The US Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework to its Known Exploited Vulnerabilities Catalog on Monday, citing “evidence of active exploitation.”
The critical severity flaw CVE-2022-22965 (CVSS score: 9.8), dubbed “Spring4Shell,” affects Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later.
“Exploitation requires an endpoint with DataBinder enabled (e.g., a POST request that automatically decodes data from the request body) and relies heavily on the application’s servlet container,” Praetorian researchers Anthony Weems and Dallas Kaman wrote last week.
According to security firm SecurityScorecard, “active scanning for this vulnerability has been observed coming from the usual suspects like Russian and Chinese IP space,” though the exact details of in-the-wild abuse are unknown.
Similar scanning attempts were discovered by Akamai and Palo Alto Networks’ Unit42, which resulted in the deployment of a web shell for backdoor access and the execution of arbitrary commands on the server to deliver other malware or spread throughout the target network.
“During the first four days following the vulnerability outbreak, exploitation attempts impacted 16 percent of organizations worldwide,” Check Point Research said, adding that it detected 37,000 Spring4Shell-related attacks over the weekend.
The Microsoft 365 Defender Threat Intelligence Team also added its two cents, stating that it has been “tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities.”
Since the issue was discovered on March 31, potentially vulnerable versions of the Spring Framework have accounted for 81 percent of all downloads from the Maven Central repository, according to Sonatype statistics.
Cisco confirmed that three of its products are affected by the vulnerability, and it is actively investigating to see which of them are affected.
- Cisco Edge Intelligence
- Cisco Crosswork Optimization Engine
- Cisco Crosswork Zero Touch Provisioning (ZTP)
VMware, for its part, has identified three of its products as vulnerable, and has issued patches and workarounds needed –
- VMWare Tanzu Operations Manager
- VMWare Tanzu Application Service for VMs
- VMWare Tanzu Kubernetes Grid Integrated Edition (TKGI)
“A malicious actor with network access to an impacted VMware product could exploit this issue to take complete control of the target system,” according to VMware.
CISA has also added to the catalog two zero-day flaws that Apple patched last week (CVE-2022-22674 and CVE-2022-22675), as well as a critical flaw in D-Link routers (CVE-2021-45382) that has been actively weaponized by the Beastmode Mirai-based DDoS campaign.