Security researchers have observed tens of thousands of attempts to exploit the critical new SpringShell (Spring4Shell) vulnerability within days of its publication.
Check Point Research claimed to have spotted 37,000 such attempts within the first four days, which it extrapolated to calculate that around 16% of global organizations were affected.
Europe accounted for the largest number of incidents (20%) and the software industry was the most affected vertical (28%).
There were actually three vulnerabilities found in the open-source Spring Framework late last week, although the main one is CVE-2022-22965 (SpringShell/Spring4Shell), a critical remote code execution (RCE) bug in the Spring Core.
It can be exploited if attackers send a specially crafted query to a web server running the Spring Core framework.
The other two are thought to be less serious RCE flaws in the Spring Cloud Function (CVE-2022-22963) and the Spring Cloud Gateway (CVE-2022-22947).
The seriousness of SpringShell was confirmed when the US Cybersecurity and Infrastructure Security Agency (CISA) added it to its lengthening Known Exploited Vulnerabilities Catalog, meaning all civilian federal agencies are mandated to patch it within a narrow timeframe.
Impacted systems will be running Java Development Kit (JDK) version 9.0 or later and Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions.
Concerns were raised when the CVEs broke last week that SpringShell could be as bad as the infamous Log4Shell bug discovered at the end of 2021. However, this is unlikely given the conditions required to exploit the vulnerability.
Microsoft seems to agree, noting that most of the limited exploit attempts it has seen are designed to drop a web shell on targeted Apache Tomcat servers.
“Microsoft regularly monitors attacks against our cloud infrastructure and services to defend them better. Since the Spring Core vulnerability was announced, we have been tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities,” it explained.
“Microsoft’s continued monitoring of the threat landscape has not indicated a significant increase in quantity of attacks or new campaigns at this time.”