Spring4Shell: What to Expect and How to Prepare

Spring4Shell: What to Expect and How to Prepare

CVE-2022-22965, a zero-day, remote code execution (RCE) vulnerability published on March 31st, 2022, has sparked concerns that a wave of malicious attacks could be launched against vulnerable applications. The vulnerability in Spring, one of the most popular open-source frameworks for Java applications, is also known as “Spring4Shell” or “SpringShell.” It affects Spring MVC (spring-webmvc) and Spring WebFlux (spring-webflux) when running on JDK 9 or above. 

Known variants of the existing exploit rely on a few specific conditions. However, the conditions are fairly common and as time goes on, experts believe new forms of attack will emerge.

Spring4Shell: What to Expect

Due to the widespread use of the Spring Framework and the severity of the vulnerability, CVE-2022-22965 has been given a critical (CVSS score of 9.8) rating. The Spring team emphasized in an announcement that “the nature of the vulnerability is general, and there may be other ways to exploit it”. 

While the new versions of Spring Boot resolve all known vulnerabilities, additional vulnerabilities may still be found. The December 2021 Log4j incident provides a recent example of the emergent nature of vulnerabilities. Starting with CVE-2021-44228 published on December 10, 2021, and followed by a string of vulnerabilities that were published within days of each other. 

As with the Log4j vulnerabilities there are likely to be numerous targeted attacks, necessitating numerous patches. More updates are sure to follow as new ways to exploit the vulnerability come to light. It is therefore extremely important to monitor what’s happening and be aware of relevant dependency updates. Dependency automation tools such as Mend Renovate will monitor updates and notify you automatically.

Learn More About Spring4Shell Zero-Day Vulnerability

Spring4Shell: How to Prepare

Experience with the Log4j vulnerabilities has taught us that the best-prepared companies were able to completely mitigate and remediate their risk within hours of the announcement. Their success in dealing with the challenge can be attributed to their dependency management automation. Implementing  dependency management best practices pays off in fire drills such as Spring4Shell, as companies can upgrade dependencies with the click of a button. Otherwise, understanding where spring is installed and then analyzing the risk can take hours upon hours. 

Using tools such as Mend Renovate to automate dependency updates, combined with Merge Confidence data crowdsourced from hundreds of thousands of repositories with Renovate installed, can cut the time needed to confidently update all vulnerable occurrences. from days to minutes.  

Mend Renovate Can Help

Mend Renovate is a dependency update automation tool. It scans your software, discovers dependencies, automatically checks to see if an updated version exists, and helps you by submitting automated pull requests. With more than one hundred million downloads, Mend Renovate has already identified and mitigated the Spring4Shell vulnerability on thousands of repos around the world.

As a response to Spring4Shell, Mend Renovate was recently updated to open a PR containing a fix to SpringShell for users with repos containing the vulnerable spring libraries. Early data at Mend shows that only 33 percent of affected organizations have already fixed some or all occurrences of the vulnerability. More than  90 percent of the affected libraries are brought into applications as transitive dependencies, meaning they are a dependency of one of the explicitly declared dependencies of the application. As a result, many vulnerable organizations may well be unaware they are affected by Spring4Shell, as they don’t see any Spring libraries in their dependency list.

Incorporating dependency automation into your workflow ensures agility and reduces risk in future situations where you need to act fast. 

To remediate existing Spring-related vulnerabilities and mitigate the risk of future zero-day vulnerabilities, install Mend Renovate. It’s free. >>

Rhys Arkins / About Author

Rhys Arkins is Vice President of Product Management, responsible for developer solutions at Mend.io. He was the founder of Renovate Bot – an automated tool for software dependency updating, which was acquired by Mend.io in 2019. Rhys is particularly fond of automation and a firm believer in never sending humans to do a machine’s job.