MegaplanIT

MegaplanIT

Security & Compliance

Spring4Shell Update - April 2022

Just in case ProxyShell, ProxyLogon, Log4Shell, and Chrome 0Days just weren’t exciting enough, we now have Spring4Shell. Java is the gift that keeps on giving.

Spring4Shell is a Remote Code Execution (RCE) vulnerability that is currently being exploited in the wild. The RCE is found in the Spring Framework which is an open-source framework used in Java applications (typically enterprise apps). Spring4Shell is rated a CVSS 9.8 due to the wide use of the framework and severity of the vulnerability.

Here is the good news, Spring4Shell does not appear to be as prevalent as Log4Shell as there are a few non-default dependencies that need to exist for exploitation. Couple that with the fact that the exploit code is not a simple one-liner, and we can all take a collective to exhale.

 

Most vulnerable configurations were set up with the following dependencies:

  • Apache Tomcat (with WAR file deployed)
  • Spring Framework before 5.2.20, 5.3.18, and JDK version 9 or higher
  • Spring-webmvc/Spring-webflux

Most vulnerable configurations were set up with the following dependencies:

  • Apache Tomcat as the Servlet container – Tomcat provides a pure Java HTTP web server environment in which Java code can run.
  • Spring Framework before 5.2.20, 5.3.18, and JDK version 9 or higher
  • Spring-webmvc/Spring-webflux
  • Packaged using the WAR (Web Application Resource) file format (as opposed to using JAR, the default format)

Spring has released patches with details available here. https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcementWe recommend upgrading Spring Framework past 5.2.20 and 5.3.18 and upgrading Spring Boot past versions 2.6.6 and 2.5.12

Looking for a knowledgeable partner for your cybersecurity and compliance efforts? We're Here To Help!

We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!

Share this post

Industry Leading Certified Experts

Subscribe

Subscribe To Our Newsletter & Stay Up-To-Date

Explore Our Blogs

Whitepaper | 10 min Read

Developing An Effective Compliance Program

This whitepaper provides organizations with a path forward. We will walk through aspects of an effective compliance program and how it can be valuable to your business. We will also outline critical steps towards developing and implementing a useful and effective Compliance Program.

New Service Offering | Contact Us

Ransomware Preparedness Assessment

As new vulnerabilities emerge in response to ongoing geopolitical threats, are you confident that your organization could defend against a ransomware attack? If not or if you are unsure, MegaplanIT is offering a Ransomware Readiness Assessment free of charge for up to 50 Systems. 

ResourceGuide | 8 min Read

Cybersecurity Roadmap For 2022

Companies need to be aware of their current state, where they need improvement, and how to be proactive moving forward. Dialing in on the key elements your organization will need to succeed is a great starting point to having a full-fledged plan in place, and it all comes down to the fundamentals. 

We're Here To Help

We look forward to talking to you about your upcoming Security Testing, Compliance Assessments, and Managed Security Services priorities. We are ready to help and discuss more information with you on our comprehensive list of services. 

Make Our Team, Your Team!

Our innovative IT security and compliance solutions are designed to deliver customized, cost-effective service on time—because your priorities are our priorities. With a highly qualified team of PCI-DSS QSAs, Penetration Testers, and Information Security Consultants here at MegaplanIT, we will assess your unique company and business environment and design a path to security that will fit all of your needs.

Ransomware Assessment Preparedness

Cybersecurity Roadmap For 2022

Developing And Maintaining An Effective Compliance Program

As new vulnerabilities emerge in response to ongoing geopolitical threats, are you confident that your organization could defend against a ransomware attack? 

A Cybersecurity Roadmap details priorities and objectives to drive progress towards security goals. The roadmap follows a data-driven path based on answers to critical questions

This whitepaper provides organizations with a path forward. We will walk through aspects of an effective compliance program and how it can be valuable to your business