9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
THREAT LEVEL: Red For a detailed advisory, download the pdf file here A zero-day vulnerability has been discovered in the Spring framework, a Java framework that provides infrastructure support for web application development. This vulnerability came to light after a Chinese researcher made a GitHub commit that was quickly erased. The vulnerability remained unassigned for over 24 hours before being assigned an official identifier CVE-2022-22965. The remote code execution bug affects Spring MVC and Spring WebFlux apps running on JDK 9+. By sending a carefully crafted request to a susceptible server, an attacker could exploit Spring4Shell. The publicly available exploit, on the other hand, requires the software to run as a WAR deployment on Tomcat. If the software is deployed as a Spring Boot executable jar, which is the default, it is not vulnerable to this vulnerability. However, the nature of the vulnerability is wide, and there may be many more ways to exploit it. An active exploitation of Spring4Shell has been observed, an attacker is able to weaponize and execute the Mirai botnet malware on vulnerable servers, specifically in the Singapore region. The Mirai sample is downloaded to the “/tmp” folder and executed after permissions are changed to make them executable using “chmod” Organizations using Spring Framework with version 5.3.x should upgrade to 5.3.18+ and version 5.2.x should upgrade to 5.2.20+. Potential MITRE ATT&CK TTPs are: TA0042: Resource Development T1588: Obtain Capabilities T1588.006: Obtain Capabilities: Vulnerabilities TA0002: Execution T1203: Exploitation for Client Execution Vulnerability Details Indicators of Compromise (IoCs) Patch Links https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement https://tanzu.vmware.com/security/cve-2022-22965 References https://www.praetorian.com/blog/spring-core-jdk9-rce/ https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/ https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P