Thursday, Mar 31, 2022
BY: Team Nuspire
A zero-day vulnerability has been identified in the Spring Framework. Nicknamed “Spring4Shell” and tracked as CVE-2022-22965, it allows unauthenticated remote code execution (RCE) against affected applications.
A zero-day is a vulnerability that threat actors exploit before the software’s developers have produced a fix. Because the Spring Framework underpins a large share of real-world Java applications, the vulnerability has wide implications.
Why is this significant?
This is a big deal because Spring is a popular Java application framework that lets developers build Java web applications with enterprise-level features. The vulnerability could put a wide array of web applications at risk of remote attack.
How do I know if I’m vulnerable?
From what Spring has shared, the known exploit path requires all of the following prerequisites (Spring cautions that other ways to exploit the vulnerability may exist):
- Java Development Kit (JDK) 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as a traditional WAR (not a Spring Boot executable JAR)
- Spring-webmvc or spring-webflux dependency
- Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or an older, out-of-support version (fixed in 5.3.18 and 5.2.20)
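The following script turns the checklist above into an offline triage check you can run against a deployed archive. It is an added example for this article, not Nuspire’s or the Spring project’s code. It assumes you can hand it the path to a WAR or JAR and the text of `java -version`; the archives produced by `build_sample_war()` are constructed for illustration and contain no real code. The “not a Spring Boot executable JAR” prerequisite is detected from the archive layout (libraries under `BOOT-INF/` instead of `WEB-INF/`).

```python
"""Offline triage against the CVE-2022-22965 prerequisites listed above.

Added example, not Nuspire's or the Spring project's code. It assumes you
can hand it a deployed WAR/JAR and the text of `java -version`; the
archives built by build_sample_war() are constructed for illustration.
"""
import os
import re
import tempfile
import zipfile

# Patched releases announced by Spring: 5.3.18 and 5.2.20. Anything below
# those on its line, or on an older out-of-support line, counts as affected.
FIXED = {(5, 3): 18, (5, 2): 20}

JAR_RE = re.compile(
    r"(?:WEB-INF|BOOT-INF)/lib/(spring-(?:webmvc|webflux|core))-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$"
)


def inspect_archive(path):
    """Return bundled Spring jar versions and whether this is a traditional WAR.

    A Spring Boot executable jar keeps its libraries under BOOT-INF/ rather
    than WEB-INF/, which is the packaging Spring's advisory excludes.
    """
    jars = {}
    with zipfile.ZipFile(path) as archive:
        names = archive.namelist()
    for name in names:
        m = JAR_RE.search(name)
        if m:
            jars[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    traditional_war = any(n.startswith("WEB-INF/") for n in names) and not any(
        n.startswith("BOOT-INF/") for n in names
    )
    return jars, traditional_war


def version_affected(version):
    """True if a Spring Framework version predates the patched release of its line."""
    major, minor, patch = version
    if major != 5:
        return major < 5          # 4.x and earlier: out of support, never patched
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    return minor < 2              # 5.0.x / 5.1.x: out of support, never patched


def jdk_major(version_output):
    """Parse the major version from `java -version` output, including the 1.8 style."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        raise ValueError("unrecognised java -version output")
    major = int(m.group(1))
    return int(m.group(2)) if major == 1 and m.group(2) else major


def assess(archive_path, java_version_output, servlet_container):
    """Evaluate each prerequisite; all must hold for the known exploit path."""
    jars, traditional_war = inspect_archive(archive_path)
    web = {k: v for k, v in jars.items() if k in ("spring-webmvc", "spring-webflux")}
    checks = {
        "jdk9_or_newer": jdk_major(java_version_output) >= 9,
        "tomcat": servlet_container.lower() == "tomcat",
        "war_packaging": traditional_war,
        "web_dependency": bool(web),
        "unpatched_version": any(version_affected(v) for v in web.values()),
    }
    checks["all_prerequisites_met"] = all(checks.values())
    return checks


def build_sample_war(path, version="5.3.17", boot=False):
    """Constructed sample archive (no real code inside) for demonstration."""
    lib = "BOOT-INF/lib/" if boot else "WEB-INF/lib/"
    with zipfile.ZipFile(path, "w") as archive:
        archive.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if not boot:
            archive.writestr("WEB-INF/web.xml", "<web-app/>")
        archive.writestr(f"{lib}spring-webmvc-{version}.jar", b"")
        archive.writestr(f"{lib}spring-core-{version}.jar", b"")
    return path


def sample_assessment(version="5.3.17", java_output='openjdk version "11.0.14" 2022-01-18',
                      container="Tomcat", boot=False):
    """Build a constructed archive in a temp dir and run assess() on it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = build_sample_war(os.path.join(tmp, "app.jar" if boot else "app.war"), version, boot)
        return assess(path, java_output, container)


if __name__ == "__main__":
    for label, kwargs in [
        ("vulnerable WAR on JDK 11", {}),
        ("patched 5.3.18", {"version": "5.3.18"}),
        ("JDK 8", {"java_output": 'java version "1.8.0_292"'}),
        ("Spring Boot jar", {"boot": True}),
    ]:
        print(f"{label}: {sample_assessment(**kwargs)}")
```

A result with every check true means the deployment matches the known exploit path and should be patched first; a false on any single check lowers priority but does not make the deployment safe, since Spring notes that other exploitation routes may exist. The version check reads the jar file names in the archive, so it will miss Spring jars supplied by the container’s shared classpath; for those, inspect the container’s lib directory with the same regex.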
Is this similar to Log4Shell?
Unlike Log4Shell (CVE-2021-44228), identified in December 2021, Spring4Shell requires the attacker to know the application’s address, including the specific endpoint, in order to exploit it. Log4Shell could be triggered wherever an attacker-controlled string reached a vulnerable logger, so threat actors could compromise systems that were not directly exposed to the internet through data those systems logged. For that reason Spring4Shell is a less severe threat, though affected deployments should still be patched promptly.
Is Nuspire affected?
Nuspire does not use the Spring Framework or associated vulnerable components internally.
What should I do?
Nuspire recommends you take the following actions: