Microsoft publishes a guide for protecting against the SpringShell RCE vulnerability

A recent vulnerability was found in the Spring Framework when running on Java Development Kit (JDK) version 9.0 or later. Like the Log4j vulnerability, it is critical because it allows remote code execution on affected systems without the need to compromise them first.

The vulnerability, known as Spring4Shell, lies in Spring Core and can be exploited when an attacker sends a specially crafted request to a web server that uses the framework.

Systems could be affected if they use the following components:
  • JDK 9.0 or later;
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier;
  • Apache Tomcat as the Servlet container;
  • The application packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance;
  • The application on Tomcat has spring-webmvc or spring-webflux dependencies.

The following non-malicious command can be used to identify vulnerable systems (replace host, port and path with those of the application being checked; the URL is quoted so the shell does not interpret the `?`):

$ curl 'host:port/path?class.module.classLoader.URLs%5B0%5D=0'

A host that returns an HTTP 400 response should be considered vulnerable to the attack.
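As an added illustration (not code from Microsoft's guide or from Pro CISO), the following Python scans Tomcat/Apache-style access-log lines for requests whose decoded query parameter names reach into `class.module.classLoader`, the property chain used by the probe above, so a defender can see which hosts were probed and what status they returned. The log lines are constructed samples, and the case-insensitive match is a conservative detection choice, not a statement about how Spring's binder resolves names.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2022:10:15:02 +0000] "GET /app/index HTTP/1.1" 200 512
10.0.0.9 - - [31/Mar/2022:10:15:07 +0000] "GET /app/path?class.module.classLoader.URLs%5B0%5D=0 HTTP/1.1" 400 0
10.0.0.9 - - [31/Mar/2022:10:15:09 +0000] "GET /app/path?Class.Module.classLoader.URLs%5B0%5D=0 HTTP/1.1" 200 0
10.0.0.7 - - [31/Mar/2022:10:15:12 +0000] "GET /app/search?q=classLoader HTTP/1.1" 200 88
this line is not an access-log entry and is skipped
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Property chain used by the probe on this page; compared case-insensitively
# as a conservative choice (assumption, not a claim about Spring internals).
SUSPICIOUS_CHAIN = "class.module.classloader"


def suspicious_params(target):
    """Return decoded parameter names in `target` whose name contains the chain."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes names, so %5B0%5D becomes [0]
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if SUSPICIOUS_CHAIN in n.lower()]


def scan_log(text):
    """Return one record per request that touches the suspicious property chain."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line, skip rather than fail the scan
        params = suspicious_params(m["target"])
        if params:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "params": params})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} params={hit["params"]}')
```

Parameters sent in a POST body do not appear in access logs, so this only covers probes carried in the query string; a 400 in a flagged record matches the indicator described above and warrants checking that host's Spring version.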

Pro CISO's Vulnerability Management services can scan your systems to identify affected instances that require patching.

References:
  • The Microsoft Spring4Shell blog
  • The Spring Framework Announcement and Updates