The recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework, known as Spring4Shell, has been added to CISA’s Known Exploited Vulnerabilities Catalog.
It’s among four flaws that have been added to the catalog of exploited vulnerabilities by the federal Cybersecurity and Infrastructure Security Agency (CISA) as of today. CISA set the deadline for federal agencies to update affected software as April 25.
Details on the vulnerability that came to be known as Spring4Shell leaked last Tuesday, and the flaw in the open source framework was acknowledged by VMware-owned Spring on Thursday. Spring is a popular framework in the development of Java applications.
The RCE vulnerability (CVE-2022-22965) affects JDK 9 or higher and has several additional requirements for it to be exploited, including that the application runs on Apache Tomcat, Spring said in its blog post Thursday. The vulnerability has received a CVSSv3 severity rating of 9.8, making it a “critical” flaw.
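As an added triage example (not code from the article, Spring or VMware), the script below ranks an inventory of deployments by whether they match the two prerequisites the article names, JDK 9 or higher and running on Apache Tomcat; Spring's other stated requirements are not modelled, and the `Deployment` fields and the sample inventory are constructed for illustration. It also handles the two Java version-string schemes an inventory export typically mixes, where `1.8.0_292` means JDK 8 but `11.0.14` means JDK 11.

```python
"""Triage helper for CVE-2022-22965 prerequisites as described in the article:
JDK 9+ and deployment on Apache Tomcat. Added example, not vendor code."""
import re
from dataclasses import dataclass


@dataclass
class Deployment:
    name: str
    java_version: str   # raw string as reported by `java -version`
    container: str      # servlet container, e.g. "tomcat" or "jetty"
    uses_spring: bool   # Spring Framework present on the classpath


def jdk_major(version: str) -> int:
    """Return the JDK major release from a version string.
    Legacy scheme '1.8.0_292' carries the major in the second field;
    the modern scheme ('9', '11.0.14', '17.0.2+8') carries it in the first."""
    m = re.match(r"(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {version!r}")
    first = int(m.group(1))
    if first == 1 and m.group(2) is not None:
        return int(m.group(2))
    return first


def meets_prerequisites(d: Deployment) -> bool:
    """True when the deployment matches every prerequisite the article names."""
    return (d.uses_spring and d.container.lower() == "tomcat"
            and jdk_major(d.java_version) >= 9)


def triage(deployments):
    """Split Spring deployments into 'patch first' (all named prerequisites met)
    and 'patch anyway' (Spring present but not every prerequisite met; the
    advice quoted in the article is still to patch all Spring users)."""
    first, anyway = [], []
    for d in deployments:
        if not d.uses_spring:
            continue  # no Spring on the classpath: out of scope for this CVE
        (first if meets_prerequisites(d) else anyway).append(d.name)
    return first, anyway


# Constructed sample inventory (hypothetical hosts, not real systems)
SAMPLE = [
    Deployment("orders-api", "11.0.14", "tomcat", True),
    Deployment("legacy-portal", "1.8.0_292", "tomcat", True),
    Deployment("reports", "17.0.2+8", "jetty", True),
    Deployment("static-site", "17", "nginx", False),
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # (['orders-api'], ['legacy-portal', 'reports'])
```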
The addition of CVE-2022-22965 and the other vulnerabilities to the CISA catalog is “based on evidence of active exploitation,” CISA says on its disclosure page.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,” CISA says.
On Saturday, VMware disclosed that three products within its Tanzu application platform are impacted by Spring4Shell. The company said in an advisory that the affected products are VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).
“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system,” VMware said in the advisory.
Patches are now available for Tanzu Application Service for VMs (versions 2.11 and above), Tanzu Application Service (version 2.10) and Tanzu Operations Manager (versions 2.8 and above), according to the advisory.
As of this writing, VMware’s advisory says patches are still pending for affected versions of TKGI, which are versions 1.11 and above.
Still, even with the addition to the CISA catalog and disclosure of some affected products, the discovery of real-world applications that are exploitable using Spring4Shell has been considerably more difficult than it was with Log4Shell, the RCE vulnerability in Apache Log4j that was disclosed in December.
At the same time, Spring4Shell is considered a “general” vulnerability — with a potential for additional exploits — meaning that the best advice is that all Spring users should patch if possible, experts have told VentureBeat.
But even in the worst-case scenario for Spring4Shell, it is highly unlikely to become as large an issue as Log4Shell, experts have said.
While the wide use of Spring Framework suggests “a lot of potentially affected deployments … the reality however is that due to the mitigating circumstances, only a small percentage of deployments are truly vulnerable to the issue,” said Ilkka Turunen, field CTO at Sonatype, in a blog post Monday. “That said, with any big project, there is a ton of legacy out there that can result in older and unmaintained systems becoming potential entry points.”