A newly discovered zero-day vulnerability known as Spring4Shell (tracked as CVE-2022-22965) could have “a larger impact” than Log4j. Spring4Shell is a zero-day remote code execution (RCE) vulnerability in the Spring Framework that came to light after a Chinese security researcher leaked a proof-of-concept (PoC) exploit on GitHub.
In light of the exploit, security experts have urged businesses to immediately compile an up-to-date inventory of the devices in their environment, and of the software versions running on them, in order to determine the vulnerability's potential blast radius.
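As an added example, not code from the original article or from any vendor's tooling, the inventory step above in Python: a scanner that walks a file tree, reads the names of Spring Framework jars found standalone or bundled inside WAR, EAR and Spring Boot archives, and flags those below the releases that patched Spring4Shell, 5.2.20 and 5.3.18. The affected ranges (5.2.0 to 5.2.19 and 5.3.0 to 5.3.17, with older unsupported branches also affected) come from the Spring advisory, not from this page. The sample tree it scans is constructed inline; `demo`, `scan_tree`, `classify` and the artifact list are this example's own names.

```python
"""Inventory scanner for Spring Framework jars (added example, not project code).

Finds spring-* jars on disk, standalone or nested one level inside zip-based
archives (WAR: WEB-INF/lib, Spring Boot: BOOT-INF/lib, EAR), and flags
versions below the Spring4Shell fixes 5.2.20 / 5.3.18.
"""
import os
import re
import shutil
import tempfile
import zipfile

# Matches spring-core-5.3.17.jar, spring-webmvc-5.2.19.RELEASE.jar, etc.
# Artifact list is an assumption covering the modules relevant to the advisory.
SPRING_JAR_RE = re.compile(
    r"^(spring-(?:core|beans|context|web|webmvc|webflux))-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$"
)
# First fixed patch release per supported branch (from the Spring advisory).
PATCHED = {(5, 3): 18, (5, 2): 20}


def parse_spring_jar(name):
    """Return (artifact, (major, minor, patch)) for a Spring jar file name, else None."""
    m = SPRING_JAR_RE.match(os.path.basename(name))
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.groups()[1:])


def classify(version):
    """'patched' at/after the branch fix, 'affected' before it, 'unsupported' for
    branches that never got a fix (treat those as affected when prioritising)."""
    major, minor, patch = version
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        # 6.x and later shipped after the fix; 4.x / 5.0 / 5.1 were end-of-life.
        return "patched" if (major, minor) > (5, 3) else "unsupported"
    return "patched" if patch >= fixed else "affected"


def _finding(location, hit):
    artifact, version = hit
    return {"location": location, "artifact": artifact,
            "version": ".".join(map(str, version)), "status": classify(version)}


def scan_file(path):
    """Inspect one file: its own name, then the names of jars bundled inside it
    if it is a zip-based archive (where WAR and Boot deployments keep Spring)."""
    findings = []
    hit = parse_spring_jar(path)
    if hit:
        findings.append(_finding(path, hit))
    if path.endswith((".jar", ".war", ".ear")) and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                inner = parse_spring_jar(member)
                if inner:
                    findings.append(_finding(f"{path}!{member}", inner))
    return findings


def scan_tree(root):
    """Walk a directory tree (deterministic order) and return every Spring jar seen."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()
        for fn in sorted(files):
            findings.extend(scan_file(os.path.join(dirpath, fn)))
    return findings


def _write_zip(path, member_names):
    """Constructed stand-in for a real jar/war: a zip with empty members."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"")


def demo():
    """Build a constructed sample tree, scan it, and return the findings.
    Fixtures (not real software): one patched standalone jar, one WAR bundling
    affected 5.3.17 jars plus an unrelated jar, one WAR on an unsupported 4.x."""
    root = tempfile.mkdtemp(prefix="spring-inv-")
    try:
        os.makedirs(os.path.join(root, "lib"))
        os.makedirs(os.path.join(root, "webapps"))
        _write_zip(os.path.join(root, "lib", "spring-beans-5.3.18.jar"),
                   ["META-INF/MANIFEST.MF"])
        _write_zip(os.path.join(root, "webapps", "app.war"),
                   ["WEB-INF/lib/spring-webmvc-5.3.17.jar",
                    "WEB-INF/lib/spring-core-5.3.17.jar",
                    "WEB-INF/lib/jackson-databind-2.13.2.jar"])
        _write_zip(os.path.join(root, "webapps", "legacy.war"),
                   ["WEB-INF/lib/spring-webmvc-4.3.30.RELEASE.jar"])
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['status']:<12} {f['artifact']:<14} {f['version']:<8} {f['location']}")
```

A version hit is a necessary, not a sufficient, condition: the advisory's exploitable configuration also required JDK 9 or later and a WAR deployed to Tomcat, so use the output to prioritise remediation rather than to rule hosts out. File-name matching also misses jars whose version lives only in META-INF/MANIFEST.MF or that have been shaded and renamed, which is why a scan like this is a first pass and not a substitute for a maintained software bill of materials.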
Jeff Costlow, a security technologist and leader with over 20 years' experience, comments:
“When zero-day exploits like Spring4Shell come to light, organizations are immediately thrust into panic mode, scrambling to determine the potential blast radius of the vulnerability. Given the broad use of Apache Tomcat by developers, this remote code execution vulnerability has huge potential impact. Security teams need to immediately understand what software and devices might be affected and identify whether there are any vulnerable devices in their environment. This can be remarkably challenging because many organizations struggle to maintain an up-to-date inventory of devices in their environment, let alone have the ability to detect software types and versions running on their business devices.
We know at this point that the remote code execution vulnerability is present in the Java Spring framework, but it may also be present in other Java applications. It affects Tomcat, a very common connector that joins together a webserver and the Java application. We suspect there may be other vulnerable applications, but are focusing on the attacks that are in the wild. We have reports of scanning already for this vulnerability, so it is only a matter of time before a fully weaponized PoC is leveraged. This is a severe remote code execution zero-day that can be accessed over HTTP or HTTPS. The use of encrypted protocols to exploit this vulnerability, as well as others like Log4Shell, underscores the degree to which encryption is being weaponized by cyberattackers. While open source code is truly the building block of our internet and software universe, this vulnerability yet again shines a light on the issue of such a ubiquitous framework in the context of cybersecurity.”