Spring4Shell: Detect and mitigate new zero-day vulnerabilities in the Java Spring Framework

Userlevel 7
Badge +9

Hello to share a new vulnerability

SpringShell attacks target about one in six vulnerable orgs (bleepingcomputer.com)

(1) New Messages! (checkpoint.com)

Spring4Shell: Detect and mitigate vulnerabilities in Java Spring | Dynatrace | Dynatrace news

What is Spring4Shell?

Spring4Shell is a critical vulnerability in the Spring Framework, an open source platform for Java-based application development. Because 60% of developers use Spring for their main Java applications, many applications are potentially affected.

Spring is popular because it enables software engineers to more easily write and test code to maintain modular applications. Other libraries enable developers to become less dependent on enterprise web servers and, therefore, reduce configuration complexity and cost.

Spring4Shell is one of three vulnerabilities published on March 30:

  1. Spring Core RCE (critical): CVE-2022-22965 a.k.a. Spring4Shell or SpringShell
    Affected library: org.springframework:spring-bean
  2. Information exposure in Spring Cloud Function: CVE-2022-22963
    Affected library: org.springframework.cloud:spring-cloud-function-context
  3. Denial of service in Spring Expressions: CVE-2022-22950
    Affected library: org.springframework:spring-expression

Like Log4Shell, a vulnerability discovered in December 2021, the Spring4Shell vulnerability challenges organizations to identify and remediate application vulnerabilities in production—before malicious attackers can compromise sensitive data, such as customer or employee data.



Userlevel 7
Badge +14

Again a very critical issue. Is there a list avaliable with affected software products? Everything I've checked so far isn't affected; like with VMware only Tanzu needs patching.

Userlevel 7
Badge +21

Thanks for sharing will look in to this one. 👍