Security researchers from Check Point have discovered multiple vulnerabilities in the popular Java Spring Framework developer environment. The vulnerabilities are now being used for attacks, and according to Check Point, 16 percent of all organizations worldwide were affected after just four days. Immediate updating of affected products is strongly recommended.
I had already reported on these vulnerabilities as of April 6, 2022, in the blog post VMware patches Spring4Shell RCE vulnerability CVE-2022-22965.
The Spring4Shell vulnerabilities
Security researchers at Check Point Research (CPR) are warning all users of the popular Java Spring Framework developer environment about the newly discovered vulnerabilities. The vulnerabilities were named Spring4Shell in reference to the Log4J vulnerability. The following vulnerabilities, affecting customers in the US and Europe, have been officially registered under this term:
- CVE-2022-22947 – official VMware post
- CVE-2022-22963 – official Spring project post
- CVE-2022-22965 – official Spring project post
Security researchers observed several indicators of injection/remote code execution being used as the attack path for Spring4Shell. Europe in particular is under fire, according to the security researchers. According to Check Point, 20 percent of organizations are said to be at risk because of Spring4Shell. Software vendors make up the largest affected group globally, at 28 percent. A message from the security vendor said 16 percent of all organizations worldwide were affected after just four days.
Spring4Shell attacks, source: Check Point
Microsoft has published this article about Spring4Shell vulnerabilities. The colleagues at Bleeping Computer mention here that Microsoft, while tracking ongoing attacks, has discovered Spring4Shell exploits being used against its own cloud infrastructure. So far, however, no successful attack has been detected, as Microsoft has patched the software. CISA is also warning about these vulnerabilities.
The developers have released Java Spring Framework versions 5.3.18 and 5.2.20, as well as Spring Boot 2.5.12, which successfully fix the RCE issue. The Check Point security researchers recommend updating the Java Spring Framework to the latest version immediately to close the vulnerabilities. The issue for end users is that vendors of software products that use the Java Spring Framework must provide the relevant product updates. In doing so, following the Spring Project's guide is advised. A detailed overview of Check Point's observations on Spring4Shell can be found in this article.
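As an added defender-side example (not from the article, Check Point or the Spring project), the fixed versions named above can be turned into a quick scan of a build's resolved dependencies. It assumes the `[INFO]    group:artifact:type:version:scope` line format of `mvn dependency:list` and runs over a constructed sample:

```python
import re

# Minimum safe version per release line, as named in the article:
# Spring Framework 5.3.18 / 5.2.20, Spring Boot 2.5.12.
FIXED = {
    "org.springframework": {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)},
    "org.springframework.boot": {(2, 5): (2, 5, 12)},
}

def parse_version(text):
    """'5.3.17.RELEASE' -> (5, 3, 17); trailing qualifiers are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())

def classify(group, version):
    """'fixed', 'vulnerable', 'unknown-line' (release line not in the
    table, check the vendor advisory) or 'not-spring'."""
    lines = FIXED.get(group)
    if lines is None:
        return "not-spring"
    v = parse_version(version)
    fixed = lines.get(v[:2])
    if fixed is None:
        return "unknown-line"
    return "fixed" if v >= fixed else "vulnerable"

# Matches lines such as "[INFO]    org.springframework:spring-beans:jar:5.3.17:compile".
# Lines carrying a classifier (group:artifact:type:classifier:version:scope) are skipped.
DEP_RE = re.compile(r"^\[INFO\]\s+([\w.-]+):([\w.-]+):[\w-]+:([^:\s]+):\w+")

def scan_dependency_list(text):
    """Return [(group:artifact, version, status)] for every Spring artifact."""
    findings = []
    for line in text.splitlines():
        m = DEP_RE.match(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        status = classify(group, version)
        if status != "not-spring":
            findings.append((f"{group}:{artifact}", version, status))
    return findings

# Constructed sample output; not taken from a real build.
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-beans:jar:5.3.17:compile
[INFO]    org.springframework:spring-webmvc:jar:5.3.18:compile
[INFO]    org.springframework.boot:spring-boot:jar:2.5.11:compile
[INFO]    org.springframework:spring-core:jar:5.1.20.RELEASE:compile
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.58:compile
"""

if __name__ == "__main__":
    for name, version, status in scan_dependency_list(SAMPLE):
        print(f"{status:12} {name} {version}")
```

Versions managed by a parent POM are only visible in the resolved list, which is why the scan reads `mvn dependency:list` output rather than the raw pom.xml.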