The recently disclosed remote code execution (RCE) vulnerability in the Spring Framework, known as Spring4Shell, has been added to CISA's Known Exploited Vulnerabilities catalog.
It is one of four flaws the Cybersecurity and Infrastructure Security Agency (CISA) has added to its catalog of exploited vulnerabilities. CISA has set April 25 as the deadline for federal agencies to patch the affected software.
Details of Spring4Shell leaked last Tuesday, and the vulnerability was confirmed on Thursday by Spring, the VMware-owned open source project. Spring is a widely used framework for developing Java applications.
The RCE vulnerability (CVE-2022-22965) requires JDK 9 or newer, and exploitation depends on several additional preconditions, including the application being deployed as a WAR on Apache Tomcat, Spring said in its blog post on Thursday. The vulnerability has a CVSSv3 base score of 9.8, which rates it "critical."
The addition of CVE-2022-22965 and the other vulnerabilities to the CISA catalog is "based on evidence of active exploitation," CISA states on its alert page.
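Because exploitability hinges on a combination of preconditions rather than on the Spring version alone, triage usually means checking each deployed artifact against all of them. The Python script below is an added example, not code from the original article nor from Spring, VMware or CISA. Besides the JDK 9+ and Tomcat requirements mentioned above, it applies the other preconditions from Spring's advisory (WAR packaging, a spring-webmvc or spring-webflux dependency) and the fixed Spring Framework versions, 5.3.18 and 5.2.20, none of which this page states. The jar-naming pattern, the `assess` and `build_sample_war` helpers, and the in-memory sample WAR are assumptions made here for illustration.

```python
import io
import re
import sys
import zipfile

# Spring Framework releases that fix CVE-2022-22965 (from Spring's advisory,
# not from this article): 5.3.18 on the 5.3 line, 5.2.20 on the 5.2 line.
FIXED_5_3 = (5, 3, 18)
FIXED_5_2 = (5, 2, 20)

# Assumed jar-naming convention for the Spring artifacts we care about,
# e.g. WEB-INF/lib/spring-webmvc-5.3.17.jar or spring-beans-5.2.19.RELEASE.jar
SPRING_JAR_RE = re.compile(
    r"^WEB-INF/lib/spring-(webmvc|webflux|beans)-(\d+\.\d+\.\d+)[^/]*\.jar$"
)


def parse_version(version: str) -> tuple:
    """Turn '5.3.17' (or '5.3.17.RELEASE') into a comparable (5, 3, 17)."""
    nums = []
    for part in version.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_fixed_spring(version: str) -> bool:
    """True if this Spring Framework version contains the CVE-2022-22965 fix."""
    v = parse_version(version)
    if v >= FIXED_5_3:          # 5.3.18+ and every later line
        return True
    if v[:2] == (5, 2):         # 5.2 maintenance line
        return v >= FIXED_5_2
    return False                # older 5.x / 4.x lines never received a fix


def inspect_war(war) -> dict:
    """Map artifact name -> version for the Spring jars found under WEB-INF/lib."""
    found = {}
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            m = SPRING_JAR_RE.match(name)
            if m:
                found[m.group(1)] = m.group(2)
    return found


def assess(war, java_major: int, container: str) -> dict:
    """Evaluate the published preconditions for one WAR deployment.

    `war` is a path or file-like object; handing us a WAR already satisfies
    the WAR-packaging precondition. `java_major` is the runtime's major
    version (8, 11, 17, ...); `container` is the servlet container name.
    """
    jars = inspect_war(war)
    version = jars.get("beans") or jars.get("webmvc") or jars.get("webflux")
    checks = {
        "jdk9_or_newer": java_major >= 9,
        "tomcat": container.lower().startswith("tomcat"),
        "spring_webmvc_or_webflux": "webmvc" in jars or "webflux" in jars,
        "unfixed_spring": version is not None and not is_fixed_spring(version),
    }
    # Only when every precondition holds is the deployment in scope for the CVE.
    checks["exposed"] = all(checks.values())
    return {"spring_version": version, "checks": checks}


def build_sample_war(spring_version: str) -> io.BytesIO:
    """Constructed sample WAR (empty jars, just the names) for offline runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for artifact in ("spring-core", "spring-beans", "spring-webmvc"):
            zf.writestr(f"WEB-INF/lib/{artifact}-{spring_version}.jar", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python spring4shell_triage.py app.war 11 "Tomcat 9.0.58"
    # With no arguments, runs against the constructed sample WAR instead.
    if len(sys.argv) == 4:
        result = assess(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    else:
        result = assess(build_sample_war("5.3.17"), 11, "Tomcat 9.0.58")
    print(result)
```

Note that a deployment failing one check (for example Java 8, or a Spring Boot executable jar rather than a WAR) is not exploitable via the published vector, but "unfixed_spring" being true still means it should be scheduled for patching; the checks narrow the emergency list, they do not replace the upgrade.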
CISA says, “Such vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise.”
On Saturday, VMware disclosed that three products within its Tanzu application platform are affected by Spring4Shell. The company said in an advisory that the affected products are VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).
“Malicious actors with network access to the affected VMware product may use this issue to gain complete control over the target system,” VMware said in the advisory.
According to the advisory, patches are now available for Tanzu Application Service for VMs (versions 2.11 and above, as well as version 2.10) and for Tanzu Operations Manager (versions 2.8 and above).
As of this writing, VMware's advisory states that patches are still pending for the affected versions of TKGI, version 1.11 and above.
Still, even with the addition to CISA's catalog and the disclosure of some affected products, finding real-world applications that are exploitable via Spring4Shell has proved considerably harder than it was for Log4Shell, the RCE vulnerability disclosed in Apache Log4j in December.
At the same time, Spring4Shell is considered a "common" vulnerability, with the potential for further exploitation, so the best advice is that all Spring users should patch if they can, experts told VentureBeat.
But even allowing for the worst-case scenario, Spring4Shell is unlikely to be as big a problem as Log4Shell, experts say.
The widespread use of the Spring Framework suggests "a lot of potentially affected deployments… although the reality is that due to reduced circumstances, only a small percentage of deployments are really sensitive to this issue," Ilkka Turunen, field CTO at Sonatype, said in a blog post on Monday. "With any major project, there is a ton of legacy that could result in older and obsolete systems becoming potential entry points," he said.