Spring4Shell Vulnerability Sets Off Alarms

April 6, 2022 | Brooke Crothers

Organizations worldwide are facing the fallout of the Spring4Shell vulnerability, and Microsoft has reported vulnerabilities in the Spring Framework for Java. But some are questioning the gravity of the exploit.

What is the Spring Framework and Spring4Shell exploit?

The Spring Framework is an open-source programming and configuration model that provides infrastructure support for developers building Java applications (via Check Point). It is used by millions of web applications and websites and is one of the most popular frameworks for the Java programming language. The framework has become popular in the Java community as an addition to the Enterprise JavaBeans (EJB) model.

The Spring4Shell exploit is a zero-day vulnerability in the Spring Core Java framework that may allow unauthenticated remote code execution (RCE) on vulnerable applications. It was publicly disclosed on March 30 before a patch was released.

The vulnerability is newly listed as CVE-2022-22965 by the National Vulnerability Database.

Microsoft reacts

Microsoft responded publicly with a blog on April 4, describing the threat.

“The Spring Framework is the most widely used lightweight open-source framework for Java. In Java Development Kit (JDK) version 9.0 or later, a remote attacker can obtain an AccessLogValve object through the framework’s parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path, if certain conditions are met.

“The vulnerability in Spring Core—referred to in the security community as SpringShell or Spring4Shell—can be exploited when an attacker sends a specially crafted query to a web server running the Spring Core framework. Other vulnerabilities disclosed in the same component are less critical and not tracked as part of this blog.”

SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965, Microsoft Security Blog, updated April 5, 2022

In the course of monitoring attacks against its cloud infrastructure and services, Microsoft said it has been tracking a low volume of exploit attempts but, as of April 5, has not seen a significant increase in the number of attacks or any new campaigns.

VMware has also published security updates for Spring4Shell.

How severe is it?

A report at Ars Technica disputed the seriousness of the exploit.

“Hype and hyperbole were on full display this week as the security world reacted to reports of yet another Log4Shell,” according to the report.

And some later reports downplayed the severity, after initial breathless warnings of what could happen.

“While some have compared this security bug's severity level with Log4Shell…this isn't necessarily true given that Spring4Shell only impacts systems with a very particular configuration,” said BleepingComputer.

Some, including Will Dormann, Vulnerability Analyst at the CERT/CC, took a dim view of the initial overreaction to the vulnerability.

But Dormann later revised his initial take and said it actually was a “thing.”

“And to tie up this thread, I've confirmed that #SpringShell / #Spring4Shell *IS* indeed a thing,” Dormann said in a tweet.

On April 1, the US Cybersecurity and Infrastructure Security Agency (CISA) urged all organizations in the U.S. to patch immediately.
