Making Sense of SpringShell
Date of Notice: 03/31/2022
Action Level - High
Intro and Disclaimers
SpringShell, Spring4Shell, CVE-2022-22965: many names for what is shaping up to be a repeat of the Log4Shell scramble we went through at the end of 2021.
Disclaimer: This is an evolving topic. The following may change, be adjusted, or even turn out to be wrong as more information comes to light; the goal is to give you an executive summary so you can plan your next steps.
NOTE: this is CVE-2022-22965, not CVE-2022-22963 (a Spring Cloud Function issue) or CVE-2022-22950 (a Spring Framework denial-of-service issue), both of which were announced and patched earlier. This is a new CVE with a new patch.
On March 29th and 30th, murmurs of a pervasive Spring Remote Code Execution (RCE) vulnerability were heard. On March 31st the Spring maintainers confirmed it and assigned CVE-2022-22965. This will most likely result in a widespread need to patch systems.
What is Spring?
Spring is an open-source application development framework for Java, maintained by VMware.
What is the concern?
Spring, much like Log4j, is used very widely in the Java ecosystem, and this is a remote code execution (RCE) vulnerability, so it needs to be taken seriously. The saving grace is that initial research from Praetorian indicates that exploitation requires a custom payload and knowledge of the target endpoint. The Spring team's announcement narrows the known exploit further: it affects Spring MVC and Spring WebFlux applications running on JDK 9 or newer, deployed as a WAR on Apache Tomcat; a Spring Boot executable JAR (the default packaging) is not affected by the known exploit. The underlying weakness is more general, though, and other exploitation paths may exist, so do not treat those preconditions as a reason to skip patching.
What are the next steps?
Take a deep breath, break out the documents from dealing with Log4Shell, and monitor your vendors for any updates or patches related to SpringShell or Spring4Shell. Spring has already released fixed versions (Spring Framework 5.3.18 and 5.2.20, and Spring Boot 2.6.6 and 2.5.12), so software vendors whose products bundle Spring are able to rebuild and ship updates; until they do, inventory which of your applications carry an older Spring Framework.
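The inventory step above is where most teams lose time, so here is a small scanner for it. This is an added example, not code from the advisory or from the Spring project: it walks a directory of JAR and WAR files, reads the Maven pom.properties that Spring Framework artifacts ship under META-INF, and flags versions older than the fixed releases (5.3.18 for the 5.3 line, 5.2.20 for the 5.2 line, as announced by the Spring team; older, unsupported lines get no fix and are flagged too). The sample archives it builds in a temporary directory are constructed for the demo and contain only a pom.properties file, not real Spring code.

```python
"""Inventory scanner: flag Spring Framework artifacts older than the CVE-2022-22965 fix.

Added example for this notice; not the Spring project's tooling. The fixed version
numbers come from the Spring team's 2022-03-31 announcement. The fixture archives
built by build_fixture() are constructed stand-ins, not real Spring artifacts.
"""
import io
import os
import re
import tempfile
import zipfile

# Fixed releases per maintained line: 5.3.x -> 5.3.18, 5.2.x -> 5.2.20.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
POM_RE = re.compile(r"META-INF/maven/org\.springframework/([^/]+)/pom\.properties$")
# Nested library directories: WAR layout and Spring Boot executable-JAR layout.
NESTED_LIB_DIRS = ("WEB-INF/lib/", "BOOT-INF/lib/")


def parse_version(text):
    """'5.3.17' or '5.3.17.RELEASE' -> (5, 3, 17); None if the string is not x.y.z."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True if the version predates the fix for its line. Lines older than 5.2 are
    out of support and have no fix, so they are flagged. Unknown version -> None."""
    if version is None:
        return None
    line = version[:2]
    if line in FIXED:
        return version < FIXED[line]
    return version < (5, 2, 0)


def spring_version_from_zip(zf):
    """Return (artifact, version) for the first org.springframework pom.properties found."""
    for name in zf.namelist():
        m = POM_RE.match(name)
        if not m:
            continue
        for line in zf.read(name).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return m.group(1), line.split("=", 1)[1].strip()
    return None


def scan_archive(path):
    """Scan one JAR/WAR plus any JARs nested under WEB-INF/lib or BOOT-INF/lib.
    Returns a list of (location, artifact, version, vulnerable) findings."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        hit = spring_version_from_zip(zf)
        if hit:
            findings.append((path, hit[0], hit[1], is_vulnerable(parse_version(hit[1]))))
        for name in zf.namelist():
            if name.startswith(NESTED_LIB_DIRS) and name.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    hit = spring_version_from_zip(inner)
                    if hit:
                        loc = f"{path}!{name}"
                        findings.append((loc, hit[0], hit[1], is_vulnerable(parse_version(hit[1]))))
    return findings


def scan_tree(root):
    """Recursively scan every .jar and .war under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith((".jar", ".war")):
                findings.extend(scan_archive(os.path.join(dirpath, f)))
    return findings


def build_fixture(root):
    """Constructed sample archives: one patched spring-beans JAR and one WAR that
    bundles a vulnerable spring-webmvc under WEB-INF/lib. Demo data only."""
    def pom(artifact, version):
        return (f"META-INF/maven/org.springframework/{artifact}/pom.properties",
                f"version={version}\ngroupId=org.springframework\nartifactId={artifact}\n")
    with zipfile.ZipFile(os.path.join(root, "spring-beans-5.3.18.jar"), "w") as zf:
        zf.writestr(*pom("spring-beans", "5.3.18"))
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(*pom("spring-webmvc", "5.3.17"))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/spring-webmvc-5.3.17.jar", inner.getvalue())
        zf.writestr("WEB-INF/web.xml", "<web-app/>")


def demo():
    """Build the fixture, scan it, and return {artifact: (version, vulnerable)}."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return {art: (ver, vuln) for _, art, ver, vuln in scan_tree(root)}


if __name__ == "__main__":
    for art, (ver, vuln) in demo().items():
        print(f"{art} {ver}: {'VULNERABLE' if vuln else 'patched'}")
```

Point scan_tree() at a real deployment directory (for example a Tomcat webapps folder) to get a list of archives to chase with vendors. A hit means the archive carries an unpatched Spring Framework; it does not by itself prove the known exploit works against that deployment, which also depends on the JDK version and servlet container, so treat the output as a patch list rather than an exposure list.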
Keep an eye out for tweets from MCNC as well. We will monitor this and post updates as they emerge.