Explanation of Spring4Shell: The Internet security disaster that was not


Hype and hyperbole were on full display this week as the security world responded to reports of yet another Log4Shell, the vulnerability that came to light in December and is without a doubt one of the most serious Internet threats in years. Named Spring4Shell, the new code-execution bug in the widely used Spring Java framework quickly set the security world on fire as researchers tried to assess how serious it was.

One of the first posts to report the bug came from tech news site Cyber Kendra, which warned of serious damage that the bug could cause to “tons of applications” and that it “could corrupt the Internet.” Almost instantly, security companies, many of them peddling snake oil, fell over themselves to warn of the imminent danger we would all face. And all of that came before a vulnerability-tracking designation or advice from the Spring maintainers was even available.

Everyone on board

The hype train started on Wednesday after a researcher published a proof-of-concept exploit that could remotely install a web-based remote-control backdoor, known as a web shell, on a vulnerable system. People were understandably worried because the vulnerability was so easy to exploit and sat in a framework that powers a huge number of websites and apps.

The vulnerability lies in two Spring products, Spring MVC and Spring WebFlux, which developers use to write and test apps. The bug stems from changes introduced in JDK9 that revived a decade-old vulnerability tracked as CVE-2010-1622. Given the abundance of systems that combine the Spring Framework with JDK9 or later, it was no wonder people were worried, especially since the exploit code was already in the wild (the original leaker quickly took the PoC down, but by then it was too late).

On Thursday, the bug was finally designated CVE-2022-22965. Security defenders were also given a much more nuanced description of the threat it posed. The leaked code, the Spring maintainers said, worked only when a Spring-developed app ran on top of Apache Tomcat, and then only when the app was deployed as a file type known as a WAR, short for web archive.

“If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit,” the Spring maintainers wrote. “However, the nature of the vulnerability is more general, and there may be other ways to exploit it.”

While the post left open the possibility that the PoC exploit could be modified to work against other configurations, no one has found a variation that does, at least so far.

“This is something that developers should fix if they use an affected version,” said Will Dormann, a vulnerability analyst at CERT, in a private message. “But we’re still in the boat of not knowing of a single application out there that can be exploited.”

On Twitter, Dormann took Cyber Kendra to task.

“Ways that Cyber Kendra made this worse for everyone,” he wrote: “1) Sensational blog post indicating that this is going to ruin the internet (red flag!) 2) Linking to a git commit on deserialization that has absolutely nothing to do with the problem that the original party demonstrated.”

A Cyber Kendra representative did not respond to a request for comment. In fairness, the line about destroying the Internet was later removed from the post.

SpringShell, not Spring4Shell

Unfortunately, while there is consensus that the vulnerability, at least so far, poses nothing close to the Log4Shell threat, the Spring4Shell name has largely stuck. It will probably mislead some people about its severity. Going forward, Ars will refer to it by its more appropriate name, SpringShell.

Several researchers say they have observed scans in the wild that use the leaked CVE-2022-22965 PoC or an exploit very similar to it. It is not uncommon for researchers to benignly scan servers to gauge how widespread a new vulnerability is. More worrying is a report on Friday in which researchers from Netlab 360 said that a variant of Mirai, malware that can commandeer thousands of IoT devices and mount crippling denial-of-service attacks, “has won the race as the first botnet to adopt this vulnerability.”

To make matters more confusing, a separate code-execution vulnerability emerged last week that affects Spring Cloud Function, which lets developers decouple the business logic in an app from a specific runtime. The bug, tracked as CVE-2022-22963, lies in the Spring Expression Language, commonly known as SpEL.

Both vulnerabilities are potentially serious and should by no means be ignored. That means updating the Spring Framework to 5.3.18 or 5.2.20 and, out of an abundance of caution, also upgrading to Tomcat 10.0.20, 9.0.62 or 8.5.78. Those using Spring Cloud Function should update to either 3.1.7 or 3.2.3.
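As an added triage example, not code from the article or from the Spring project, the following Python encodes the exploit preconditions the article describes for CVE-2022-22965 (JDK9 or later, a WAR deployed on Tomcat, an unpatched Spring Framework) together with the fixed Spring and Tomcat versions listed above, and runs them over a constructed inventory. How it treats release branches absent from the fixed-version table is an assumption, flagged in the code.

```python
import re
from dataclasses import dataclass

# Fixed versions as listed in the article (CVE-2022-22965 / SpringShell).
SPRING_FIXED = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}
TOMCAT_FIXED = {(8, 5): (8, 5, 78), (9, 0): (9, 0, 62), (10, 0): (10, 0, 20)}


def parse_version(text):
    """'5.3.17.RELEASE' or '9.0.62-1' -> (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n) for n in m.groups())


def is_patched(version, fixed_by_branch):
    """True when the major.minor branch is at or above its fixed patch level."""
    v = parse_version(version)
    fixed = fixed_by_branch.get(v[:2])
    if fixed is None:
        # Assumption: branches newer than any in the table carry the fix,
        # older (unlisted) branches do not.
        return v[:2] > max(fixed_by_branch)
    return v >= fixed


@dataclass
class Deployment:
    name: str
    spring_version: str
    jdk_major: int
    packaging: str        # "war" or "jar"
    container: str        # "tomcat", "jetty", "embedded", ...
    container_version: str = ""


def triage(d):
    """Classify one deployment against the preconditions the article lays out."""
    if is_patched(d.spring_version, SPRING_FIXED):
        return "patched"
    if d.jdk_major < 9:
        return "update: pre-JDK9, the known exploit does not apply"
    if d.packaging == "war" and d.container == "tomcat":
        tomcat = "patched" if is_patched(d.container_version, TOMCAT_FIXED) else "unpatched"
        return f"EXPOSED: WAR on {tomcat} Tomcat, JDK{d.jdk_major}, unpatched Spring"
    return "update: the known exploit does not apply to this packaging"


def triage_fleet(deployments):
    """Map each deployment name to its triage verdict."""
    return {d.name: triage(d) for d in deployments}


# Constructed sample inventory (not real systems).
INVENTORY = [
    Deployment("orders-war", "5.3.17", 11, "war", "tomcat", "9.0.61"),
    Deployment("billing-boot", "5.3.17", 17, "jar", "embedded"),
    Deployment("legacy-war", "5.2.19", 8, "war", "tomcat", "8.5.77"),
    Deployment("search-war", "5.3.18", 11, "war", "tomcat", "9.0.62"),
]
```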

For people who are not sure whether their apps are vulnerable to CVE-2022-22965, researchers at security firm Randori have released a simple, non-malicious script that can check for them.

So by all means test and patch as if there is no tomorrow, but do not believe the hype.
