A new zero-day attack has been identified in the Spring Framework. Called “Spring4Shell,” the attack allows unauthenticated remote code execution (RCE) on applications.
The Spring Framework has been hit by a zero-day attack (one in which a threat actor exploits a vulnerability before the software's developers can release a fix). Tracked as CVE-2022-22965, the vulnerability has wide implications for real-world applications.
This is a big deal because Spring Core is a popular Java web application framework that lets software developers easily build Java applications with enterprise-level features. This attack could therefore put a wide array of web applications at risk of remote attack.
From what Spring has shared, the vulnerability affects those with the following prerequisites:
Unlike the Log4Shell vulnerability identified in December 2021, Spring4Shell requires an attacker to know the target's address, including the vulnerable application endpoint, in order to exploit it. With Log4Shell, threat actors could exploit even systems that were not connected to the internet. Spring4Shell is therefore not as severe a threat.
Nuspire does not use the Spring Framework or associated vulnerable components internally.
Nuspire recommends you take the following actions: