Thu. May 26th, 2022

Rapid7 has found a Spring Framework vulnerability called Spring4Shell

As usual, a new vulnerability requires risk management to be reassessed.

https://nvd.nist.gov/vuln/detail/CVE-2022-22965 leads to

https://tanzu.vmware.com/security/cve-2022-22965

which gives the following important information:

CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

Affected VMware Products and Versions

Severity is critical unless otherwise noted.

  • Spring Framework
    • 5.3.0 to 5.3.17
    • 5.2.0 to 5.2.19
    • Older, unsupported versions are also affected

Time to work on your vulnerability management

Contact Us to discuss.

Update on April 11th – there are now indications of successful attacks:

Portswigger.net post:

Attackers are abusing Spring4Shell vulnerability to spread Mirai botnet malware

Unfortunately, it did not take long to see this vulnerability being exploited.

And I see it on Internet Storm Center now (mid-day on the 11th of April): https://isc.sans.edu/

From their forum area – it was briefly put on the front page.

Internet Storm Center goes into a lot more detail on a probe, to see if your systems are vulnerable.


Our “First Seen URL” page did show attempts to access /actuator/gateway/routes this weekend. So I dug in a bit deeper to see what these scans are all about. The scans originate from 45.155.204.146 and have been going on for a few days already, but our first-seen list doesn’t display them until they hit a threshold to consider the scans significant. We also see scans from a couple of our IPs, but at a much lower level.

A typical complete request from 45.155.204.146:

GET /actuator/gateway/routes HTTP/1.1
Host: [redacted]:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Encoding: gzip
Connection: close

So it looks like the probes are looking for more vulnerabilities besides Spring4Shell.
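As an added example (not part of this post or of ISC's write-up), here is a small Python check that runs the probe pattern above over constructed web-server access-log lines: it counts requests for /actuator/gateway/routes per source IP, applies a "significant" threshold the way ISC's first-seen list does, and flags any such request that got a 2xx response, which would mean the actuator endpoint is actually reachable on your server. The scanning IP and path are the ones ISC reported; all other values in the sample log are made up.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx combined log format. The probe path and the
# scanning IP are the ones Internet Storm Center reported above; everything else is made up.
SAMPLE_LOG = """\
45.155.204.146 - - [09/Apr/2022:03:12:01 +0000] "GET /actuator/gateway/routes HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
198.51.100.7 - - [09/Apr/2022:03:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.81.0"
45.155.204.146 - - [10/Apr/2022:11:40:22 +0000] "GET /actuator/gateway/routes HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Apr/2022:12:00:00 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.23"
45.155.204.146 - - [11/Apr/2022:08:05:13 +0000] "GET /actuator/gateway/routes HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.5 - - [11/Apr/2022:09:00:00 +0000] "GET /actuator/gateway/routes?x=1 HTTP/1.1" 200 512 "-" "python-requests/2.27"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The Spring Cloud Gateway actuator endpoint requested by the scans described above.
PROBE_PATHS = {"/actuator/gateway/routes"}

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def probe_hits(log_text):
    """Yield parsed records whose request path (query string stripped) is a probe path."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0] in PROBE_PATHS:
            yield rec

def probe_counts(log_text):
    """Number of probe requests per source IP."""
    return dict(Counter(rec["ip"] for rec in probe_hits(log_text)))

def significant_scanners(log_text, threshold=3):
    """IPs whose probe count reaches the threshold, mirroring ISC's first-seen cutoff."""
    return sorted(ip for ip, n in probe_counts(log_text).items() if n >= threshold)

def exposed_probe_hits(log_text):
    """Probe requests answered with 2xx: the actuator endpoint is reachable from outside."""
    return [(rec["ip"], rec["ts"]) for rec in probe_hits(log_text)
            if rec["status"].startswith("2")]
```

A 404 on the probe path means the scanner found nothing; a 2xx from an Internet-facing host is the result worth escalating, since it shows the actuator endpoint is exposed regardless of whether the Spring4Shell RCE itself applies.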

By zafirt
