Spring4Shell - the next interpreter/RCE tsunami

Lob

Another month, another big CVE: https://www.tenable.com/blog/spring4shell-faq-spring-framework-remote-code-execution-vulnerability

Like the original Batman movie, you need several things (the Joker has toothpaste and shampoo as the poison combination I think....):
  • Java Development Kit (JDK) 9 or greater
  • Apache Tomcat as the Servlet container
  • Packaged as a WAR
  • spring-webmvc or spring-webflux dependency
I don't believe these to be the last Java libraries to have such flaws and am wondering how we begin to inventorise and assess these - because that's what the bad guys will be doing.

What do others think? Are we at the beginning of a trend?
 
It needs to be determined, but I don't think this will be as bad as the Log4J issue because I think one knows if one is running the Spring framework, and many business users have been conservative (i.e. slow to update) and so may be on older versions that are not affected. Nevertheless, there will likely still be confusion around "are we affected" and some heated activity around testing for vulnerability and the subsequent planning of updates.

EDIT: Just saw this: https://arstechnica.com/information...ll-the-internet-security-disaster-that-wasnt/

EDIT 2: There's also this https://isc.sans.edu/forums/diary/S...ate+Exploitation+Attempts+CVE202222965/28504/
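As an added example (mine, not from the post or this forum), here is a small Python inventory check that tests a WAR against the four preconditions listed above: JDK 9+, Tomcat, WAR packaging, and a spring-webmvc or spring-webflux dependency. It reads the Spring artifact version from the jar filename but deliberately encodes no affected-version range, so the reported version still has to be compared against the vendor advisory; the WAR it inspects is a constructed in-memory sample.

```python
import io
import re
import zipfile

# Matches WEB-INF/lib/spring-webmvc-<ver>.jar or spring-webflux-<ver>.jar.
# Only the artifact name and version are captured; no version range is judged here.
SPRING_WEB_JAR = re.compile(
    r"^WEB-INF/lib/(spring-web(?:mvc|flux))-(\d+\.\d+\.\d+)[^/]*\.jar$"
)


def inspect_war(war_bytes):
    """Return the Spring web artifacts found in a WAR and whether it is WAR-packaged."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        names = zf.namelist()
    for n in names:
        m = SPRING_WEB_JAR.match(n)
        if m:
            found[m.group(1)] = m.group(2)
    is_war = any(n.startswith("WEB-INF/") for n in names)
    return {"is_war": is_war, "artifacts": found}


def assess(war_bytes, java_major, container):
    """Combine WAR contents with runtime facts (Java major version, servlet container).
    'candidate' means all four published preconditions hold, not that the app is exploitable."""
    info = inspect_war(war_bytes)
    preconditions = {
        "jdk9_or_later": java_major >= 9,
        "tomcat": container.lower() == "tomcat",
        "war_packaging": info["is_war"],
        "spring_web_dependency": bool(info["artifacts"]),
    }
    return {**info, "preconditions": preconditions, "candidate": all(preconditions.values())}


def build_sample_war(jar_names):
    """Construct a minimal in-memory WAR (sample data, not a real application)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for j in jar_names:
            zf.writestr(f"WEB-INF/lib/{j}", b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the version string is illustrative, not a claim about which versions are affected.
    war = build_sample_war(["spring-webmvc-5.3.16.jar", "spring-core-5.3.16.jar"])
    print(assess(war, java_major=11, container="Tomcat"))
```

Run it against each deployed WAR together with the JVM and container facts from the host, and feed the resulting artifact versions into whatever advisory matching you already do for other Java dependencies.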