
Java Framework ‘Spring4Shell’ Vulnerability Leads to Potential Exploit

Zero-day vulnerability could be as impactful as Log4j, allowing attackers to perform Remote Code Execution (RCE)

Justin Henkel, Head of CISO Center of Excellence, OneTrust


On March 30, a new vulnerability was reported in Spring Beans, currently dubbed “Spring4Shell”; experts believe it could be as impactful as 2021’s Log4j.

Spring4Shell is a zero-day vulnerability within the application development framework, likely putting numerous web applications at risk of exploitation. The scope of exposure is broad, not yet fully known, and still evolving.

So, what do we know about Spring4Shell? 

Visit the Spring Framework Website to learn more and find out if you are impacted by the Spring4Shell Vulnerability today. 

What is Spring4Shell?

As the world’s most popular lightweight open-source Java framework, Spring allows developers to focus on business logic and simplifies the development cycle of Java enterprise applications.

However, when a Spring application runs on JDK 9 or above, a remote attacker can exploit this vulnerability to achieve Remote Code Execution (RCE), which can give the attacker unauthorized control of the target system.

Currently, this is what we know: 

  • The Spring4Shell vulnerability was discovered on Tuesday, March 29 and reported to the public on March 30, 2022.
  • The vulnerability affects Spring Framework 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19; certain older, unsupported versions of the framework are also affected.
  • The Spring Framework team reports that the vulnerability involves ClassLoader access, implying that other attacks against different custom ClassLoaders are possible.
  • The Spring Framework team also reports that the issue relates to data binding used to populate an object from request parameters. 
  • The Spring framework team spent the day investigating and analyzing the vulnerability (CVE-2022-22965), then identifying and testing a solution.  
  • Spring Framework 5.3.18 and 5.2.20 contain the fix and have been released. Upgrading to these versions is the recommended remediation to date.
  • As of April 3, Apache Tomcat has released versions 10.0.20, 9.0.62, and 8.5.78 as a mitigation.

Who is Impacted by Spring4Shell?

The Spring Framework team reports these as the requirements for impact from this specific vulnerability:

  • Use of Spring MVC and Spring WebFlux applications running on JDK 9+. 
  • Use of Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. 
  • Using Apache Tomcat as the Servlet container — the specific exploit requires the application to run on Tomcat as a WAR deployment. 
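The affected version ranges, the fixed releases, the Tomcat mitigation releases and the three exploit prerequisites listed above can be turned into a quick triage check for an application inventory. The script below is an added example for this page, not OneTrust's or the Spring team's code; the version numbers and prerequisites come from the page, while the inventory record format (one dict per deployment with `spring_version`, `jdk_major`, `container`, `packaging` and `tomcat_version`) is an assumption made for the example, and the sample inventory is constructed.

```python
"""Impact check for the Spring4Shell (CVE-2022-22965) criteria listed above.

Added example for this page; it is not OneTrust's or the Spring team's code.
The affected Spring ranges, Tomcat mitigation releases and the three exploit
prerequisites are taken from the page. The inventory record format (one dict
per deployment) is an assumption made for this example.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected Spring Framework ranges (inclusive), per the page.
AFFECTED_SPRING: List[Tuple[Version, Version]] = [
    ((5, 3, 0), (5, 3, 17)),
    ((5, 2, 0), (5, 2, 19)),
]
# Apache Tomcat releases the page names as mitigation releases (as of April 3).
FIXED_TOMCAT: List[Version] = [(10, 0, 20), (9, 0, 62), (8, 5, 78)]


def parse_version(text: str) -> Version:
    """Turn '5.3.17' or '5.3.17.RELEASE' into a comparable (major, minor, patch) tuple."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break  # stop at qualifiers such as RELEASE or SNAPSHOT
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:
        parts.append(0)  # '5.3' is treated as 5.3.0
    return (parts[0], parts[1], parts[2])


def spring_is_affected(version: str) -> bool:
    """True if the Spring Framework version falls in an affected range."""
    v = parse_version(version)
    if any(low <= v <= high for low, high in AFFECTED_SPRING):
        return True
    # The page also lists older, unsupported versions as affected.
    return v < (5, 2, 0)


def tomcat_has_mitigation(version: str) -> bool:
    """True if Tomcat is at or past the mitigation release of its own line."""
    v = parse_version(version)
    for fixed in FIXED_TOMCAT:
        if v[:2] == fixed[:2]:
            return v >= fixed
    return False  # a Tomcat line the page does not cover: do not assume it is mitigated


def assess(deployment: Dict[str, object]) -> Dict[str, object]:
    """Grade one deployment record against the page's three exploit prerequisites.

    Levels: 'not_affected' (Spring outside the affected ranges), 'high'
    (affected Spring plus all three prerequisites and no Tomcat mitigation
    release), 'medium' (affected Spring, but not every prerequisite met or
    Tomcat already on a mitigation release). Every affected deployment still
    needs the Spring upgrade; the level only orders the patch queue.
    """
    spring = str(deployment["spring_version"])
    matched: List[str] = []
    if spring_is_affected(spring):
        matched.append(f"Spring Framework {spring} is in an affected range")
    if int(deployment["jdk_major"]) >= 9:
        matched.append(f"runs on JDK {deployment['jdk_major']} (9+)")
    tomcat_war = (
        deployment.get("container") == "tomcat"
        and deployment.get("packaging") == "war"
    )
    if tomcat_war:
        matched.append("deployed as a WAR on Apache Tomcat")

    if not spring_is_affected(spring):
        level = "not_affected"
    elif len(matched) == 3 and not tomcat_has_mitigation(
        str(deployment.get("tomcat_version") or "0")
    ):
        level = "high"
    else:
        level = "medium"
    return {"name": deployment["name"], "level": level, "matched": matched}


# Constructed sample inventory for the example; these are not real systems.
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"name": "orders-api", "spring_version": "5.3.17", "jdk_major": 11,
     "container": "tomcat", "packaging": "war", "tomcat_version": "9.0.60"},
    {"name": "billing-svc", "spring_version": "5.3.18", "jdk_major": 17,
     "container": "tomcat", "packaging": "war", "tomcat_version": "9.0.62"},
    {"name": "reports-job", "spring_version": "5.2.19", "jdk_major": 8,
     "container": "embedded", "packaging": "jar", "tomcat_version": ""},
]


def assess_inventory(inventory: List[Dict[str, object]] = SAMPLE_INVENTORY) -> Dict[str, str]:
    """Map each deployment name to its level."""
    return {str(d["name"]): str(assess(d)["level"]) for d in inventory}


if __name__ == "__main__":
    order = ["high", "medium", "not_affected"]
    for record in sorted(map(assess, SAMPLE_INVENTORY),
                         key=lambda r: order.index(str(r["level"]))):
        print(f"{record['name']:<12} {record['level']:<13} {'; '.join(record['matched'])}")
```

The check deliberately never downgrades an affected Spring version to "not affected" because one prerequisite is missing: the page says the specific exploit needs Tomcat as a WAR, not that other deployment shapes are safe, so the level only orders the upgrade queue. Unknown Tomcat lines are treated as unmitigated for the same reason.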


Is OneTrust Impacted by Spring4Shell?

The OneTrust main platform utilizes the Spring Framework and Spring Beans, but the OneTrust Platform is not vulnerable to this exploit as it is not deployed on standalone Tomcat as a WAR deployment.

Preventative rules have been placed in OneTrust’s web application firewall to limit the exposure to attack traffic while patching is performed. All exposed APIs were patched to the non-vulnerable version of the Spring framework as part of the 6.34 release. All internal components are patched as part of the 6.35 release.

Further details can be found in this article on MyOneTrust (registration required).

How can OneTrust Help with Cybersecurity Resiliency?

The OneTrust platform leverages expertise in GRC, specializing in Vendor Risk Management, Privacy, Incident Management, and many other categories to deliver an immersive security and privacy management experience. The Vendorpedia™ Third-Party Risk Exchange offers intelligence and automation to solve these challenges and provide value throughout the vendor relationship, from faster onboarding and real-time monitoring to unprecedented visibility into vendor resilience. This allows for seamless incident management and the ability to prioritize trust and transparency as a competitive advantage.
