Spring4Shell added to CISA’s list of exploited vulnerabilities
The recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework, known as Spring4Shell, has been added to CISA’s Known Exploited Vulnerabilities Catalog.
It is one of four flaws added to the catalog of exploited vulnerabilities by the federal Cybersecurity and Infrastructure Security Agency (CISA) as of today. CISA set April 25 as the deadline for federal agencies to update the affected software.
Details about the vulnerability known as Spring4Shell leaked last Tuesday, and the flaw in the open source framework was acknowledged Thursday by VMware-owned Spring. Spring is a popular framework in Java application development.
The RCE vulnerability (CVE-2022-22965) affects JDK 9 or later and has several additional requirements for it to be exploitable, including that the application runs on Apache Tomcat, Spring said in a blog post on Thursday. The vulnerability has been given a CVSSv3 severity rating of 9.8, making it a “critical” vulnerability.
The addition of CVE-2022-22965 and the other vulnerabilities to the CISA catalog is “based on evidence of active exploitation,” CISA says on its disclosure page.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,” CISA said.
On Saturday, VMware announced that three products within its Tanzu application platform are affected by Spring4Shell. The company said in an advisory that the affected products are VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).
“A malicious actor with network access to an affected VMware product could exploit this issue to gain complete control over the target system,” VMware said in the advisory.
As per the advisory, patches are now available for Tanzu Application Service for VMs (versions 2.11 and later), Tanzu Application Service (version 2.10) and Tanzu Operations Manager (versions 2.8 and later).
At the time of writing, VMware’s advisory says that patches are still pending for the affected versions of TKGI, which are versions 1.11 and above.
But even with the addition to the CISA catalog and the disclosure of some affected products, the discovery of real-world applications that could be exploited with Spring4Shell was significantly more difficult than with Log4Shell, the RCE vulnerability in Apache Log4j revealed in December.
At the same time, Spring4Shell is considered a “general” vulnerability — with the potential for additional exploits — meaning the best advice is that all Spring users should patch if possible, experts have told VentureBeat.
But even with the worst-case scenario for Spring4Shell, it’s highly unlikely to become as big of a problem as Log4Shell, experts say.
While Spring Framework’s widespread use suggests “many potentially affected deployments…however, the reality is that due to extenuating circumstances, only a small percentage of deployments are truly vulnerable to the issue,” Ilkka Turunen, field CTO at Sonatype, said in a blog post on Monday. “That said, with any major project, there’s a lot of legacy that can lead to older and unmaintained systems becoming potential entry points.”