SpringShell, also known as Spring4Shell, is a vulnerability in the Spring Framework, a widely used open-source framework for building enterprise Java applications.
One reason the vulnerability is considered severe is that it allows unauthenticated remote code execution – in other words, by exploiting this vulnerability, an attacker could run commands on a compromised server without needing credentials or physical access to it. From there, a number of additional types of cyberattacks become possible.
The vulnerability is tracked as CVE-2022-22965. It has made headlines recently in part because of its severity (Spring developer VMware deems the vulnerability critical). Many discussions of SpringShell include mention of CVE-2022-22963. While not technically part of SpringShell, it is a vulnerability in Spring Cloud Function and is also considered critical.
How Could SpringShell Impact You?
Because the Spring Framework is widely used for web system development, this vulnerability may affect many applications that were built with it. Some examples of applications that can be built with the Spring Framework include e-commerce platforms, project management tools or content management repositories. However, not everything built with the Spring Framework is vulnerable. Known approaches to exploiting the vulnerability work under specific conditions.
Unit 42 has observed SpringShell being exploited in the wild. We observed scanning activity – searches for vulnerable systems – as early as March 30. While not all of this activity is malicious, we have seen some SpringShell activity that includes commands that suggest malicious intent.
Since the relevant technical details needed to exploit the vulnerability have gone viral on the internet, SpringShell could possibly be abused on a larger scale by attackers.
Responding to SpringShell: Recommendations
Many organizations do not maintain an up-to-date inventory of software and systems. This can complicate the response to vulnerabilities such as SpringShell – if you don’t know what’s in your environment, it’s difficult to quickly determine what may be affected.
Talk to the leaders responsible for IT and your production systems to determine whether they’re aware of SpringShell and whether your organization is impacted.
A patch for SpringShell was released on March 31. We strongly urge organizations that have projects or products based on Java Development Kit 9 or later and the Spring Framework (and its derivatives) to patch as soon as possible. Consider sharing Unit 42’s full-length post on CVE-2022-22965 with your security teams and others who could benefit from a full technical analysis.
You may also want to consider whether vendors you work with have been impacted and how they are responding. Carnegie Mellon University’s CERT Coordination Center is maintaining a list of impacted vendors.
After any issues related to SpringShell have been resolved, if you discovered that your organization is in the dark about the status of your software and systems, you may take the opportunity to put procedures in place that make it easier to respond the next time there’s news of a critical vulnerability.
Stay Ahead of Threats with the Unit 42 Threat Intel Bulletin
The threat landscape continues to evolve. The monthly Unit 42 Threat Intel Bulletin delivers information you need to evolve with it. Subscribe today.