Otto background

UPDATED: Vulnerabilities Confirmed in Spring Core and Spring Cloud

March 31 Update - Spring4Shell CVE Published

UPDATE (3/31/22): Early Thursday morning, March 31, CVE-2022-22965 was assigned and published for the critical remote code execution vulnerability in Spring Framework dubbed “Spring4Shell.”

A patch was also released by Spring – so upgrade to Spring Framework 5.3.18 or 5.2.20 as soon as possible to remediate CVE-2022-22965. Additional details on the patch and workarounds for those unable to patch immediately can be found on the Spring Blog post.

A Tale of Two RCEs

Throughout most of the day on Wednesday, March 30, the IT and security community swirled with rumors and confusion around potential vulnerabilities in Spring Cloud and Core, a widely-used open source framework used primarily for building distributed applications in an enterprise.

As of now, there are two confirmed vulnerabilities. One is a remote code execution (RCE) vulnerability in Spring Core dubbed “Spring4Shell” while the other is an RCE vulnerability in Spring Cloud, CVE-2022-22963. Spring4Shell has yet to be assigned a CVE ID as it was only recently confirmed by Praetorian, adding to the confusion and misidentification of CVE-2022-22963 as “Spring4Shell.”

Spring Cloud RCE

CVE-2022-22963 was the first to hit the news. This vulnerability is a medium severity flaw that allows for resource access when exploited. Spring Cloud Function versions <=3.1.6 and <=3.2.2 are vulnerable, though patches have been released in 3.1.7 and 3.2.3 to remediate.

Initially, many outlets reported this as a remote code execution (RCE) vulnerability, adding to the confusion when another RCE was thought to be discovered. That RCE has since been confirmed by Praetorian.

Spring4Shell Spring Core RCE

The second vulnerability, now dubbed “Spring4Shell” was only recently confirmed after rumors circulated today and yesterday that a POC had been posted on Twitter. Spring Core on Java Development Kit (JDK)9+ is vulnerable to unauthenticated remote code execution.

Currently, no patches have been released, though Praetorian has released temporary mitigation steps. Depending on the configuration of your system, exploitation ranges from simple to more complex. We recommend reviewing and applying the mitigation posted by Praetorian if possible, and patching your systems as soon as a patch is released. This is likely to be scanned for by threat actors due to the wide adoption of Spring Core.

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.

Demo Automox and join thousands of companies transforming IT operations into a strategic business driver.

Dive deeper into this topic