Two New RCE Vulnerabilities in Spring

March 31, 2022

Aner Morag VP of Technology

Post Featured Image

Introduction

Between March 29th and March 31st, 2022, two new zero-day vulnerabilities were discovered in the Spring Framework, a popular framework used by Java developers. Both vulnerabilities allow for remote code execution (RCE), although the more recent one, called “Spring4Shell,” is by far the more severe of the two and deserves the most attention by security teams..

In this post, we’ll provide a short overview of the two vulnerabilities. For Noname Security customers, our API Security Platform detects and blocks cyber attacks caused by Spring4Shell vulnerabilities. The Noname research team has also confirmed that the API Security Platform is not impacted by either new vulnerabilities. 

Summary of New Spring Vulnerabilities

Spring4Shell (CVE-2022-22965)

"Spring4Shell" is a critical vulnerability allowing a remote code execution vulnerability in Spring framework. Due to the enormous potential impact of such vulnerability, we are closely monitoring the situation for any developments. Several research teams around the globe have already recreated a proof of concept to exploit the bug affecting all Spring Core versions before and including 5.3.17.

Spring Cloud Function (CVE-2022-22963)

This is another remote code execution vulnerability but in the Spring Cloud Function, which has smaller coverage. Spring has acknowledged this vulnerability and released an updated version.

How Noname Security Protects Customers

APIs now present the largest attack surface for organizations. From eliminating vulnerabilities in development to finding vulnerabilities in production and stopping attacks in real-time, the Noname API Security Platform significantly reduces the risk and potential impact of RCE attacks by significantly reducing the possibility of intrusion.

Here is how Noname Security is addressing each vulnerability for our customers:

Spring4Shell (CVE-2022-22965)

The Noname API Security Platform would have already detected the Spring4Shell payloads  as Command Injection attempts with existing logic, patterns, and machine-learning (ML) models. Furthermore, additional payloads and detection mechanisms will be made available to customers soon.

Spring Cloud (CVE-2022-22963)

For this comparatively minor vulnerability, Noname Security’s development team is currently adding coverage for CVE-2022-22963 in the Noname API Security Platform, which will be available to customers soon.

Is the Noname API Security Platform Affected?

No, the Noname API Security Platform itself does not use any Java code and is not affected by either CVE-2022-22965 nor CVE-2022-22963.

Next Steps

Spring customers should update to Spring Framework versions 5.3.18 and 5.2.20 and monitor additional published updates.

To further reduce the risk of RCE attacks, organizations should implement a dedicated API security solution to shrink their overall attack surface and limit the possibility of intrusion.

If you have additional questions contact us at research@nonamesecurity.com or book a demo to learn more about the Noname API Security Platform.