Protect Applications from Spring4Shell (CVE-2022-22965)

Of the three new Spring framework vulnerabilities, one of them (Spring4Shell) sounds worryingly similar to the recent high-severity exploit, Log4Shell. While the vulnerabilities discovered in the Spring framework do have some things in common with Log4Shell, there are also significant differences impacting how we should respond. Of the three Spring vulnerabilities, two are critical, allowing for remote code execution (RCE), while the third is a denial-of-service vulnerability.

Protect Your Web Applications from Spring4Shell

F5 Labs recently shared an article with their insights on these Spring Framework vulnerabilities, exploring the weaknesses, how they are exploited, and some general steps to mitigate your risk.

  • Spring Framework RCE (Spring4Shell): CVE-2022-22965
  • Spring Framework DoS: CVE-2022-22950
  • Spring Cloud RCE: CVE-2022-22963

To read the whole article and learn about active attacks exploiting these weaknesses, head over to the F5 Labs article "What Are the Spring4Shell Vulnerabilities?" and then come back here to discuss how to implement security controls that mitigate your risk.

Read more on our Corporate Blog

You may prefer to read a general review, providing steps you can take to protect your environment and how F5 can help, https://www.f5.com/company/blog/understanding-addressing-spring4shell-vulnerabilities by BAMcHenry.

Updated Apr 07, 2022
Version 5.0
