
Spring4Shell Zero-Day Attack: What You Need to Know

A new zero-day vulnerability has been identified in the Spring Framework. Nicknamed “Spring4Shell,” it allows unauthenticated remote code execution (RCE) on affected applications.

What happened?

The Spring Framework was hit by a zero-day attack (one in which a threat actor exploits a vulnerability before the software's developers have released a fix). Tracked as CVE-2022-22965, the vulnerability affects a wide range of real-world applications.

Why is this significant?

This is a big deal because the Spring Framework is a widely used Java application framework that lets software developers build Java applications with enterprise-level features. The vulnerability could expose a wide array of web applications to remote attack.

How do I know if I’m vulnerable?

From what Spring has shared, the exploit reported so far works against applications that meet all of the following prerequisites:

  • Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or an older, unsupported version
  • Java Development Kit (JDK) 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR and deployed to Tomcat (not a Spring Boot executable jar with embedded Tomcat)
  • spring-webmvc or spring-webflux dependency

Spring has cautioned that the nature of the vulnerability is more general and that other ways to exploit it may exist, so failing to match every item above does not prove an application is safe; it only means the known exploit does not apply as published.
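The quickest concrete check for the prerequisites above is the Spring Framework version actually deployed. The program below is an added example (not Nuspire's code or a Spring tool) that walks a directory, finds Spring Framework module jars both loose on disk and packed inside .war files under WEB-INF/lib, and reports any whose version falls in the affected ranges Spring published (5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older branches). The class name and the choice of modules to match are assumptions made for this example; it identifies versions only and does not confirm the other prerequisites.

```java
// Added example: flag Spring Framework jars that predate the fixed releases 5.3.18 / 5.2.20.
// Class name and module list are assumptions for this illustration.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public class SpringVersionCheck {
    // These modules ship with one version number per release; spring-beans holds the
    // data binder that CVE-2022-22965 abuses. Qualifiers such as ".RELEASE" are tolerated.
    private static final Pattern SPRING_JAR = Pattern.compile(
        "spring-(?:beans|core|webmvc|webflux)-(\\d+)\\.(\\d+)(?:\\.(\\d+))?[^/]*\\.jar$");

    /** Affected: anything before 5.2.20 on the 5.2 line, before 5.3.18 on the 5.3 line,
     *  and every older (unsupported) branch. 5.2.20+, 5.3.18+ and later majors are fixed. */
    static boolean isVulnerable(int major, int minor, int patch) {
        if (major != 5) return major < 5;
        if (minor < 2) return true;
        if (minor == 2) return patch < 20;
        if (minor == 3) return patch < 18;
        return false;
    }

    /** Returns "major.minor.patch" if the jar name is a vulnerable Spring module, else null. */
    static String checkJarName(String nameOrPath) {
        Matcher m = SPRING_JAR.matcher(nameOrPath);
        if (!m.find()) return null;
        int major = Integer.parseInt(m.group(1));
        int minor = Integer.parseInt(m.group(2));
        int patch = m.group(3) == null ? 0 : Integer.parseInt(m.group(3));
        return isVulnerable(major, minor, patch) ? major + "." + minor + "." + patch : null;
    }

    /** Walks root and lists vulnerable jars found loose on disk or inside WEB-INF/lib of .war files. */
    static List<String> scan(Path root) throws IOException {
        List<String> findings = new ArrayList<>();
        try (Stream<Path> paths = Files.walk(root)) {
            for (Path p : (Iterable<Path>) paths::iterator) {
                if (p.getFileName() == null) continue;          // filesystem root has no name
                String fn = p.getFileName().toString();
                if (fn.endsWith(".jar")) {
                    String v = checkJarName(fn);
                    if (v != null) findings.add(p + " (Spring Framework " + v + ")");
                } else if (fn.endsWith(".war")) {
                    // A packed WAR keeps its libraries as zip entries; read the entry names only.
                    try (ZipFile war = new ZipFile(p.toFile())) {
                        Enumeration<? extends ZipEntry> entries = war.entries();
                        while (entries.hasMoreElements()) {
                            String entry = entries.nextElement().getName();
                            if (!entry.startsWith("WEB-INF/lib/")) continue;
                            String v = checkJarName(entry);
                            if (v != null) findings.add(p + "!" + entry + " (Spring Framework " + v + ")");
                        }
                    }
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        List<String> findings = scan(root);
        findings.forEach(System.out::println);
        System.exit(findings.isEmpty() ? 0 : 1);   // non-zero exit lets a CI job fail on hits
    }
}
```

Point it at a Tomcat webapps directory (java SpringVersionCheck /opt/tomcat/webapps). Spring Boot executable jars keep their libraries under BOOT-INF/lib and are deliberately not opened here, because the published exploit conditions exclude embedded Tomcat; those applications still need the upgraded framework version.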

Is this similar to Log4Shell?

Unlike the Log4Shell vulnerability identified in December 2021, Spring4Shell requires the attacker to reach a specific vulnerable endpoint of the application, so they need to know its address, including the path of the affected handler. Log4Shell, by contrast, could be triggered through any attacker-controlled string that reached a vulnerable logger, which put even systems not directly exposed to the internet at risk. Spring4Shell is therefore a less pervasive threat, though still a serious one for applications that meet the prerequisites above.

Is Nuspire affected?

Nuspire does not use the Spring Framework or associated vulnerable components internally.

What should I do?

Nuspire recommends you take the following actions:

  • All users should upgrade to Spring Framework 5.3.18 or 5.2.20 (or later). Spring Boot users should move to Spring Boot 2.6.6 or 2.5.12, which pull in the fixed framework version.
  • If you are unsure whether the Spring Framework exists in your environment, you can use this scanner to identify vulnerable versions.
