Security researchers are warning of a new critical remote code execution bug in a popular Java developer framework, although reports that it could be the next Log4Shell may be overblown.
Dubbed “SpringShell” by some in the community, the vulnerability affects the spring-core artifact, a popular framework used extensively in Java applications, specifically when running on JDK9 or newer.
“The vulnerability affects anyone using spring-core, a core part of the Spring Framework, to perform logging, and anyone using software built on Spring, which is a large population of enterprise Java software,” explained Sonatype.
“It stems from a previously exploited issue (CVE-2010-1622) in Spring that was patched in the past, but became vulnerable again when used with JDK9.”
Sonatype warned that older versions of Spring that allow Java reflection are often exposed to RCE bugs like this. Ultimately, exploitation could allow an attacker to deliver a poisoned payload to a Spring application and gain full remote control of the system.
A separate blog post from Praetorian said that in certain configurations, exploitation of SpringShell is fairly straightforward, as an attacker only needs to send a crafted HTTP request to a vulnerable system. Other configurations may require more work to understand which payloads are effective, it added.
Spring is apparently similar in scale to Struts, the framework exploited in the notorious Equifax hack. The bug is also reminiscent of the Log4Shell vulnerability published in December, according to Sonatype.
However, some experts have poured cold water on suggestions that this bug could be as dangerous as that found in the Log4j utility.
“More details are required, but current information suggests in order to exploit the vulnerability, attackers will have to locate and identify web app instances that actually use the DeserializationUtils, something already known by developers to be dangerous. If proven true, SpringShell’s impact has the potential of being misconstrued as being more impactful or widespread than it may be,” argued Flashpoint.
“Although some may compare SpringShell to Log4Shell, it is not similar at a deeper level.”
If limited to JDK9 implementations as early indications suggest, SpringShell will also be less prevalent than Log4Shell, the firm added.
Spring developers are now locked in a race against time with the cybercrime community, as the former work to rush out a patch before a weaponized exploit becomes available.
In the meantime, Praetorian has listed some temporary mitigations.