Spring4Shell Vulnerability Likely Affects Real Apps, Analyst Says


More answers are emerging about the potential risks associated with a newly revealed remote code execution (RCE) vulnerability in Spring Core known as Spring4Shell — with new evidence pointing to a potential impact on real-world applications.

While researchers have noted that comparisons between Spring4Shell and the critical Log4Shell vulnerability are likely exaggerated, analysts Colin Cowie and Will Dormann separately posted confirmations on Wednesday showing that they had managed to get an exploit for the Spring4Shell vulnerability to work against sample code provided by Spring.

“If the sample code is vulnerable, I suspect that there are indeed real-world apps that are vulnerable to RCE,” Dormann said in a statement.

At the time of writing, however, it is not yet clear how big the impact of the vulnerability could be, or which specific applications are vulnerable.

That alone seems to indicate that Spring4Shell’s risk is not comparable to that of Log4Shell, a very serious RCE vulnerability that was revealed in December. That vulnerability affected the widely used Apache Log4j logging library and is believed to affect most organizations.

What remains to be determined about Spring4Shell, Dormann said on Twitter, is “which actual real-world applications are vulnerable to this problem?”

“Or is it likely that it mainly affects only custom software that uses Spring and meets the list of requirements to be vulnerable,” he said in a statement.

Spring is a popular framework used in Java web application development.

Vulnerability Details

Researchers from several cybersecurity firms analyzed and published details about the Spring4Shell vulnerability, which was disclosed on Tuesday. At the time of writing, no patches are available.

Praetorian security engineers said on Wednesday that the vulnerability affects Spring Core on JDK (Java Development Kit) 9 and above. The RCE vulnerability stems from a bypass of CVE-2010-1622, the Praetorian engineers said.

The Praetorian engineers said they have developed a working exploit for the RCE vulnerability. “We have disclosed the full details of our exploit to the Spring security team and are waiting to publish more information until a patch is installed,” they said in a blog post.

(Importantly, the Spring4Shell vulnerability is different from the Spring Cloud vulnerability tracked as CVE-2022-22963, which, confusingly, was revealed around the same time as Spring4Shell.)

The bottom line with Spring4Shell is that while it shouldn’t be ignored, “this vulnerability is NOT as bad” as the Log4Shell vulnerability, cybersecurity firm LunaSec said in a blog post.

All attack scenarios with Spring4Shell, LunaSec said, “are more complex and have more mitigating factors than Log4Shell did.”

This post, “Spring4Shell Vulnerability Likely Affects Real Apps, Analyst Says,” was originally published at https://venturebeat.com/2022/03/30/spring4shell-vulnerability-likely-to-affect-real-world-apps-analyst-says/