Spring Framework vulnerabilities sow confusion, concern
Two different remote code execution vulnerabilities in a Java developer tool caused considerable confusion after one of the flaws was leaked online as a zero-day.
The security community is scrambling to address two reported security flaws in the Spring Java development framework.
Researchers and defenders have been struggling to sort out the two vulnerabilities since Wednesday, when an anonymous security researcher published a Spring Framework zero-day vulnerability on Twitter and also posted a proof-of-concept exploit on GitHub.
Further details on the zero-day, however, were limited as VX-underground, a group that monitors and tracks vulnerability and ransomware disclosures, reported that shortly after making the disclosure, the researcher's Twitter account was apparently deleted.
The PoC posting has since been tested and verified by multiple security researchers, some of whom refer to the Spring Framework flaw as "Spring4Shell" in reference to the recent Log4Shell vulnerability in the popular Java logging tool.
CVE-2022-22965 is a remote code execution (RCE) vulnerability in Spring Core; it bypasses a fix for a vulnerability that was thought to have been addressed back in 2010, re-exposing the same weakness.
The Spring open source project published an advisory Thursday that included patches for the flaw. The advisory announced "an RCE vulnerability in the Spring Framework that was leaked out ahead of CVE publication."
"On Wednesday we worked through investigation, analysis, identifying a fix, testing, while aiming for emergency releases on Thursday. In the meantime, also on Wednesday, details were leaked in full detail online, which is why we are providing this update ahead of the releases and the CVE report."
According to researchers Anthony Weems and Dallas Kaman with security vendor Praetorian, the seriousness of the vulnerability will vary from one application and configuration to another.
"In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted POST request to a vulnerable system," Weems and Kaman said in their analysis of the flaw.
"However, exploitation of different configurations will require the attacker to do additional research to find payloads that will be effective."
Spring could not be reached for further comment.
Here's where things got confusing. Spring4Shell emerged at roughly the same time that another Spring vulnerability was also reported with a similar CVE number, and initial reports appeared to confuse the two.
The second Spring vulnerability, CVE-2022-22963, which may also allow remote code execution, is in the Spring Cloud Function library. The team at security consultancy LunaSec noted that the library is separate from Spring Core, where the other bug was reported.
"The situation is confusing because the vulnerabilities are in two popular Java libraries that are both published by Spring (Spring Core and Spring Cloud Function)," explained LunaSec's Free Wortley, Chris Thompson and Forrest Allison in a blog post.
Spring noted the confusion in its advisory for CVE-2022-22965. "There was confusion with a CVE for Spring Cloud Function which was released just before the report for this vulnerability. It is also unrelated."
Regardless, vendors and security experts are advising developers and administrators responsible for Spring installations to update their systems to patch for both flaws.
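Because the two flaws live in two different Spring artifacts (Spring Core and Spring Cloud Function), the first job for an administrator is an inventory: which builds actually ship either library, and at what version. The following script is an added example, not code from the article or from the Spring project. It parses the output of `mvn dependency:list` (lines of the form `groupId:artifactId:type:version:scope`) and flags any spring-core or spring-cloud-function-* artifact that is older than a configured minimum for its major.minor branch. The minimum versions in `EXAMPLE_POLICY` are constructed placeholders used only to exercise the code; the real fixed versions have to be taken from the Spring advisories for CVE-2022-22965 and CVE-2022-22963.

```python
"""Dependency-inventory check for the two Spring libraries named in the article.

Added example (not the article's or Spring's code). Reads `mvn dependency:list`
output and reports affected artifacts whose version is below a configured
minimum, or whose major.minor branch the configured policy does not cover.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# PLACEHOLDER policy: "groupId:artifactId" prefix -> minimum safe version per
# major.minor branch. The numbers below are CONSTRUCTED for this example and
# are not the real fixed releases; fill them in from the Spring advisories for
# CVE-2022-22965 (Spring Framework) and CVE-2022-22963 (Spring Cloud Function).
EXAMPLE_POLICY: Dict[str, List[str]] = {
    "org.springframework:spring-core": ["5.3.50", "5.2.50"],
    "org.springframework.cloud:spring-cloud-function-": ["3.2.50", "3.1.50"],
}

# One resolved dependency line as printed by `mvn dependency:list`.
MVN_LINE = re.compile(
    r"^\[INFO\]\s+(?P<gid>[\w.\-]+):(?P<aid>[\w.\-]+):(?P<type>[\w\-]+)"
    r":(?P<ver>[\w.\-]+):(?P<scope>\w+)"
)


class Finding(NamedTuple):
    artifact: str   # "groupId:artifactId"
    version: str    # version string as resolved by Maven
    status: str     # "vulnerable" or "unknown-branch"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '5.3.17', '5.3.17.RELEASE' or '5.3.17-SNAPSHOT' into (5, 3, 17).

    Qualifiers after the numeric components are ignored; comparison is on
    the numeric tuple only.
    """
    parts: List[int] = []
    for piece in re.split(r"[.\-]", v):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def parse_mvn_dependency_list(text: str) -> List[Tuple[str, str]]:
    """Extract ("groupId:artifactId", version) pairs from Maven output."""
    resolved = []
    for line in text.splitlines():
        m = MVN_LINE.match(line.strip())
        if m:
            resolved.append((f"{m['gid']}:{m['aid']}", m["ver"]))
    return resolved


def check_artifact(artifact: str, version: str,
                   policy: Dict[str, List[str]] = EXAMPLE_POLICY) -> Optional[Finding]:
    """Return a Finding if the artifact is covered by the policy and is not
    known to be at or above the minimum for its branch; None otherwise."""
    for prefix, minimums in policy.items():
        if not artifact.startswith(prefix):
            continue
        ver = parse_version(version)
        for minimum in minimums:
            minv = parse_version(minimum)
            if ver[:2] == minv[:2]:            # same major.minor branch
                if ver < minv:
                    return Finding(artifact, version, "vulnerable")
                return None                     # at or above the fixed release
        # Covered artifact on a branch the policy says nothing about: a human
        # must check whether that branch received a fix at all.
        return Finding(artifact, version, "unknown-branch")
    return None


def audit(mvn_output: str, policy: Dict[str, List[str]] = EXAMPLE_POLICY) -> List[Finding]:
    """Run check_artifact over every resolved dependency in the Maven output."""
    findings = []
    for artifact, version in parse_mvn_dependency_list(mvn_output):
        f = check_artifact(artifact, version, policy)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample of `mvn dependency:list` output (not real project data).
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:5.3.17:compile
[INFO]    org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.2.2:compile
[INFO]    org.springframework.cloud:spring-cloud-function-web:jar:3.0.9.RELEASE:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_MVN_OUTPUT):
        print(f"{finding.status:14} {finding.artifact} {finding.version}")
```

With the placeholder policy, the sample run flags spring-core 5.3.17 and spring-cloud-function-context 3.2.2 as vulnerable, and spring-cloud-function-web 3.0.9 as an unknown branch that needs manual review; spring-webmvc and jackson-databind are not covered by the policy and produce no finding. Spring Framework modules share one version number, so widening the first prefix to `org.springframework:spring-` would make the same check cover spring-beans, spring-webmvc and the rest of the framework when it is updated as a whole.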