Rapid7 has found a Spring Framework vulnerability called Spring4Shell.
As usual, a new vulnerability requires risk management to be reassessed.
https://nvd.nist.gov/vuln/detail/CVE-2022-22965 leads to
https://tanzu.vmware.com/security/cve-2022-22965
which gives the following important information:
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
Severity is critical unless otherwise noted.
- Spring Framework
- 5.3.0 to 5.3.17
- 5.2.0 to 5.2.19
- Older, unsupported versions are also affected
Time to work on your vulnerability management.
Contact Us to discuss.
Update on April 11th – there are now indications of successful attacks:
Portswigger.net post:
Attackers are abusing Spring4Shell vulnerability to spread Mirai botnet malware
Unfortunately it did not take long to see this vulnerability being exploited.
And I see it (mid-day on the 11th of April) on the Internet Storm Center now: https://isc.sans.edu/
From their forum area – it was briefly put on the front page.
The Internet Storm Center goes into a lot more detail on one of the probes being used to see whether systems are vulnerable.
Our “First Seen URL” page did show attempts to access /actuator/gateway/routes this weekend. So I dug in a bit deeper to see what these scans are all about. The scans originate from 45.155.204.146 and have been going on for a few days already, but our first-seen list doesn’t display them until they hit a threshold to consider the scans significant. We also see scans from a couple of our IPs, but at a much lower level.
A typical complete request from 45.155.204.146:
GET /actuator/gateway/routes HTTP/1.1
Host: [redacted]:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Encoding: gzip
Connection: close
So it looks like the probes are looking for more vulnerabilities besides Spring4Shell.
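Two checks a defender would want from the details above, as an added example (not code from this post, ISC or the Spring project): a version test against the affected ranges in the VMware advisory, and a scan of web access-log lines for the /actuator/gateway/routes probe path ISC observed. The log lines are constructed for illustration, and the version check covers only the framework version, not the advisory's other conditions (JDK 9+, deployment details).

```python
import re

# Affected Spring Framework ranges from the CVE-2022-22965 advisory (inclusive).
# The advisory also states that older, unsupported versions are affected.
AFFECTED_RANGES = [((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19))]


def parse_version(version: str) -> tuple:
    """Parse 'major.minor.patch'; suffixes such as '.RELEASE' are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Spring version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the Spring Framework version falls in an affected range."""
    v = parse_version(version)
    if v < (5, 2, 0):
        return True  # older, unsupported versions are also affected
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Constructed access-log lines (combined log format) for illustration only;
# the first one mirrors the probe ISC described (path and source address).
SAMPLE_LOG = """\
45.155.204.146 - - [09/Apr/2022:03:12:44 +0000] "GET /actuator/gateway/routes HTTP/1.1" 404 153 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Apr/2022:03:13:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.9 - - [10/Apr/2022:11:02:09 +0000] "POST /actuator/gateway/routes/x HTTP/1.1" 403 0 "-" "python-requests/2.27"
"""

PROBE_PATH = "/actuator/gateway/routes"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_probes(log_text: str, path_prefix: str = PROBE_PATH) -> list:
    """Return (source_ip, method, path, status) for requests touching the probe path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(4).startswith(path_prefix):
            ip, _ts, method, path, status = m.groups()
            hits.append((ip, method, path, int(status)))
    return hits


if __name__ == "__main__":
    for v in ("5.3.17", "5.3.18", "5.2.20", "4.3.30.RELEASE"):
        print(v, "affected" if is_affected(v) else "not affected")
    for hit in find_probes(SAMPLE_LOG):
        print("probe:", hit)
```

A hit on the probe path only shows that a scanner reached the host; whether the application was exposed still depends on the version check and the advisory's other conditions.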