Updated April 5, 2022
Flashpoint and Risk Based Security have analyzed a new remote code execution (RCE) vulnerability looming in the background, dubbed “SpringShell,” which could affect a wide variety of software. In some circles, SpringShell is being hyped and rumored to be as impactful as Log4Shell. But we are still collecting facts and will continuously update this blog with any information that will help security teams decide if they should prioritize this issue. As of March 31, 2022, Spring has released a patch that addresses the vulnerability, and a release for Spring Boot is in progress.
Here’s a rundown of what we know about SpringShell right now.
Frequently Asked Questions
Spring4Shell or SpringShell?
We recognize that a distinct “Spring Shell” project currently exists, which can make SpringShell’s name confusing. We sympathize with those who have voiced concerns and agree that SpringShell is a poor name.
However, since SpringShell has already been coined for this issue, we will continue to use it to avoid potential misinformation when sharing future updates. Although the “Spring4Shell” name variation has gotten more traction in the media, we encourage others not to use it. The ‘4’ is strictly arbitrary, being used to reference the Log4Shell vulnerability, which derived its name from the Log4j library. Additionally, Spring4Shell implies that this issue is as severe as Log4Shell and current information does not support this.
Is there a CVE for SpringShell?
SpringShell should not be confused with CVE-2022-22963 or CVE-2022-27772. Those are separate issues, but they are being discussed in ways that make them difficult to tell apart from SpringShell.
SpringShell was disclosed March 29, 2022. Two days later, SpringShell was assigned CVE-2022-22965. Currently, it is still in RESERVED status, but according to the vendor, the “specific exploit requires the application to run on Tomcat as a WAR deployment.” Our analysts have confirmed the vulnerability in this environment, but it may affect other environments as well.
Is SpringShell currently exploitable?
A proof-of-concept (PoC) for remote execution has been published and validated for Spring Core. The PoC code leverages this vulnerability to modify Tomcat logging configuration to place shellcode into the log file and then achieve remote code execution.
At this time, the vulnerability affects JDK 9 and newer versions, with exploits in the wild targeting applications running Tomcat as a WAR deployment. Although these conditions are relatively specific, Spring Core is a library, so the exploit methodology will likely differ from deployment to deployment. More information is needed to assess how many devices run the needed configurations, and until then, SpringShell should not be seen as the next Log4Shell.
What is the CVSS for SpringShell?
Like almost any remote code execution (RCE) vulnerability, SpringShell has a CVSSv2 score of 10.0 and a CVSSv3 score of 9.8. However, since Spring is both a framework and a library, the actual implementation of the vulnerable code may reduce the risk, or the issue may manifest in different ways. This could change SpringShell’s impact, increase its access complexity, or require authentication to exploit.
Does SpringShell have limiting factors?
As of this publishing, this issue is reported to affect applications using Spring Framework with Java Development Kit (JDK) 9 and newer versions.
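A triage helper, added here as an example and not part of the original post or of the Spring project, that checks a host for the two limiting factors stated above: a JDK 9 or newer runtime, and Spring Framework applications deployed as WARs under Tomcat. The Tomcat webapps path and the Spring jar name pattern are assumptions; the script only narrows the list of hosts to patch first and does not test for the vulnerability itself.

```python
"""Triage: does this host match the reported SpringShell preconditions?"""
import re
import subprocess
import zipfile
from pathlib import Path
from typing import List, Optional

# Assumption: any Spring Framework module jar under WEB-INF/lib marks the app
# as Spring-based. Adjust the pattern for your build's artifact names.
SPRING_JAR_RE = re.compile(r"^spring-(core|beans|context|web|webmvc)-.*\.jar$")
DEFAULT_WEBAPPS = "/opt/tomcat/webapps"  # assumption: typical Tomcat layout


def java_major_version(version_output: str) -> Optional[int]:
    """Parse the major version from `java -version` output. Handles the legacy
    "1.8.0_292" form (major 8) and the "11.0.14" / "17" forms used since JDK 9."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        return None
    first, second = int(m.group(1)), m.group(2)
    return int(second) if first == 1 and second else first


def jdk_in_affected_range(version_output: str) -> bool:
    """The advisory reports JDK 9 and newer as the affected runtimes."""
    major = java_major_version(version_output)
    return major is not None and major >= 9


def has_spring_jars(app: Path) -> bool:
    """Look inside a packed .war or an exploded webapp directory for Spring jars."""
    if app.is_file() and app.suffix == ".war":
        with zipfile.ZipFile(app) as war:
            names = [Path(n).name for n in war.namelist() if n.startswith("WEB-INF/lib/")]
    else:
        lib = app / "WEB-INF" / "lib"
        names = [p.name for p in lib.iterdir()] if lib.is_dir() else []
    return any(SPRING_JAR_RE.match(n) for n in names)


def spring_war_deployments(webapps_dir: str) -> List[str]:
    """Return Tomcat webapp names that are WAR deployments bundling Spring."""
    return [e.name for e in sorted(Path(webapps_dir).iterdir()) if has_spring_jars(e)]


if __name__ == "__main__":
    out = subprocess.run(["java", "-version"], capture_output=True, text=True).stderr
    print("JDK in affected range (>= 9):", jdk_in_affected_range(out))
    print("Spring WAR deployments:", spring_war_deployments(DEFAULT_WEBAPPS))
```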
How prevalent is the Spring Framework?
According to Spring Framework, it is the world’s most popular Java framework. Major vendors, such as Alibaba and Amazon, have also contributed to Spring.
What are threat actors saying about SpringShell?
According to BleepingComputer, some sources have come forward stating that SpringShell is being actively exploited. GreyNoise has also come forward, stating that two “Spring” vulnerabilities, including SpringShell, have been actively exploited in the wild. CISA added SpringShell to the Known Exploited Vulnerabilities Catalog on April 4, 2022.
Track and monitor zero-day vulnerabilities using Flashpoint
Risk Based Security, a Flashpoint company, covers over 284,000 vulnerabilities, including almost 93,000 not reported by CVE/NVD. Sign up for a free trial to get vulnerabilities 21 days faster on average, compared to NVD.