Search

Share

Spring4Shell – CVE-2022-22965

Introduction 

At the end of March, a researcher discovered a zero-day vulnerability in the Spring Core framework, which became known as “Spring4Shell” (CVE-2022-22965). The name implies it is closely related to another vulnerability called Log4Shell, however, so far there appears to be no direct link. 

This new vulnerability has a few requirements to be vulnerable in the known state: 

  • A web application that uses Java Development Kit version 9 or later  
  • Apache Tomcat to be running as a Servlet Container 
  • Spring Framework versions – 5.2.0 to 5.2.19 or 5.3.0 to 5.3.17 
  • Application packaged as a WAR file 
  • Tomcat has spring-webmvc or spring-webflux dependencies from the Spring Framework. 

 

What we are doing 

Edgescan rolled out a test for vulnerable versions of the affected software using our network scanners. From today, 5th April, all scheduled assessments will check for the versions affected by CVE-2022-22965 and report them in customer estates as they are found. At this stage, no news is good news. 

Given how early we are in this vulnerabilities cycle, we would recommend keeping an eye on your implementations of any of the above as a POC that may not require all 5 components could be available in the next few weeks. 

 

Contact 

Edgescan has automatically included this in testing as of today, 5th April. If we discover this in your environment it will be shown on your Edgescan dashboard. Our scan on-demand feature can be used if any customers would like to begin assessments, or feel free to reach out to our support team for any further queries. 

Related Articles

Edgescan, a prominent player in the cybersecurity landscape, has garnered significant attention and praise on Gartner Peer Insights. This platform, …

After discussing CTEM (Continuous Threat and Exposure Management) and ASPM (Application Security Posture Management) recently with some noted industry analysts, …

In the world of cybersecurity, the debate between Continuous Threat Exposure Management (CTEM) and traditional penetration testing is like comparing …