We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 – August 3. Join AI and data leaders for insightful talks and exciting networking opportunities. Learn more about Transform 2022
A newly disclosed remote code execution vulnerability in Spring Core, a widely used Java framework, does not appear to represent a Log4Shell-level threat.
Security researchers at several organizations have now analyzed the vulnerability, which was disclosed on Tuesday. Several media reports have claimed the bug could be the “next Log4Shell” — akin to the RCE bug in Apache Log4j that was disclosed in December and impacted countless organizations.
However, initial analysis suggests the newly disclosed RCE in Spring Core, dubbed “SpringShell” or “Spring4Shell” in some reports, has significant differences from Log4Shell — and most likely is not as severe.
“Although some may compare SpringShell to Log4Shell, it is not similar at a deeper level,” analysts at cyber firm Flashpoint and its Risk Based Security unit said in a blog post.
The analysts reported that they’ve verified that a published proof-of-concept for the vulnerability is “functional,” which they said validates the vulnerability.
However, while the vulnerability does currently appear to be legitimate, “its impact may not be as severe as initially rumored,” Flashpoint said in a tweet.
Security professional Chris Partridge, who compiled information on the vulnerability on GitHub, wrote that “this does not instinctively seem like it’s going to be a cataclysmic event such as Log4Shell.”
“This vulnerability appears to require some probing to get working depending on the target environment,” Partridge said.
As a result, researchers suggest that while it’s technically possible for the vulnerability to be exploited, the key question is how many real-world applications are actually impacted by it. (BleepingComputer has reported hearing from multiple sources that the vulnerability is being “actively exploited” by attackers.)
The Log4Shell vulnerability, on the other hand, was believed to have impacted the majority of organizations, due to the pervasiveness of the Log4j logging software. The fact that Log4j is often leveraged indirectly via Java frameworks has also made the issue difficult to fully address for many organizations.
No patches yet
In terms of the new Spring Core vulnerability, security engineers at Praetorian said that the vulnerability affects Spring Core on JDK (Java Development Kit) 9 and above. The RCE vulnerability stems from a bypass of CVE-2010-1622, the Praetorian engineers said.
Spring Framework is a popular framework used in the development of Java web applications. At the time of this writing, patches are not currently available.
(The “SpringShell” vulnerability is not the same as the newly disclosed Spring Cloud vulnerability that is tracked at CVE-2022-22963.)
The Praetorian engineers said they have developed a working exploit for the RCE vulnerability. “We have disclosed full details of our exploit to the Spring security team, and are holding off on publishing more information until a patch is in place,” they said in a blog post.