
Spring4Shell – CVE-2022-22965

Introduction 

At the end of March 2022, a zero-day vulnerability was disclosed in the Spring Framework (Spring Core), which became known as “Spring4Shell” (CVE-2022-22965). The name echoes Log4Shell, but the two are unrelated: Log4Shell is a flaw in the Log4j logging library, whereas Spring4Shell is a remote code execution flaw in Spring Framework’s data binding that is exploitable on JDK 9 or later.

The known exploit for this vulnerability requires all of the following conditions to be met: 

  • The application runs on Java Development Kit (JDK) version 9 or later  
  • Apache Tomcat is used as the Servlet container 
  • Spring Framework version 5.2.0 to 5.2.19 or 5.3.0 to 5.3.17 (fixed in 5.2.20 and 5.3.18; older, unsupported versions are also affected) 
  • The application is packaged and deployed as a WAR file 
  • The application depends on spring-webmvc or spring-webflux from the Spring Framework 
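The prerequisites above are the kind of thing a quick local check can cover before a network scanner gets to an estate. The script below is an added example, not Edgescan’s scanner or any Spring project code: it opens a WAR file, reads the Spring Framework jar versions from `WEB-INF/lib`, and reports two things separately, whether an affected Spring version is present at all (which means patch regardless) and whether the deployment also meets the known-exploit prerequisites (JDK 9+, a spring-webmvc or spring-webflux dependency). The JDK major version is passed in by the caller because it is a property of the runtime, not of the archive. The artifact names, the `build_sample_war` helper and the in-memory sample archives are constructed for the example; the affected version ranges are the ones listed above.

```python
"""Check a WAR's bundled Spring Framework jars against CVE-2022-22965.

Added example: not Edgescan's scanner and not Spring project code.
"""
import io
import re
import zipfile

# Affected ranges from the Spring advisory; fixed in 5.2.20 and 5.3.18.
AFFECTED_RANGES = [((5, 2, 0), (5, 2, 19)), ((5, 3, 0), (5, 3, 17))]

# Core Spring Framework artifacts we read the version from (assumed set; Boot
# starters deliberately excluded so their own version numbers do not pollute it).
FRAMEWORK_ARTIFACTS = {
    "spring-core", "spring-beans", "spring-context",
    "spring-web", "spring-webmvc", "spring-webflux",
}
# Either of these satisfies the webmvc/webflux prerequisite.
WEB_ARTIFACTS = {"spring-webmvc", "spring-webflux"}

# Matches e.g. WEB-INF/lib/spring-webmvc-5.3.17.jar and the older
# WEB-INF/lib/spring-core-4.3.30.RELEASE.jar naming.
JAR_RE = re.compile(
    r"^WEB-INF/lib/(spring-[a-z]+)-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9_-]+)?\.jar$"
)


def is_affected_version(version):
    """True if a (major, minor, patch) tuple falls in an affected range.

    Versions older than 5.2.0 are out of support and the advisory lists
    them as affected too, so they are treated as affected here.
    """
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES) or version < (5, 2, 0)


def spring_jars_in_war(data):
    """Map Spring Framework artifact name -> version tuple found in WEB-INF/lib."""
    jars = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            m = JAR_RE.match(name)
            if m and m.group(1) in FRAMEWORK_ARTIFACTS:
                jars[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return jars


def assess_war(data, jdk_major):
    """Assess one WAR (bytes) running on the given JDK major version."""
    jars = spring_jars_in_war(data)
    versions = sorted(set(jars.values()))
    affected = [v for v in versions if is_affected_version(v)]
    web = sorted(a for a in jars if a in WEB_ARTIFACTS)
    return {
        "spring_versions": versions,
        "web_artifacts": web,
        "jdk_major": jdk_major,
        # Patch whenever this is True, whatever the deployment looks like.
        "affected_versions_present": bool(affected),
        # True only when every known-exploit condition the archive and
        # runtime can tell us about is met (Tomcat itself is not visible here).
        "meets_known_exploit_prerequisites": bool(affected) and bool(web) and jdk_major >= 9,
    }


def build_sample_war(artifacts):
    """Construct an in-memory WAR with empty jar entries (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for artifact, version in artifacts.items():
            zf.writestr(f"WEB-INF/lib/{artifact}-{version}.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_war(
        {"spring-core": "5.3.17", "spring-beans": "5.3.17", "spring-webmvc": "5.3.17"}
    )
    for jdk in (8, 11):
        print(f"JDK {jdk}:", assess_war(sample, jdk))
```

Point `assess_war` at a real archive with `open("app.war", "rb").read()` and the JDK major from the host’s `java -version`. A `True` under `affected_versions_present` with `False` under `meets_known_exploit_prerequisites` still means upgrade: it only says the public proof of concept will not work as-is against that deployment.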


What we are doing 

Edgescan rolled out a test for vulnerable versions of the affected software using our network scanners. From today, 5th April, all scheduled assessments will check for the versions affected by CVE-2022-22965 and report them in customer estates as they are found. At this stage, no news is good news. 

Given how early we are in this vulnerability’s lifecycle, we recommend keeping a close eye on any deployment that uses the components above: a proof of concept that does not require all five conditions could become available in the coming weeks. 


Contact 

Edgescan has automatically included this check in testing as of today, 5th April. If we discover it in your environment, it will be shown on your Edgescan dashboard. Customers who would like to begin an assessment straight away can use the scan on-demand feature, or reach out to our support team with any further queries. 

Posted April 8, 2022 in Blog, General, News

Theo

theo.g@edgescan.com

Marketing Executive of Edgescan
