There is a new zero-day vulnerability that has the cybersecurity community talking. If you recall, not too long ago there was a “Log4Shell” vulnerability that affected millions, since the flaw could be exploited in Apache Log4j2. The new vulnerability I would like to take some time to talk about goes by the name “Spring4Shell”.
You might be asking yourself “What is Spring4Shell”?
Well, Spring4Shell was identified on March 29, 2022, and while the analysis is still developing, what we know so far is that users running JDK version 9 or newer along with Apache Tomcat are vulnerable to a remote code execution (RCE) attack. An RCE attack allows a threat actor to remotely execute malicious code, and the impact can range from malware execution to the threat actor gaining full control over a compromised machine. Since we are still in the early stages of understanding this vulnerability, there may be other ways to exploit it (more coming soon).
Spring4Shell vs Log4Shell?
Spring4Shell mainly affects applications built on the Spring framework, where a threat actor could write a malicious JSP file that then becomes accessible through the application server. Log4Shell, by contrast, was the result of an exploitable logging feature in Log4j across your infrastructure.
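Because the attack path described above ends with a JSP file being written somewhere the application server will serve it, a useful defensive check is to compare the JSP files actually present under a Tomcat webapps directory against the list that shipped with the deployment. The following Python script is an added example and not code from the original post or from the Spring or Tomcat projects; it assumes (hypothetically) that you keep a manifest of the JSP paths in your deployment artefact and know when the deployment happened, and the directory tree it inspects is constructed inside the script.

```python
"""Added example (not from the original post): flag JSP files under a Tomcat
webapps directory that are not part of the known deployment, or that were
modified after the deployment finished.

Assumptions (hypothetical): a manifest of relative JSP paths exists for the
deployed artefact, and the deployment timestamp is known. The webapps tree
used by demo() is constructed in a temporary directory."""
import os
import tempfile


def jsp_files_on_disk(webapps_root):
    """Return the set of *.jsp paths under webapps_root, relative to it."""
    found = set()
    for dirpath, _dirs, files in os.walk(webapps_root):
        for name in files:
            if name.lower().endswith(".jsp"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, webapps_root).replace(os.sep, "/")
                found.add(rel)
    return found


def unexpected_jsps(webapps_root, manifest, deployed_at=None):
    """Report JSPs that are on disk but absent from the manifest ("unknown"),
    and manifest JSPs whose mtime is newer than deployed_at ("modified").

    deployed_at is epoch seconds; when None the mtime check is skipped."""
    on_disk = jsp_files_on_disk(webapps_root)
    known = set(manifest)
    unknown = sorted(on_disk - known)
    modified = []
    if deployed_at is not None:
        for rel in sorted(on_disk & known):
            if os.path.getmtime(os.path.join(webapps_root, rel)) > deployed_at:
                modified.append(rel)
    return {"unknown": unknown, "modified": modified}


def demo():
    """Build a constructed webapps tree and run the check over it."""
    root = tempfile.mkdtemp(prefix="webapps-")
    app = os.path.join(root, "ROOT")
    os.makedirs(os.path.join(app, "WEB-INF"))
    for name in ("index.jsp", "help.jsp"):
        with open(os.path.join(app, name), "w") as f:
            f.write("<%-- legitimate page shipped in the WAR --%>")
    # Treat the deployment as complete one second after the files were laid down.
    deployed_at = os.path.getmtime(os.path.join(app, "index.jsp")) + 1
    # Constructed: a JSP that is not in the manifest at all.
    with open(os.path.join(app, "unknown.jsp"), "w") as f:
        f.write("<%-- not part of the deployment --%>")
    # Constructed: a shipped JSP rewritten well after deployment (mtime bumped).
    later = deployed_at + 60
    os.utime(os.path.join(app, "help.jsp"), (later, later))
    manifest = ["ROOT/index.jsp", "ROOT/help.jsp"]
    return unexpected_jsps(root, manifest, deployed_at=deployed_at)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest comes from listing the JSP entries of the deployed WAR, and the check is worth running on a schedule so that a newly appearing or rewritten JSP raises an alert rather than sitting unnoticed.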
Should I even care about this new zero-day vulnerability?
The answer is plain and simple: yes. I advise anyone reading this who is currently a Spring user running Tomcat and JDK version 9 or greater to update ASAP! While we are still gathering more information about this vulnerability, the best thing you can do as a user is to find out whether this impacts your development environment and patch accordingly.
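To make "find out whether this impacts you" concrete, here is a small triage helper that checks a build against the three preconditions the post names: JDK 9 or newer, a WAR deployment on Tomcat, and a dependency on the Spring framework. It is an added example and not code from the original post or the Spring project. It assumes (hypothetically) that you can capture `java -version` output and read the project's Maven pom.xml; the sample inputs are constructed, the Spring version in the sample pom is a labelled placeholder, and because the fixed Spring release is not stated on this page the helper reports whether the configuration matches rather than comparing version numbers.

```python
"""Added example (not from the original post): decide whether a build matches
the exposed configuration described above (JDK 9+, WAR for Tomcat, Spring).

Assumptions (hypothetical): exposure is judged from `java -version` text and a
Maven pom.xml. Sample inputs below are constructed."""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample: the first line of `java -version` for two JDK generations.
SAMPLE_JAVA_17 = 'openjdk version "17.0.2" 2022-01-18\nOpenJDK Runtime Environment'
SAMPLE_JAVA_8 = 'openjdk version "1.8.0_312"\nOpenJDK Runtime Environment'

# Constructed sample pom: WAR packaging with a Spring MVC dependency.
# The version is a placeholder, not a real Spring release number.
SAMPLE_POM_WAR = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <packaging>war</packaging>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>PLACEHOLDER</version>
    </dependency>
  </dependencies>
</project>"""


def jdk_major(java_version_output):
    """Extract the JDK major version from `java -version` text.

    Handles the pre-9 scheme ("1.8.0_312" -> 8) and the newer one
    ("17.0.2" -> 17, "9" -> 9), which is exactly the boundary that matters here."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', java_version_output)
    if not m:
        raise ValueError("no java version string found")
    first, second = int(m.group(1)), m.group(2)
    if first == 1 and second is not None:
        return int(second)
    return first


def _text(elem, tag):
    """Child text for a tag, with or without the Maven namespace."""
    for name in (POM_NS + tag, tag):
        child = elem.find(name)
        if child is not None:
            return (child.text or "").strip() or None
    return None


def pom_facts(pom_xml):
    """Return (packaging, spring_version_or_None) from a pom.xml string."""
    root = ET.fromstring(pom_xml)
    packaging = _text(root, "packaging") or "jar"  # Maven's default packaging
    spring_version = None
    deps = list(root.iter(POM_NS + "dependency")) + list(root.iter("dependency"))
    for dep in deps:
        if _text(dep, "groupId") == "org.springframework":
            spring_version = _text(dep, "version") or "unmanaged"
            break
    return packaging, spring_version


def exposure(java_version_output, pom_xml):
    """Combine the three preconditions into a verdict plus the reasons found."""
    major = jdk_major(java_version_output)
    packaging, spring_version = pom_facts(pom_xml)
    reasons = []
    if major >= 9:
        reasons.append(f"JDK {major} (9 or newer)")
    if packaging == "war":
        reasons.append("packaged as WAR (typical Tomcat deployment)")
    if spring_version is not None:
        reasons.append(f"depends on org.springframework ({spring_version})")
    return {"exposed": len(reasons) == 3, "reasons": reasons}


if __name__ == "__main__":
    print(exposure(SAMPLE_JAVA_17, SAMPLE_POM_WAR))
    print(exposure(SAMPLE_JAVA_8, SAMPLE_POM_WAR))
```

A build that matches all three reasons is the one the post is telling you to update; a JDK 8 build or a JAR deployment fails at least one precondition as the post describes it, though it should still be patched on the normal schedule.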
In the coming weeks we will be posting our technical analysis of this vulnerability as a case study.