A new vulnerability was found in the Spring Java framework this week that allows attackers to execute code remotely on affected systems. The vulnerability was discovered by security researchers, but its details were leaked to the public before Spring had a fix ready, effectively turning it into a zero-day flaw. Spring has now released a patch and an advisory for the issue.
It has a CVE now
The details of the vulnerability were leaked through the Chinese communication platform QQ.
The vulnerability in the Spring Java framework, known as Spring4Shell, is now tracked as CVE-2022-22965. It affects Spring MVC and Spring WebFlux applications running on Java Development Kit 9. The Spring4Shell flaw also has additional requirements for exploitation: Apache Tomcat as the servlet container, the spring-webmvc or spring-webflux dependency, and an application packaged as a WAR file. At present, exploiting the flaw against a default configuration is not possible.
Spring delivered patches for the Spring4Shell vulnerability the following day. The following versions contain the fix:
- Spring Framework 5.3.18 and 5.2.20
- Spring Boot 2.5.12 and 2.6.6
Developers should update their software as quickly as possible to reduce their exposure. Care is also advised when reusing sample code, since even some of the samples published on Spring.io itself contain vulnerable code.
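The quickest defensive check a team can run is to compare the Spring versions declared in each build file against the fixed releases listed above and to confirm whether the application is packaged as a WAR. The script below is an added example written for this article; it is not code from Spring or from the original page. It assumes a Maven pom.xml, resolves simple `${property}` version references, and treats release lines older than those listed (for example 5.1.x or 2.4.x) as unpatched and lines newer than those listed as patched; both of those rules are assumptions of the example, not statements from the advisory. The embedded `SAMPLE_POM` is a constructed input.

```python
"""Audit a Maven pom.xml for Spring Framework / Spring Boot versions below the
CVE-2022-22965 fix releases named in the article: Spring Framework 5.3.18 and
5.2.20, Spring Boot 2.5.12 and 2.6.6.  Added example, not Spring's own tooling."""
import re
import xml.etree.ElementTree as ET

# First fixed patch release per (major, minor) line, taken from the article.
FIXED = {
    "org.springframework": {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)},
    "org.springframework.boot": {(2, 5): (2, 5, 12), (2, 6): (2, 6, 6)},
}


def parse_version(version):
    """Turn '5.3.17' or '5.3.17.RELEASE' into (5, 3, 17); None if unparseable."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in match.groups()) if match else None


def is_vulnerable(group_id, version):
    """True when the artifact's version is below the first fixed release of its line.
    Assumption of this example: lines older than the listed ones have no fix and
    are reported vulnerable; lines newer than the listed ones are reported fixed."""
    parsed = parse_version(version)
    if parsed is None or group_id not in FIXED:
        return False  # unrelated artifact, or a version we cannot interpret
    lines = FIXED[group_id]
    line = parsed[:2]
    if line in lines:
        return parsed < lines[line]
    return line < min(lines)


def _local(tag):
    """Strip the Maven XML namespace from an element tag."""
    return tag.split("}")[-1]


def _child_text(element, name):
    for child in element:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_pom(pom_xml):
    """Return {'packaging': str, 'findings': [(groupId, artifactId, version, vulnerable)]}
    covering the <parent> block and every dependency with an explicit version."""
    root = ET.fromstring(pom_xml)
    properties = {}
    for element in root:
        if _local(element.tag) == "properties":
            for prop in element:
                properties[_local(prop.tag)] = (prop.text or "").strip()

    def resolve(value):
        # Resolve a single ${property} reference; leave anything else untouched.
        if value and value.startswith("${") and value.endswith("}"):
            return properties.get(value[2:-1], value)
        return value

    findings = []
    for element in root.iter():
        if _local(element.tag) in ("dependency", "parent"):
            group = _child_text(element, "groupId")
            artifact = _child_text(element, "artifactId")
            version = resolve(_child_text(element, "version"))
            if group and version:
                findings.append((group, artifact, version, is_vulnerable(group, version)))
    return {"packaging": _child_text(root, "packaging") or "jar", "findings": findings}


# Constructed sample: a WAR-packaged Spring Boot app one patch release short of the fix.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.5</version>
  </parent>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1</version>
  <packaging>war</packaging>
  <properties>
    <spring.version>5.3.17</spring.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
      <version>9.0.60</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    report = audit_pom(SAMPLE_POM)
    print("packaging:", report["packaging"])
    for group, artifact, version, vulnerable in report["findings"]:
        print(f"{'VULNERABLE' if vulnerable else 'ok        '} {group}:{artifact}:{version}")
```

Versions inherited from a parent POM or a BOM without an explicit `<version>` are not resolved by this script, so a clean report from it is a necessary but not sufficient condition; pair it with the resolved dependency tree from the build tool itself.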