the following dependencies:

• Apache Tomcat as the Servlet container – Tomcat provides a pure Java HTTP web server environment in which Java code can run.
• Spring Framework before 5.2.20, 5.3.18, and JDK version 9 or higher
• Spring-webmvc/Spring-webflux
• Packaged using the WAR (Web Application Resource) file format (as opposed to using JAR, the default format)

Spring has released patches with details available here. https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement. We recommend upgrading Spring Framework past 5.2.20 and 5.3.18 and upgrading Spring Boot past versions 2.6.6 and 2.5.12