blog

The Spring4Shell confusion

As the guys at LunaSec have already mentioned (https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/ ), there’s been a bit of confusion around “Spring4Shell” and similar vulnerabilities that have been reported almost at the same time.

On March 29th, 2022, two RCE vulnerabilities were being discussed on the internet. Most of the people talking about them believe they’re talking about “Spring4Shell” (CVE Added: CVE-2022-22965), but in reality they’re swapping notes about CVE-2022-22963.

LunaSec

We’d like to focus on this specific aspect in this post to keep things simple and clear.

  • Spring4Shell (CVE-2022-22965) is a Very Severe RCE vulnerability affecting Spring Core and its derivatives.
  • CVE-2022-22963 (no known name) is a less severe vulnerability that affects Spring Cloud Function.

To make matters a bit more confusing, there seems to have been reports of a third vulnerability affecting Spring’s deserialisation logic, but this turned out not to be exploitable.

So we have two vulnerabilities affecting related, but distinct, Spring libraries and both represent a serious weakness for any system using the affected versions under the required conditions.

The threat intel team at AppSec Phoenix has triggered the corresponding alerts in our platform so that anybody with applications potentially affected by the vulnerability gets the corresponding notifications.

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Contextual vulnerability management is a comprehensive approach to identifying, analyzing, and mitigating vulnerabilities in software and cloud infrastructure. It involves considering the specific context and environment in which vulnerabilities exist, including the software and hardware components, the network infrastructure, and the organizational policies and processes in place. By adopting this approach, organizations can more effectively assess and mitigate the risks posed by vulnerabilities, helping to protect their assets and maintain the security of their systems and networks.
Francesco Cipollone
Cyber security risk is challenging to calculate. Real-Time context, Cyber threat intelligence, Ownership Vulnerabilities, all part of the same continuum ->
Alfonso Eusebio
In today’s digital world, cyber threats are a real and growing concern for organizations of all sizes. As the threat landscape continues to evolve. we explore in this blog how to threat treats, which one to use in your prioritization strategy
Sally Turner

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

x Logo: ShieldPRO
This Site Is Protected By
ShieldPRO