A newly discovered vulnerability in the Spring Core Framework has been confirmed, and could leave millions of apps and websites vulnerable to cyberattacks if it goes unpatched.
The vulnerability, dubbed SpringShell or Spring4Shell by cybersecurity analysts, has drawn inevitable comparisons with Log4Shell, the zero-day vulnerability in the popular Log4j Java logging library that caused widespread problems when it was disclosed in December 2021. Experts say Spring4Shell is more difficult to exploit, but still has the potential to cause widespread damage.
Spring confirmed the problem in its core framework, a widely used toolkit for building Java applications, in a blog post, and published patched releases (Spring Framework 5.3.18 and 5.2.20) that fix the flaw.
Though harder to exploit than Log4Shell, which wreaked havoc in IT systems before Christmas, tens of thousands of attempts to exploit Spring4Shell have already been recorded.
What is the Spring framework?
The Spring Framework provides a programming and configuration model for Java-based enterprise applications on any kind of deployment platform. It offers a “common set of functionalities to include when building applications in Java,” says Martin Jartelius, CSO at cyber risk management company Outpost24, and allows different apps to be connected. Because of this, it is found in millions of web applications and websites, making it almost as ubiquitous as Log4j.
“Spring is super-popular. It’s the most popular framework for the Java programming language, it is literally everywhere,” explains Ilkka Turunen, field CTO at software supply chain management platform Sonatype. “That’s the reason why there’s a lot of gasping at the moment about this.”
What is the Spring4Shell exploit?
The Spring4Shell flaw is an unauthenticated remote code execution (RCE) vulnerability, which means that anyone using data binding, a popular part of Spring that maps incoming request parameters onto Java objects, might be affected by it, says Turunen. An RCE flaw allows an attacker to execute code of their choosing on the target server over the network, without first logging in, so it could be used to deploy malware.
“Right now, known variants of this seem to rely on a few specific conditions to be met, but they’re fairly common conditions,” continues Turunen. “We think that as time goes on, this will evolve further into the different forms of attack.”
How similar is Spring4Shell to the Log4J vulnerability?
Software developers online have started to call the vulnerability Spring4Shell, after Log4Shell. This is because of the popularity of the Spring Core Framework. “It’s a safe assumption to make that anyone who’s writing Java will probably have something written in Spring,” says Turunen.
However, there are some differences, explains Jamie Moles, a senior technical manager at network detection and response firm ExtraHop. “I think one of the big differences between this and Log4Shell is that a lot of people who were using Log4J didn’t know, because it was bundled up and included as a part of an application.” The Spring Framework, on the other hand, is an open-source framework that an application adopts deliberately and declares as a direct dependency, rather than a logging library pulled in transitively, so there will be clearer indicators of where it has been used.
The skills required to exploit the vulnerability are also a bit higher, says Turunen. “It requires a little bit more knowledge,” he says. “It’s still very easy to exploit, but it’s not quite as easy as Log4j.”
How has Spring4Shell been exploited?
In the first weekend after the Spring4Shell vulnerability was disclosed, security company Check Point recorded 37,000 attempts to exploit it, and its research states that 16% of organisations worldwide saw exploitation attempts within the first four days.
Europe has been targeted the most so far, with 20% of its organisations seeing attempts in recent days. Software vendors have weathered the most activity, with 28% of such organisations affected. “Organizations using Java Spring should immediately review their software and update to the latest versions by following the official Spring project guidance,” states the report.
Such high activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities Catalog, citing “evidence of active exploitation.”
Microsoft has released guidance for users of its Azure cloud platform in a recent blog post, stating that “any system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable.” Spring’s own advisory is narrower about the exploit that is currently known, listing JDK 9 or later, Apache Tomcat as the servlet container, the application packaged as a traditional WAR file, and use of the spring-webmvc or spring-webflux modules, while cautioning that the underlying flaw is more general and other exploitation paths may exist.
The flaw has now been assigned the identifier CVE-2022-22965.
How widespread could the attacks be?
As with Log4j, there are likely to be numerous variants of the attack, each requiring a further patch, says Turunen. “There will be another discovery of a new form of attack that will then get exploited in the wild. And then another mitigation and another mitigation,” he says. Because of this, the problem will not disappear overnight. “We’ll probably see different exploitations occur over time, and different fixes coming into play,” he adds.
Attacks using this exploit may already be happening. “In terms of the impact of it, minutes count,” Turunen says. “Typically it’s not unusual to see, within hours of this sort of anomaly coming out, actual exploration of how it could be exploited and trafficked by the observers.”
Signs of attacks against Spring applications running on Apache Tomcat, a widely used Java servlet container, have already been spotted by researchers. “When you run Spring applications using Tomcat, there are some indications that there’s a form of attack there, but they very likely won’t be the last known form of attack. It’s just the starting point for researchers at the moment,” Turunen explains.
What should CISOs do to mitigate risk posed by the Spring Core Framework exploit?
Spring has released patched versions of the framework in the wake of the vulnerability being discovered; upgrading to them is the primary fix. Cybersecurity company Praetorian has also issued advice to technical teams to help them spot and block dangerous requests while they upgrade.
More updates are likely to follow as new ways to exploit the vulnerability come to light. “Obviously, there’s going to be a lot of releases in the next few days, but developers should be on the lookout and be ready to upgrade as soon as it comes out,” Turunen says.
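For teams that cannot upgrade immediately, the interim measure that Spring's advisory recommended is to stop the data binder from ever walking into the bound object's `class` property, which is the path the known attack uses. The Java below is an added example written for this article, not code from the article or from the Spring project; it follows the denylist workaround from Spring's advisory and assumes a Spring MVC application with spring-webmvc on the classpath. The class name `BinderControllerAdvice` and the sample parameter names are illustrative choices.

```java
// Added example, not code from the article or the Spring project. It follows the
// field-denylist workaround published in Spring's CVE-2022-22965 advisory for
// applications that cannot upgrade yet. Assumes a Spring MVC application
// (spring-webmvc on the classpath); the class name is an arbitrary choice.
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.util.PatternMatchUtils;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Applies to every controller in the application. Spring's data binder maps request
 * parameter names such as "address.city" onto nested bean properties. A parameter
 * whose path passes through the bound object's Class ("class.…" or "….class.…")
 * must never be bound, because the known attack walks from there into the class
 * loader and on into the servlet container.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE - 10000) // run ahead of other advice, as in Spring's advisory
public class BinderControllerAdvice {

    /** Property-path patterns the binder must refuse, as listed in Spring's advisory. */
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void setDisallowedFields(WebDataBinder binder) {
        // setDisallowedFields replaces rather than appends. A controller with its own
        // @InitBinder that calls setDisallowedFields overrides this global setting and
        // must include these patterns itself, otherwise it is left unprotected.
        binder.setDisallowedFields(DENYLIST);
    }

    /** The same wildcard test the binder applies, exposed so the denylist can be checked. */
    static boolean isDenied(String propertyPath) {
        return PatternMatchUtils.simpleMatch(DENYLIST, propertyPath);
    }

    public static void main(String[] args) {
        // Constructed sample parameter names for a quick local check: ordinary bean
        // properties are bound, any path routed through "class" is refused.
        String[] samples = {"name", "address.city", "class.classLoader.x", "address.class.x"};
        for (String s : samples) {
            System.out.println(s + " -> " + (isDenied(s) ? "DENIED" : "bound"));
        }
    }
}
```

This is a stopgap, not a fix: it closes the one binding path the current attack relies on, while the patched releases change how the framework exposes `Class` properties at all. Deploy the denylist, then still schedule the upgrade.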