
Java Framework ‘Spring4Shell’ Vulnerability Leads to Potential Exploit

Zero-day vulnerability could be as impactful as Log4j, affecting ability to perform Remote Code Execution (RCE)

Justin Henkel Head of CISO Center of Excellence, OneTrust


On March 30th, a new vulnerability was reported in Spring Beans, currently being dubbed “Spring4Shell”, with experts believing it could be as impactful as 2021’s Log4j.  

Spring4Shell is a zero-day vulnerability in the application development framework, likely putting numerous web applications at risk of exploitation. The full scope of the vulnerability is not yet known; it is believed to be broad and is still evolving.

So, what do we know about Spring4Shell? 

Visit the Spring Framework Website to learn more and find out if you are impacted by the Spring4Shell Vulnerability today. 

What is Spring4Shell?

As the world’s most popular Java lightweight open-source framework, Spring allows developers to focus on business logic and simplifies the development cycle of Java enterprise applications. 

However, when the Spring framework runs on JDK 9 or above, a remote attacker can exploit this vulnerability to achieve Remote Code Execution (RCE), which can give the attacker unauthorized control of the target system.

Currently, this is what we know: 

  • The Spring4Shell vulnerability was discovered on Tuesday, March 29 and reported to the public on March 30, 2022.
  • The vulnerability affects Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and certain older, unsupported versions of the framework.
  • The Spring Framework team reports that the vulnerability involves ClassLoader access, implying the possibility of other attacks against a different custom ClassLoader. 
  • The Spring Framework team also reports that the issue relates to data binding used to populate an object from request parameters. 
  • The Spring framework team spent the day investigating and analyzing the vulnerability (CVE-2022-22965), then identifying and testing a solution.  
  • Spring Framework 5.3.18 and 5.2.20, which contain the fix, have been released. Updating to these versions is the recommended remediation to date.
  • As of April 3, Apache Tomcat has released versions 10.0.20, 9.0.62, and 8.5.78 as a mitigation.

Who is Impacted by Spring4Shell?

The Spring Framework team reports these as the requirements for impact from this specific vulnerability:

  • Use of Spring MVC and Spring WebFlux applications running on JDK 9+. 
  • Use of Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. 
  • Using Apache Tomcat as the Servlet container — the specific exploit requires the application to run on Tomcat as a WAR deployment. 
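To make the impact criteria above actionable, here is an added example (not from OneTrust or the Spring project) that checks an application inventory against the version ranges and prerequisites stated in this post: a Spring Framework version in an affected range, JDK 9 or later, Tomcat as the Servlet container with WAR packaging, and whether the Tomcat build already carries the April mitigation. The inventory and the `parse_version` / `assess` helper names are constructed for the example; treating Tomcat lines with no listed release (such as 7.x) as unmitigated is an assumption.

```python
import re

# Version facts as stated in this post (CVE-2022-22965).
AFFECTED_SPRING = [("5.3.0", "5.3.17"), ("5.2.0", "5.2.19")]  # older, unsupported lines handled below
MITIGATED_TOMCAT = {8: "8.5.78", 9: "9.0.62", 10: "10.0.20"}  # first mitigated release per Tomcat line

def parse_version(text):
    """'5.3.17.RELEASE' or '5.3.17-SNAPSHOT' -> (5, 3, 17); always three numeric components."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple((parts + [0, 0, 0])[:3])

def spring_affected(version):
    """True for 5.3.0-5.3.17, 5.2.0-5.2.19 and anything older (unsupported lines)."""
    v = parse_version(version)
    in_listed = any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_SPRING)
    return in_listed or v < parse_version("5.2.0")

def tomcat_mitigated(version):
    """True once the Tomcat line is at or past the release carrying the mitigation (assumption: no release listed -> not mitigated)."""
    v = parse_version(version)
    fixed = MITIGATED_TOMCAT.get(v[0])
    return fixed is not None and v >= parse_version(fixed)

def assess(spring_version, jdk_major, container, packaging, tomcat_version=""):
    """'not-affected', 'exposed' (every published prerequisite met) or 'review' (upgrade Spring anyway)."""
    if not spring_affected(spring_version):
        return "not-affected"
    prereqs = jdk_major >= 9 and container == "tomcat" and packaging == "war"
    if prereqs and not (tomcat_version and tomcat_mitigated(tomcat_version)):
        return "exposed"
    return "review"  # affected framework, but exploit prerequisites not all met or Tomcat already mitigated

# Constructed sample inventory (hypothetical systems): spring, JDK major, container, packaging, tomcat.
INVENTORY = {
    "billing-api": ("5.3.16", 11, "tomcat", "war", "9.0.58"),
    "report-svc": ("5.3.18", 17, "tomcat", "war", "9.0.62"),
    "legacy-portal": ("4.3.30.RELEASE", 8, "tomcat", "war", "8.5.60"),
    "edge-gw": ("5.2.19.RELEASE", 11, "embedded", "jar"),
    "intranet": ("5.3.17", 11, "tomcat", "war", "9.0.62"),
}

def report(inventory=INVENTORY):
    """Map each deployment name to its assessment so the 'exposed' set can be patched first."""
    return {name: assess(*spec) for name, spec in inventory.items()}
```

Anything reported as `review` still runs an affected Spring version and should be upgraded to 5.3.18 or 5.2.20; the classification only orders the work.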


Is OneTrust Impacted by Spring4Shell?

The Spring framework is a well-known and widely used framework for building microservices, and the OneTrust Platform utilizes it. Based on the information currently known, the vulnerability has been assessed as having a medium impact on OneTrust customers.

OneTrust has established next steps as follows:  

  • Develop checklist for remediation response 
  • Develop assessment template to provide to vendors regarding vulnerability and remediation 

How can OneTrust Help with Cybersecurity Resiliency?

The OneTrust platform leverages expertise in GRC, specializing in Vendor Risk Management, Privacy, Incident Management, and many other categories to deliver an immersive security and privacy management experience. The Vendorpedia™ Third-Party Risk Exchange offers intelligence and automation to solve these challenges and provide value throughout the vendor relationship, from faster onboarding to real-time monitoring and unprecedented visibility into vendor resilience. This allows for seamless incident management and the ability to prioritize trust and transparency as a competitive advantage.
