Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

A critical remote code execution (RCE) vulnerability was identified March 30th, 2022 for the Spring Framework. Spring core, used by millions of systems to develop Java web applications quickly, is one of the Java world’s most popular open source Java frameworks. The RCE vulnerability, if successfully exploited could potentially allow an attacker to take control of a vulnerable system.

A new vulnerability was found in the Spring Core module of the Spring Framework. This was discovered by a Chinese security researcher, posting a Proof-of-Concept (POC) on GitHub (Figure 1), which later was deleted. This vulnerability is a zero-day, which currently wasn’t assigned a CVE, and was dubbed by security researchers as “Spring4Shell” or “SpringShell”, after the recent vulnerability in the Log4j Java package, discovered last December, and made waves worldwide.

Overview The internet is abuzz with the disclosure of CVE-2022-22965, an RCE vulnerability in Spring, one of the most popular open-source frameworks for Java applications in use today. Known as “Spring4Shell” or “SpringShell”, the zero-day vulnerability has triggered widespread concern about the possibility of a wave of malicious attacks targeting vulnerable applications. Is this Log4j 2.0?

Trustwave security and engineering teams are actively investigating the vulnerabilities CVE-2022-22965 (also referenced by other vendors at Spring4Shell / SpringShell) and CVE-2022-22963 and potential exploits. We are diligently watching over our clients for exposure and associated attacks and are taking action with approved mitigation efforts. At this time, Trustwave infrastructure and products have not been adversely affected by the vulnerability / exploits.

Editor’s note: Latest update, April 6, 2022, 7:30 p.m. U.S. EDT — This post now includes an example query to aid SOC teams in generating alerts for their specific WAF data sources. See the section “Create New Web Application Firewall (WAF) Rules” for details. A critical zero-day vulnerability in Java’s popular Spring Core Framework is being actively targeted, according to multiple reports submitted to Bleeping Computer.

After the Spring cloud vulnerability reported yesterday, a new vulnerability called Spring4shell CVE-2022-22965 was reported this time on the very popular Java framework Spring Core on JDK9+. The vulnerability is always a remote code execution (RCE) which would permit attackers to execute arbitrary code on the machine and compromise the entire host.

Details of a zero-day vulnerability in Spring Framework were leaked on March 29, 2022 but promptly taken down by the original source. Although much of the initial speculation about the nature of the vulnerability was incorrect, we now know that the vulnerability has the potential to be quite serious depending on your organization’s use of Spring Framework. There is also a dedicated CVE 2022-22965 assigned to this vulnerability. We will keep this blog updated as new information comes up.