New Spring Framework RCE Vulnerability Confirmed - What to do?


Early Wednesday morning UTC, reports began to appear on the internet of a new remote code execution flaw affecting Spring Core. The vulnerability, dubbed "Springshell" by some in the community, is a new, previously unknown security issue.

NOTE: A separate Spring vulnerability, CVE-2022-22963 (High), disclosed a few days ago, affects Spring Cloud Function. It is a Spring Expression Language (SpEL) injection in Spring Cloud Function and is NOT related to "Springshell", which affects Spring Core. Some Twitter posts continue to conflate the two vulnerabilities.

What is it?

On Wednesday the vulnerability was confirmed by Praetorian security researchers; it is tracked in our system as SONATYPE-2022-1764. We are still investigating other avenues of attack, but given the media attention we are publishing this now out of an abundance of caution.

It affects the spring-core artifact, part of an extremely widely used Java framework, and appears to require JDK 9 or newer at runtime. It is a bypass of an older CVE, CVE-2010-1622: the 2010 fix blocked the class.classLoader property path, but JDK 9 added Class.getModule(), and Module exposes getClassLoader(), so the path class.module.classLoader reaches the same ClassLoader through a route the old fix does not cover. Praetorian has confirmed this.

The root of the problem is Spring's data binding: request parameters are bound onto object properties through Java reflection, and a nested property path can walk from the bound object to its Class and onward to a ClassLoader. Binding untrusted input by reflection is why this class of Remote Code Execution (RCE) flaw has historically recurred in Spring. An attacker who can reach such a binding endpoint can craft a request that tampers with the application's ClassLoader state and, from there, gain full control of the system.
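To make the binding path concrete, here is an added example (not code from the Sonatype post or from the Spring project) that resolves the two property paths the way Spring's bean wrapper does and then applies the disallowed-fields workaround on a DataBinder. It assumes a JDK 9+ runtime and a pre-fix spring-beans/spring-context on the classpath; the Greeting class, the hardenedBinder helper and the constructed parameters are hypothetical.

```java
// Added example, not from the original post. Assumes JDK 9+ and a vulnerable
// (pre-fix) spring-beans/spring-context on the classpath. Names below are made up.
import org.springframework.beans.BeanWrapperImpl;
import org.springframework.beans.BeansException;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class BindingPathDemo {

    // A typical form-backing object that a Spring MVC controller would bind
    // request parameters onto via @ModelAttribute (hypothetical class).
    public static class Greeting {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Resolve a nested property path exactly as Spring's data binding does.
    static String resolve(Object target, String path) {
        try {
            Object value = new BeanWrapperImpl(target).getPropertyValue(path);
            return String.valueOf(value);
        } catch (BeansException e) {
            // CachedIntrospectionResults refuses properties it has excluded.
            return "BLOCKED: " + e.getClass().getSimpleName();
        }
    }

    // Workaround: refuse any binding path that goes through a Class object.
    // "Class.*" covers the capitalised spelling the matcher would otherwise miss.
    static DataBinder hardenedBinder(Object target) {
        DataBinder binder = new DataBinder(target);
        binder.setDisallowedFields("class.*", "Class.*", "*.class.*", "*.Class.*");
        return binder;
    }

    public static void main(String[] args) {
        Greeting g = new Greeting();

        // Path closed by the CVE-2010-1622 fix: Class.getClassLoader() is excluded.
        System.out.println("class.classLoader        -> " + resolve(g, "class.classLoader"));

        // JDK 9 added Class.getModule(); Module.getClassLoader() was never excluded,
        // so the same ClassLoader is reachable one hop further along the path.
        System.out.println("class.module.classLoader -> " + resolve(g, "class.module.classLoader"));

        // Constructed request parameters: one legitimate field, one probe of the path.
        MutablePropertyValues params = new MutablePropertyValues();
        params.add("name", "world");
        params.add("class.module.classLoader", "probe");

        // With the disallowed-field patterns the probe is dropped before any setter runs.
        DataBinder binder = hardenedBinder(g);
        binder.bind(params);
        System.out.println("bound name : " + g.getName());
        System.out.println("suppressed : " + String.join(", ", binder.getBindingResult().getSuppressedFields()));
    }
}
```

On a vulnerable spring-beans with JDK 9+, the first line prints BLOCKED and the second prints a ClassLoader, which is the whole bypass; the bind step then shows the probe landing in the suppressed-fields list while name is bound normally. In a Spring MVC application the same setDisallowedFields call belongs in an @InitBinder method of a @ControllerAdvice so it applies to every controller. Note that the patched Spring releases (5.3.18 / 5.2.20 and later) refuse the class.module path as well, so the second line prints BLOCKED there too.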

This vulnerability affects applications that use Spring Framework, one of the most popular frameworks in Java, comparable in reach to Struts, and it can be exploited when the application runs on JDK 9 or newer.

As with past RCE flaws, it is usually a matter of hours before a vulnerability of this kind is exploited in the wild: Log4shell drew in opportunistic attackers who began exploiting it as soon as a PoC surfaced. We strongly encourage all customers to upgrade immediately (instructions to be announced) or to put mitigations in place to block the attack.

How did we get here?

Concerns surfaced in a series of blog posts and Twitter screenshots alleging "Springshell", shown below:
