by freeqaz 1538 days ago
(Author that named "Log4Shell" here)

FYI, this is confusing because there are 2 different RCEs that have been published within the last 24 hours. One has a CVE and the other doesn't.

OP's post by Praetorian is discussing the RCE dubbed "Spring4Shell".

It's the RCE without a CVE yet, hence the name, and it affects Spring Core. It's likely fairly widespread/severe, but the "mitigating details" are still unknown.

That said, it's very similar to the Apache Struts vuln (a Class Loader Manipulation exploit) that popped Equifax a few years ago. So there is already some tooling available to weaponize it.

The other RCE affects Spring Cloud Function and has been given CVE-2022-22963.

We wrote a post[0] with info on both CVEs that references this Praetorian post under the "Remediation" section. We also added more information about the exploit scenarios to help push the ball forward for determining how widely exploitable this is going to be.

(There is a 3rd possible one too, but it's still unconfirmed.)

Basically, the authors of Spring Core tweeted[1] that there wasn't a vuln and that has added to the chaos of this. There is a vuln here. It's not as bad as Log4Shell, but it's still bad and likely widely exploitable given how popular Spring Core is and how some Java devs[2] have confirmed that the exploitable configuration is a "common pattern" in real-world usage.

With the vuln there are more steps required for exploitation. That means kids on Minecraft won't be griefing each other with it, but that won't stop the blackhats from weaponizing this quickly. After all, this is a very similar attack to previous ones in Struts[3].

So if you're using Spring Core or Spring Cloud Function, it's a good idea to stay up-to-date on this stuff because it's moving pretty quickly. If you already looked earlier this morning, a lot has changed (like this Praetorian post).

It'll be a fun weekend for security teams everywhere!

[0]: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
[1]: https://twitter.com/hacksilon/status/1509117953064812547
[2]: https://twitter.com/pwntester/status/1509298152691671046
[3]: https://www.exploit-db.com/exploits/33142

1 comment

I have never seen that class SerializationUtils used in the wild. Now if it was in Jackson...