by vips7L 1541 days ago
I'm skeptical as well because everyone is saying they've reproduced it, but there's no CVE and none of them want to post the source code to reproduce it. It's all "use this closed source docker image" or "it was in this now deleted github" or "it was in this now deleted twitter leak".

> but there's no CVE

The notion of a National Vulnerability Database is noble, but creating a CVE is an incredibly slow moving and bureaucratic process. In situations like this, or Log4Shell, information evolves rapidly and is often outdated by the time it makes it to NVD. Log4Shell specifically was a disaster, where the original advisory text contained incorrect information that was corrected relatively quickly by Apache but did not update in NVD for weeks. This actively hurt the remediation efforts as people treated the description in NVD as the authoritative source for information and ignored evidence to the contrary.

Nobody wants to hand a bunch of blackhats a working exploit without there being a patch available. But yeah, at some point you have to accept that the blackhats have it and it's "more ethical" to just start handing out the exploit POC so that companies can start testing their ability to detect + remediate the issue.

It's the whole "responsible disclosure" dance. Finding a 0-day is exciting as a researcher, but you have to keep your mouth shut while a fix gets built and tested. (Google's Project Zero gives a 90 day grace period, for example)

The post says "there is a public proof-of-concept available." If that's true, just link to it. The cat's already out of the bag.
Thanks for pointing that out -- I didn't realize we missed adding the link! It's in a repo on GitHub, and we were banging on it to verify the exploit prerequisites.

I'll go do that as soon as I sit down again.

I still can't find it... Got the link to the repo?
I'll ask my engineers to post the one he wrote. He did put more details into the article, so go check that. Here is a repo with a POC though: https://github.com/TheGejr/SpringShell
That’s not really a POC though. That’s not a Spring Application I can run and reproduce on. That’s just a py script.
How is handing out a poc 0day ethical when it’s leaked but difficult to find? I’d rather see it censored until at least a patch drops + grace period.

I guess it’s a case-by-case basis. Adding app-specific WAF rules will be handy, but that only matters if exploitation patterns are unique per application; otherwise generic rules could be published.

The whole basis of this claim was a commit in a merged PR yeah?
No. There was a credible report, but one of the blogs (Cyber Kendra) linked to a commit that mentioned RCE off hand and said "it looks like they're cleaning up".

https://spring.io/blog/2022/03/31/spring-framework-rce-early...

Lack of an assigned CVE is a really bad reason to discount anything; it's a bureaucratic process with various tangential limitations, rules and delays.
CVEs are frequently created for minor issues, like the recent Jackson bug that has a very specific (and not frequent) case.