Important information about the Spring4Shell vulnerability
NBIP aims to inform its members about new and existing vulnerabilities with a high risk profile. Below you will therefore find information about Spring4Shell and what you can do to reduce the risk of data loss or a data breach.
The National Cyber Security Center (NCSC) warns of a serious vulnerability in the Spring Core Framework
Spring4Shell is a vulnerability in the Spring Core Framework. That is a set of Java libraries used to develop applications in a structured way; such applications can run either standalone or in a web application environment such as Tomcat. Exploiting the vulnerability has several technical prerequisites and requires multiple malicious requests, but a successful attack results in unauthenticated remote code execution.
The NCSC has published a High/High security advisory about the vulnerability. The NCSC page provides more information on which versions of the Spring Framework are vulnerable and what you can do about it.
In addition, a number of scan tools have been published on GitHub that can be used to test whether your systems are vulnerable. One of them can be found here.
Is there a patch available?
Spring.io has released updates that fix the vulnerability: Spring Framework versions 5.3.18 and 5.2.20. Earlier releases on those lines are affected. More information is available on the page of the NCSC.
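Before patching you need to know where the framework is deployed. The script below is an added example (not tooling from NBIP, the NCSC or Spring) that inventories Spring Framework jars by file name, or from `mvn dependency:list` output, and compares each version with the fix releases named above. The module list, the Maven output format and the sample jar names are assumptions made for the example. Two caveats: a version below the fix release says a system needs patching, not that it is exploitable, since the attack has further prerequisites; and an application that bundles Spring inside a single fat or shaded jar will not show up in a file-name scan, which is one reason to also follow the NCSC overview of affected applications.

```python
"""
Inventory check of Spring Framework artifacts against the Spring4Shell fix
versions (5.3.18 and 5.2.20). Added example, not code from NBIP, NCSC or
Spring. Module list, Maven line format and sample input are assumptions.
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, int, int]

# Fix releases named in the advisory. 5.3.18 is also the floor for anything newer.
FIX_5_3: Version = (5, 3, 18)
FIX_5_2: Version = (5, 2, 20)

# Spring Framework modules that share the framework version number (assumption:
# enough for an inventory; spring-boot-* and spring-security-* have their own
# version lines and are deliberately not matched).
MODULES = r"spring-(?:core|beans|context|web|webmvc|webflux|aop|expression)"

# spring-core-5.3.17.jar, spring-webmvc-5.2.19.RELEASE.jar, ...
JAR_RE = re.compile(
    rf"^(?P<artifact>{MODULES})-(?P<version>\d+\.\d+\.\d+(?:[.-][A-Za-z0-9]+)*)\.jar$"
)
# One line of `mvn dependency:list` output (assumed format), e.g.
#   [INFO]    org.springframework:spring-beans:jar:5.3.17:compile
# The trailing ':' after the group id keeps org.springframework.boot out.
MAVEN_RE = re.compile(rf"org\.springframework:(?P<artifact>{MODULES}):jar:(?P<version>[^:\s]+)")


def parse_version(text: str) -> Version:
    """'5.2.19.RELEASE' -> (5, 2, 19). Raises ValueError on anything else."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Spring version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]))


def classify(version: str) -> str:
    """Compare a framework version with the fix releases from the advisory.

    patched         at or above 5.3.18, or on the 5.2 line at or above 5.2.20
    vulnerable      on the 5.2 or 5.3 line but below the fix release
    no-fix-on-line  an older line (5.1, 4.x, ...) for which the advisory names
                    no fix release; treat as needing an upgrade
    """
    v = parse_version(version)
    if v >= FIX_5_3:
        return "patched"
    if v[:2] == (5, 3):
        return "vulnerable"
    if v[:2] == (5, 2):
        return "patched" if v >= FIX_5_2 else "vulnerable"
    return "no-fix-on-line"


def scan_names(names: Iterable[str]) -> List[Dict[str, str]]:
    """Classify every path whose basename is a Spring Framework module jar."""
    findings = []
    for name in names:
        m = JAR_RE.match(os.path.basename(name))
        if m:
            findings.append({"path": name, "artifact": m["artifact"],
                             "version": m["version"], "status": classify(m["version"])})
    return findings


def scan_tree(root: str) -> List[Dict[str, str]]:
    """Walk a deployment directory (e.g. Tomcat's webapps/) and classify every Spring jar."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return scan_names(paths)


def scan_maven_list(output: str) -> List[Dict[str, str]]:
    """Classify the framework modules listed in `mvn dependency:list` output."""
    return [{"path": "pom", "artifact": m["artifact"], "version": m["version"],
             "status": classify(m["version"])}
            for m in MAVEN_RE.finditer(output)]


def needs_action(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Everything that is not on a fixed release."""
    return [f for f in findings if f["status"] != "patched"]


# Constructed sample input (not from a real system): a Tomcat webapps tree and one Maven listing.
SAMPLE_JARS = [
    "webapps/shop/WEB-INF/lib/spring-core-5.3.17.jar",
    "webapps/shop/WEB-INF/lib/spring-beans-5.3.17.jar",
    "webapps/legacy/WEB-INF/lib/spring-webmvc-5.2.19.RELEASE.jar",
    "webapps/intranet/WEB-INF/lib/spring-core-5.1.20.RELEASE.jar",
    "webapps/api/WEB-INF/lib/spring-web-5.3.18.jar",
    "webapps/api/WEB-INF/lib/spring-boot-2.6.5.jar",        # own version line, ignored
    "webapps/api/WEB-INF/lib/jackson-databind-2.13.2.jar",  # not Spring, ignored
]
SAMPLE_MVN = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-context:jar:5.3.17:compile
[INFO]    org.springframework:spring-core:jar:5.3.18:compile
[INFO]    org.springframework.boot:spring-boot:jar:2.6.5:compile
"""

if __name__ == "__main__":
    for f in scan_names(SAMPLE_JARS) + scan_maven_list(SAMPLE_MVN):
        print(f"{f['status']:<15} {f['artifact']}:{f['version']}  ({f['path']})")
```

On a real host, `scan_tree("/opt/tomcat/webapps")` replaces the constructed list; run it on every server, not only the internet-facing ones, and keep the output as the record of what was upgraded.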
Over the coming month, the NCSC will maintain an up-to-date list of mitigation measures, detection methods, and applications that are known to be vulnerable, or known not to be vulnerable, to Spring4Shell.
You can find this overview on the NCSC’s GitHub.
Keep an eye on this overview and take action as needed for any application your organization uses.