Introduction
At the end of March, a researcher discovered a zero-day vulnerability in the Spring Core framework, which became known as “Spring4Shell” (CVE-2022-22965). The name implies it is closely related to another vulnerability called Log4Shell, however, so far there appears to be no direct link.
This new vulnerability has a few requirements to be vulnerable in the known state:
- A web application that uses Java Development Kit version 9 or later
- Apache Tomcat to be running as a Servlet Container
- Spring Framework versions – 5.2.0 to 5.2.19 or 5.3.0 to 5.3.17
- Application packaged as a WAR file
- Tomcat has spring-webmvc or spring-webflux dependencies from the Spring Framework.
What we are doing
Edgescan rolled out a test for vulnerable versions of the affected software using our network scanners. From today, 5th April, all scheduled assessments will check for the versions affected by CVE-2022-22965 and report them in customer estates as they are found. At this stage, no news is good news.
Given how early we are in this vulnerabilities cycle, we would recommend keeping an eye on your implementations of any of the above as a POC that may not require all 5 components could be available in the next few weeks.
Contact
Edgescan has automatically included this in testing as of today, 5th April. If we discover this in your environment it will be shown on your Edgescan dashboard. Our scan on-demand feature can be used if any customers would like to begin assessments, or feel free to reach out to our support team for any further queries.