Patches are now available for the Spring4Shell vulnerability, and security teams continue to investigate whether the remote code execution (RCE) flaw could affect their applications. But at the time of writing, there is still little evidence of widespread risk from the recently disclosed Spring Core vulnerability.
Security professionals, including Chris Partridge, who has been collecting details about Spring4Shell on GitHub, encourage organizations to assess the situation for themselves and determine their own level of exposure.
But “so far no one has found evidence that this is widespread,” Partridge said on the GitHub page. “This is certainly a serious vulnerability, but it only affects non-standard use of Spring Core with no proven widespread viability. It’s definitely not log4shell-like.”
In a message to VentureBeat, Partridge said “It’s great that Spring is taking this solution seriously. Hopefully no bypasses are found.”
Spring is a popular framework used in Java web application development.
Patches available
On Thursday, Spring published a blog post detailing patches and exploit requirements for Spring4Shell. The RCE vulnerability, tracked as CVE-2022-22965, is fixed in Spring Framework 5.3.18 and 5.2.20 (and in Spring Boot 2.6.6 and 2.5.12, which pick up those versions). According to the Spring blog post, exploitation requires JDK 9 or later and several additional conditions: the application must run on Apache Tomcat as the servlet container, be deployed as a traditional WAR rather than a Spring Boot executable jar, and depend on spring-webmvc or spring-webflux.
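As an added triage example, not code from Spring, from this article, or from any of the vendors quoted in it: the script below applies the prerequisites the Spring team published (JDK 9 or later, Apache Tomcat as the servlet container, a traditional WAR deployment, and a spring-webmvc or spring-webflux dependency) and the fixed versions (Spring Framework 5.3.18 and 5.2.20) to a deployed WAR. The jar-name parsing, the function names, and the constructed sample WAR it builds for the demo are my own assumptions; the JDK major version and the container name are supplied by the caller rather than probed from the host.

```python
"""Triage a deployed WAR against the published CVE-2022-22965 prerequisites.

Added example, not the Spring project's tooling. It encodes the conditions
the Spring team listed (JDK 9+, Apache Tomcat, WAR packaging, spring-webmvc
or spring-webflux) plus the fixed versions 5.3.18 and 5.2.20. The WAR used
in the demo is constructed here with empty jar entries and realistic names.
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Fixed Spring Framework versions announced by the Spring team on 2022-03-31.
FIXED_5_3 = (5, 3, 18)
FIXED_5_2 = (5, 2, 20)

# Matches spring-beans-5.3.17.jar and spring-beans-5.2.19.RELEASE.jar
# (assumed naming; Maven-style artifact-version.jar).
JAR_RE = re.compile(
    r"^(spring-(?:beans|core|webmvc|webflux))-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$"
)


def parse_jar_name(name):
    """Return (artifact, (major, minor, patch)) or None for non-Spring jars."""
    m = JAR_RE.match(Path(name).name)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def is_patched(version):
    """True if the version is at or above the fix for its release line.

    Anything below 5.2.20, including the unsupported 5.1 and older lines,
    is treated as vulnerable."""
    if version >= FIXED_5_3:
        return True
    return FIXED_5_2 <= version < (5, 3, 0)


def assess_war(war_path, jdk_major, container):
    """Apply the published prerequisites to one WAR and report what matched.

    jdk_major and container come from the caller (e.g. `java -version` and
    the servlet container banner). 'exposed' is True only when every
    prerequisite holds; a False result is a prioritization signal, not a
    proof that other exploitation routes are impossible."""
    spring_jars = {}
    with zipfile.ZipFile(war_path) as war:
        for entry in war.namelist():
            if not entry.startswith("WEB-INF/lib/"):
                continue
            parsed = parse_jar_name(entry)
            if parsed:
                artifact, version = parsed
                spring_jars[artifact] = version
    core = spring_jars.get("spring-beans") or spring_jars.get("spring-core")
    findings = {
        "jdk_9_or_later": jdk_major >= 9,
        "tomcat": container.lower() == "tomcat",
        "war_packaging": Path(war_path).suffix.lower() == ".war",
        "web_module": any(a in spring_jars for a in ("spring-webmvc", "spring-webflux")),
        "unpatched_spring": core is not None and not is_patched(core),
        "spring_version": core,
    }
    findings["exposed"] = all(
        findings[k]
        for k in ("jdk_9_or_later", "tomcat", "war_packaging", "web_module", "unpatched_spring")
    )
    return findings


def build_sample_war(spring_version, with_webmvc=True):
    """Write a constructed WAR (empty jar entries, realistic names) for the demo."""
    fd, path = tempfile.mkstemp(suffix=".war")
    os.close(fd)
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr(f"WEB-INF/lib/spring-beans-{spring_version}.jar", b"")
        war.writestr(f"WEB-INF/lib/spring-core-{spring_version}.jar", b"")
        if with_webmvc:
            war.writestr(f"WEB-INF/lib/spring-webmvc-{spring_version}.jar", b"")
        war.writestr("WEB-INF/lib/jackson-databind-2.13.2.jar", b"")
    return path


if __name__ == "__main__":
    for ver in ("5.3.17", "5.3.18", "5.2.19.RELEASE"):
        report = assess_war(build_sample_war(ver), jdk_major=11, container="Tomcat")
        print(ver, "exposed" if report["exposed"] else "not exposed", report)
```

Run it against real WARs by passing the path plus the JDK major and container seen on the host. Because the article's sources stress that other exploitation routes may still turn up, treat an "exposed" result as a reason to patch first, and a negative result as lower priority rather than as proof of safety.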
Among other things, the blog post confirms that the Spring4Shell vulnerability is not Log4Shell 2.0, said Ian McShane, vice president of strategy at Arctic Wolf.
“It’s an RCE, so it’s a high-priority risk. But the fact that it needs a non-standard implementation should limit its scope, especially when compared to Log4shell,” McShane said in an email.
The Apache Log4j logging software — which was affected by the Log4Shell vulnerability revealed in December — was embedded in numerous applications and services and was vulnerable by default, he noted.
Spring4Shell, on the other hand, “doesn’t seem like a comparable risk. But that doesn’t mean organizations can ignore it,” McShane said. “As with all application vulnerabilities, especially those that are designed to be web-oriented, you need to find out if you’re at risk before disregarding it.”
With the information now available, it’s clear that Spring4Shell — despite its similar name to Log4Shell — “is certainly not that big,” said Satnam Narang, a staff research engineer at Tenable.
“That said, we’re still in the early stages of figuring out which applications are vulnerable, and we’re basing this on what’s known,” Narang said in an email. “There are still some questions about whether there are other ways to exploit this flaw.”
More accurate picture
But if anything, Spring’s blog post only narrows the reach of vulnerable cases, said Mike Parkin, senior technical engineer at Vulcan Cyber.
And by clarifying the exploitable terms, the update gives the security community a more accurate picture of potential risks, Parkin said.
“However, attackers can find creative ways to exploit this vulnerability beyond the identified target range,” he said in an email. At the moment, however, there are no reports of the vulnerability being exploited in the wild, Parkin noted.
John Bambenek, principal threat hunter at Netenrich, agreed that the vulnerability appears to affect fewer machines than Log4Shell.
There are some specific environments that Spring4Shell can apply to, “but in the more dangerous case of embedded or vendor-supplied machines, this vulnerability is less likely to be seen,” Bambenek said.
Need more info
In an update to their blog post on the RCE vulnerability, Flashpoint and its Risk Based Security unit said that because Spring Core is a library, “the exploit methodology is likely to change from user to user.”
“More information is needed to assess how many devices are running on the necessary configurations,” says the updated Flashpoint blog post.
Colin Cowie, a threat analyst at Sophos, and vulnerability analyst Will Dormann posted separate confirmations Wednesday that they had gotten an exploit for the Spring4Shell vulnerability working against sample code provided by Spring.
“If the sample code is vulnerable, I suspect that there are indeed real-world apps that are vulnerable to RCE,” Dormann said in a tweet.
At the time of writing, however, it is not yet clear which specific applications may be vulnerable.
The bottom line is that Spring4Shell is “definitely a cause for concern — but appears to be a lot harder to successfully exploit than Log4j,” Casey Ellis, founder and CTO at Bugcrowd, said in an email.
Regardless, given the large volume of research and discussion surrounding Spring4Shell, defenders would do well to mitigate and/or patch as soon as possible, Ellis said.
It’s also likely that new flavors of this vulnerability could emerge in the near future, said Yaniv Balmas, vice president of research at Salt Security. “These could affect other web servers and platforms and increase the reach and potential impact of this vulnerability,” Balmas said in an email.
This post, “Do not ignore Spring4Shell. But there is still no sign that it is widespread,” was originally published at https://venturebeat.com/2022/03/31/dont-ignore-spring4shell-but-theres-still-no-sign-its-widespread/
