Both security bugs are now reportedly being exploited in the wild
Spring users are facing a new, zero-day vulnerability which was discovered in the same week as an earlier critical bug.
A second RCE bug, dubbed “Spring4Shell/Springshell”, has now also been discovered in Spring Framework’s Java-based Core module.
A Chinese-speaking developer posted exploit code for a zero-day vulnerability in Spring Framework (not to be confused with Spring Cloud Function). While the exploit code's commit has been deleted, this action may have come too late.
The cybersecurity researchers say that the code, once translated, appeared to show how unauthenticated attackers could trigger RCE on target systems.
Rapid7, alongside others and now Spring.io itself, has confirmed the existence of the zero-day vulnerability.
While potentially severe, certain conditions must be met for an app to be exploitable.
During tests of Spring Framework versions 4.3.0 to 5.3.15, Rapid7 found that the bug appears to stem from functions using the @RequestMapping annotation with POJO parameters. Attackers can exploit the flaw to drop a payload and execute commands.
However, the vulnerability, so far, appears to be limited to Tomcat server builds – but this may change as the situation develops. Multiple cybersecurity firms, including LunaSec, say users running Java Development Kit (JDK) version 9 and newer are potentially vulnerable to attack.
“The Java version does appear to matter,” Rapid7 added. “Proof-of-concept exploits exist, but it’s currently unclear which real-world applications use the vulnerable functionality.”
LunaSec is running a Twitter thread with technical updates.
Emergency patch incoming
A CVE has yet to be assigned; however, Spring has acknowledged the report and announced the deployment of an emergency patch on Thursday in Spring Framework versions 5.3.18 and 5.2.20 via Maven Central.
“The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+,” the developers say. “The specific exploit requires the application to be packaged as a WAR and deployed to Apache Tomcat.
“This does mean the exploit does not work for Spring Boot with embedded Tomcat. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.”
The release for Spring Boot is in progress and is expected to land today.
If the patch cannot be applied, Praetorian recommends temporary mitigation by creating a new Spring component, ControllerAdvice, which adds particular patterns to a denylist. Instructions can be found in the company’s blog post.
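The shape of that interim mitigation, as an added example rather than Praetorian's or Spring's own code: a global @ControllerAdvice whose @InitBinder method registers disallowed binding patterns on every WebDataBinder. The class and package names are assumptions; the four patterns are the class/Class property paths that Spring's early announcement recommended blocking while waiting for the fixed release.

```java
package example.mitigation; // assumed package name

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Temporary workaround for the Spring Framework data-binding RCE.
 * Applies to every controller in the application, so request parameters
 * that try to walk into the "class" / "Class" property chain of a bound
 * POJO are rejected by the binder instead of being set.
 *
 * Caveat: a controller that declares its own @InitBinder and calls
 * setDisallowedFields() locally overrides this global list, so such
 * controllers must add the same patterns themselves.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // run last so it is not shadowed by other advice
public class BinderControllerAdvice {

    // Patterns are matched against the nested property path being bound.
    private static final String[] DENYLIST = {
        "class.*",
        "Class.*",
        "*.class.*",
        "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

This is a stopgap only; the page's upgrade to 5.3.18 / 5.2.20 remains the actual fix.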
“The new critical vulnerability, dubbed ‘Springshell’ by the open source community, has not yet been proven to be quite as dangerous as the widely known Log4j vulnerability,” commented Ilkka Turunen, field CTO at Sonatype.
“However, the massive popularity of Spring and the low skill level needed to execute this type of attack has rightly raised alarms across the industry.”