Spring4Shell FAQ: Spring Framework Remote Code Execution Vulnerability
A list of frequently asked questions related to Spring4Shell.
Tenable Research is closely monitoring updates related to Spring4Shell. As more information becomes available, we will update this FAQ with additional details about the vulnerability, including Tenable product coverage.
Frequently Asked Questions about Spring4Shell
What is Spring4Shell?
Spring4Shell is the nickname given to a zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications.
Has a CVE been assigned to this vulnerability?
At the time this blog post was published, there was no known CVE-ID assigned for this vulnerability.
Is Spring4Shell related to Log4Shell?
While the name itself was inspired by Log4Shell (CVE-2021-44228), the two are not related.
Is there a patch available for Spring4Shell?
At the time this blog post was published, no patch was available for this vulnerability. However, we fully expect Spring to publish a patch for Spring4Shell along with assigning a CVE identifier. Once this information becomes available, we will update this blog.
How severe is Spring4Shell?
An attacker could exploit Spring4Shell by sending a specially crafted request to a vulnerable server. However, exploitation of Spring4Shell requires certain prerequisites, whereas the original Log4Shell vulnerability affected all versions of Log4j 2 using the default configuration.
Researcher Will Dormann tweeted about these prerequisites:
The prerequisites:
– Uses Spring Beans
– Uses Spring Parameter Binding
– Spring Parameter Binding must be configured to use a non-basic parameter type, such as POJOs
All this smells of “How can I make an app that’s exploitable” vs. “How can I exploit this thing that exists?”
— Will Dormann (@wdormann) March 30, 2022
It is unclear how common these prerequisites are. However, considering they are necessary for exploitation, we expect the impact of Spring4Shell to be much more limited than Log4Shell.
What versions of Spring Core Framework are affected?
So far, reports suggest that Spring applications running with Java Development Kit (JDK) 9 or greater are affected only if certain prerequisites are in place.
Is my application vulnerable if I use a JDK 9+ and Spring Framework?
Using both JDK 9+ and Spring Framework together does not necessarily equate to being vulnerable to Spring4Shell, as the application would need to be configured in a way for an attacker to exploit the flaw. For instance, Spring has recommended developers specify the allowedFields property when using the DataBinder class. Researchers have confirmed that not specifying this property could enable an attacker to leverage Spring4Shell against a vulnerable application.
What does Spring4Shell have to do with CVE-2010-1622?
Researchers at Praetorian have confirmed that Spring4Shell is a patch bypass of CVE-2010-1622, a code injection vulnerability in the Spring Core Framework that was reportedly fixed nearly 12 years ago. However, the researchers say the fix for CVE-2010-1622 was incomplete and a new path to exploit this legacy flaw exists.
Is Spring4Shell related to CVE-2022-22963?
No, these are two completely unrelated vulnerabilities. CVE-2022-22963 is a vulnerability in the Spring Cloud Function, a serverless framework for implementing business logic via functions. An advisory for CVE-2022-22963 was published on March 29 and patches for Spring Cloud Function are available.
Because there was no CVE assigned for Spring4Shell at the time of its disclosure, Spring4Shell was erroneously associated with CVE-2022-22963.
Is Proof of Concept exploit code available?
Yes, there are multiple working proof-of-concept (PoC) exploits available for both Spring4Shell and CVE-2022-22963.
Does Tenable have any product coverage for Spring4Shell?
Tenable Research is investigating the PoC exploits and monitoring updates related to the potential patch for Spring4Shell. We will update this blog post as new details emerge.
Get more information
Praetorian Blog on Spring4Shell
LunaSec Blog on Spring4Shell
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.