A newly-discovered zero-day vulnerability known as Spring4Shell could have “a larger impact” than Log4j.
Log4j made waves in recent months as the vulnerability in the popular open-source logging library enabled attackers to break into systems, steal passwords and logins, extract data, and infect networks with malicious software.
However, attention is now shifting to the Spring4Shell exploit.
Spring4Shell is a zero-day remote code execution (RCE) vulnerability in the Spring framework that was discovered after a Chinese security researcher leaked a proof-of-concept (PoC) exploit on GitHub.
“In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted HTTP request to a vulnerable system,” explained Praetorian security researchers Anthony Weems and Dallas Kaman.
“However, exploitation of different configurations will require the attacker to do additional research to find payloads that will be effective.”
Additional details are being withheld by responsible security researchers to limit the potential damage until the Spring framework is patched.
In the meantime, Praetorian recommends “creating a ControllerAdvice component (which is a Spring component shared across Controllers) and adding dangerous patterns to the denylist.”
Researchers are currently split on how severe the real-world impact could be.
“Current information suggests in order to exploit the vulnerability, attackers will have to locate and identify web app instances that actually use the DeserializationUtils, something already known by developers to be dangerous,” said Flashpoint in its analysis.
Other researchers are more concerned.
“The Contrast Security Labs team has confirmed a critical zero-day vulnerability named Spring4Shell, affecting the spring-core artifact which is a popular framework used widely in 74 percent of Java applications,” said David Lindner, CISO at Contrast Security.
“The Contrast Labs team has proven the exploit due to how a Spring application handles binding, and we believe it could have a larger impact than Log4j. Our team is continuing to explore this vulnerability.
“We recommend Java developers to specifically set the allowed fields property or properly set the disallowed fields for the known malicious attack patterns within the DataBinder class.”
Rather than await further analysis, it’s better to be proactive to ensure your apps and services are protected from the Spring4Shell vulnerability.
Want to learn more about cybersecurity from industry leaders? Check out Cyber Security & Cloud Expo. The next events in the series will be held in Santa Clara on 11-12 May 2022, Amsterdam on 20-21 September 2022, and London on 1-2 December 2022.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.