Pierluigi Paganini April 05, 2022

The U.S. CISA added the recently disclosed remote code execution (RCE) vulnerability Spring4Shell to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed CVE-2022-22965 (aka Spring4Shell, CVSS score: 9.8) flaw in the Spring Framework, along with three other issues, to its Known Exploited Vulnerabilities Catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

The Spring4Shell issue was disclosed last week, it resides in the Spring Core Java framework. An unauthenticated, remote attacker could trigger the vulnerability to execute arbitrary code on the target system. The framework is currently maintained by Spring.io which is a subsidiary of VMware.

The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE (Enterprise Edition) platform.

The vulnerability was disclosed after a Chinese security researcher published a proof-of-concept (PoC) exploit before deleting its account (helloexp).

This week VMware has published security updates to address the Spring4Shell flaw, according to the virtualization giant, the flaw impacts many of its cloud computing and virtualization products.

The flaw impacts Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later.

Spring4Shell impacts VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager, and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).

The exploitation of this flaw could allow a remote attacker to execute arbitrary code on vulnerable systems. Researchers from Palo Alto Networks’ Unit42 and Akamai have observed the issue being exploited in the wild to deploy malicious code. According to statistics released by Sonatype, potentially vulnerable versions of the Spring Framework account for 81% of the total downloads from Maven Central repository since the issue came to light on March 31.

CISA also added CVE-2022-22675, CVE-2022-22674, CVE-2021-45382 flaws to its catalog. The four vulnerabilities added to the catalog have to be addressed by federal agencies by April 25, 2022.

Please vote Security Affairs as best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and other of your choice.
To nominate, please visit: https://forms.gle/4D4PygUVcNxFQ6iFA

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Known Exploited Vulnerabilities Catalog)

[adrotate banner=”5″]

[adrotate banner=”13″]