Spring4Shell already reaches more than 15% of businesses worldwide

Around 37,000 exploit attempts were reported in the first weekend since the Spring4Shell vulnerability – also simply called SpringShell by some researchers – was identified, according to Check Point Research. During the first four days, 16% of companies around the world had already been affected. The most impacted region was Europe, accounting for 20% of attacks, while software vendors were the most impacted sector (28%).

The issue affects Spring Framework, one of the three most popular frameworks for Java application development, and the recommendation for user organizations is to upgrade to newer versions, following the official Spring project guidelines. According to SecurityScorecard, it has been assigned the designation CVE-2022-22965 and scored 9.8 in the CVSS ranking, due partially to ease of exploitation.

In 2010, another RCE vulnerability was identified in Spring Framework v2.5. The new RCE vulnerability is related to this old one, but only affects Java versions 9 and higher (JDK9+), and can be exploited only with endpoints that interface with the Internet.

“Scans looking for a specific combination of factors suggestive of fragile instances found 150,000 vulnerable devices after monitoring a quarter of the Internet. This is an indicator that up to 600,000 devices may have exploitable vulnerable components,” says Jared Smith, senior director of intelligence at SecurityScorecard.

Another worrying point is that the speed at which Spring environments are being updated seems slow. According to Sonatype, which maintains a dashboard to track how patches for Spring4Shell are being employed, 79% of Spring downloads as of March 31 were still vulnerable, suggesting that developers have not acted promptly to update their Spring instances. This does not mean, however, that applications running unpatched versions of Spring are necessarily vulnerable.

Sonatype recalls that when the Log4Shell vulnerability was identified last December, it also started publishing remediation statistics. However, despite the initiative to raise awareness of the serious problem, around 40% of log4j2 downloads are still vulnerable versions.

The company points out that while there is similarity in names to Log4Shell, the Spring4Shell vulnerability does not appear to have the same destructive potential. Certain conditions would need to be met for successful exploitation of Spring4Shell.

Alarming news about the new flaw has led to confusion and excessive concern that severe damage like that caused by Log4Shell last December would have to be dealt with again.

How to protect yourself

According to security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/#:~:text=for%20this%20vulnerability.-,Observed%20activity,-Microsoft%20regularly%20monitors" target="_blank" rel="noopener">Microsoft, any system using JDK 9.0 or later and Spring Framework or derived frameworks should be considered vulnerable. The company is one among many other cybersecurity companies, agencies and researchers that have come up with lists of vulnerable products or tools to detect applications subject to vulnerability.

For example, the threat and vulnerability management console in Microsoft 365 Defender can help detect and report the occurrence of such a vulnerability. The CERT Coordination Centre at Carnegie Mellon University provides a list of vendors that have confirmed they have products that are vulnerable or under investigation.

Spring itself guides how to apply the necessary fix on its blog with the Spring Framework update addressing the CVE-2022-22965 flaw.