A zero-day remote code execution (RCE) vulnerability has come to light in the Spring framework shortly after a Chinese security researcher briefly leaked a proof-of-concept (PoC) exploit on GitHub before deleting their account.
According to cybersecurity firm Praetorian, the unpatched flaw impacts Spring Core on Java Development Kit (JDK) versions 9 and later and is a bypass for another vulnerability tracked as CVE-2010-1622, enabling an unauthenticated attacker to execute arbitrary code on the target system.
Spring is a software framework for building Java applications, including web apps on top of the Java EE (Enterprise Edition) platform.
“In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted HTTP request to a vulnerable system,” researchers Anthony Weems and Dallas Kaman said. However, attackers must do more research in order to discover payloads that are effective for exploitation of other configurations. “
Additional details of the flaw, dubbed “SpringShell” and “Spring4Shell,” have been withheld to prevent exploitation attempts and until a fix is in place by the framework’s maintainers, Spring.io, a subsidiary of VMware. It’s also yet to be assigned a Common Vulnerabilities and Exposures (CVE) identifier.
It’s worth noting that the flaw targeted by the zero-day exploit is different from two previous vulnerabilities disclosed in the application framework this week, including the Spring Framework expression DoS vulnerability (CVE-2022-22950) and the Spring Cloud expression resource access vulnerability (CVE-2022-22963).
In the interim, the company is recommending “creating a ControllerAdvice component (which is a Spring component shared across Controllers) and adding dangerous patterns to the denylist. “
An initial analysis of Spring Core’s new code execution flaw suggests it may have a limited impact. “[C]urrent information suggests in order to exploit the vulnerability, attackers will have to locate and identify web app instances that actually use the DeserializationUtils, something already known by developers to be dangerous,” Flashpoint said in an independent analysis.
Despite the public availability of PoC exploits, “it’s currently unclear which real-world applications use the vulnerable functionality,” Rapid7 explained. “Configuration and JRE version may also be significant factors in exploitability and the likelihood of widespread exploitation. “
The Retail and Hospitality Information Sharing and Analysis Center (ISAC) also issued a statement that it has investigated and confirmed the “validity” of the PoC for the RCE flaw, adding it’s “continuing tests to confirm the validity of the PoC. “
“The Spring4Shell exploit in the wild appears to work against the stock ‘Handling Form Submission’ sample code from spring.io,” CERT/CC vulnerability analyst Will Dormann said in a tweet. If the code in question is compromised, I believe there may be real-world applications that could expose themselves to RCE. “