03.31.2022

Making Sense of SpringShell

Alert
  • facebook share link
  • twitter share link
  • linkedin share link
  • mail share link

Date of Notice: 03/31/2022

Action Level - High

Intro and Disclaimers

SpringShell, Spring4Shell, CVE-2022-22965, many names for essentially a repeat of the Log4Shell scramble we went through at the end of 2021.

Disclaimer: This is an evolving topic, the following will probably change, adjust, and may even be wrong as more information comes to light; the goal is to give you an executive summary so you can plan your next steps.

NOTE: this is CVE-2022-22965, not the CVEs 2022-22963 or 2022-22950 that were announced earlier and previously patched. This is a new CVE with a new patch released.

On March 29th and 30th murmurs of a pervasive Spring Remote Code Execution (RCE) were heard. On March 31st the Spring Maintainers posted that this was indeed true; this is CVE-2022-22965. This most likely will result in widespread need for patching of systems.

What is Spring?

Spring is owned by VMware and is an application development framework for Java.

What is the concern?

Spring, much like Log4J, is a widely used solution for Java. This is also an RCE vulnerability, meaning it needs to be taken seriously. The saving grace is that initial research from Praetorian indicates that this attack will require custom payloads and a knowledge of the target endpoint.

What are the next steps?

Take a deep breath, break out the documents from dealing with Log4Shell, and monitor your vendors for any updates or patches related to SpringShell or Spring4Shell. Spring themselves have released an update so that impacted software vendors will be able to update and implement any needed fixes to software impacted by this vulnerability.

Keep an eye out for tweets from MCNC as well. We will monitor this and post updates as they emerge.

MCNC
PO Box 12889
3021 East Cornwallis Road
RTP, NC 27709-2889
919-248-1900 Phone | 919-248-1101 Fax
Connect With Us
  • linkedin
  • instagram
  • x
  • facebook
  • youtube
© 2024 MCNC