On March 30th, a new vulnerability was reported in Spring Beans, currently being dubbed “Spring4Shell”, with experts believing it could be as impactful as 2021’s Log4j.
Spring4Shell is a zero-day vulnerability within the application development framework, likely putting numerous web applications at risk of being exploited. The scope of the attack is unknown, broad and still evolving.
So, what do we know about Spring4Shell?
Visit the Spring Framework Website to learn more and find out if you are impacted by the Spring4Shell Vulnerability today.
What is Spring4Shell?
As the world’s most popular Java lightweight open-source framework, Spring allows developers to focus on business logic and simplifies the development cycle of Java enterprise applications.
However, in the JDK9 version (and above) of the Spring framework, a remote attacker can exploit this vulnerability to perform a Remote Code Execution (RCE) which can lead to an attacker gaining unauthorized control of a target system.
Currently, this is what we know:
- The Spring4Shell vulnerability was discovered on Tuesday, March 29 and reported to the public on March 30, 2022.
- The vulnerability affects Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and certain older, unsupported versions of the framework have also been affected.
- The Spring Framework team reports that the vulnerability involves ClassLoader access, implying the possibility of other attacks against a different custom ClassLoader.
- The Spring Framework team also reports that the issue relates to data binding used to populate an object from request parameters.
- The Spring framework team spent the day investigating and analyzing the vulnerability (CVE-2022-22965), then identifying and testing a solution.
- Spring Frameworks 5.3.18 and 5.2.20 contain bug fixes and have been released. Updating to these versions is the suggested workaround to the vulnerability to date.
- As of April 3, Apache Tomcat has released versions 10.0.20, 9.0.62, and 8.5.78 in mitigation efforts.
Who is impacted by Spring4Shell?
The Spring4Shell team reports these as the requirements for impact from this specific vulnerability:
- Use of Spring MVC and Spring WebFlux applications running on JDK 9+.
- Use of Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.
- Using Apache Tomcat as the Servlet container — the specific exploit requires the application to run on Tomcat as a WAR deployment.
Visit the Spring Framework Website to learn more and find out if you are impacted by the Spring4Shell Vulnerability today.
Is OneTrust impacted by Spring4Shell?
The OneTrust main platform utilizes the Spring Framework and Spring Beans, but the OneTrust Platform is not vulnerable to this exploit as it is not deployed on standalone Tomcat as a WAR deployment.
Preventative rules have been placed in OneTrust’s web application firewall to limit the exposure to attack traffic while patching is performed. All exposed APIs were patched to the non-vulnerable version of the Spring framework as part of the 6.34 release. All internal components are patched as part of the 6.35 release.
Further details can be found in this article on MyOneTrust (registration required).
How can OneTrust Help with cybersecurity resiliency?
The OneTrust platform leverages expertise in GRC, specializing in Vendor Risk Management, Privacy, Incident Management, and many other categories to deliver an immersive security and privacy management experience. The Vendorpedia™ Third-Party Risk Exchange offers intelligence and automation to solve these challenges and provide value throughout the vendor relationship, from faster onboarding, real-time monitoring, and unprecedented vendor resilience visibility. This allows for seamless incident management and the ability to prioritize trust and transparency as a competitive advantage.
