Article: Spring patches leaked Spring4Shell zero-day RCE vulnerability

Spring released emergency updates to fix the ‘Spring4Shell’ zero-day remote code execution vulnerability [CVE-2022-22965], which leaked prematurely online before a patch was released.

Yesterday, an exploit for a zero-day remote code execution vulnerability in the Spring Framework dubbed ‘Spring4Shell’ was briefly published on GitHub and then removed.

However, as nothing stays hidden on the Internet, the code was quickly shared in other repositories and tested by security researchers, who confirmed it was a legitimate exploit for a new vulnerability.

h0w1tzr’s Commentary: This only affects Java Enterprise Edition (Java EE) applications that are using the Spring framework. The Spring framework comprises several modules such as IOC, AOP, DAO, Context, ORM, WEB MVC etc. This is not nearly as scary as Log4Shell, but if you are using Spring in any of your applications, now would be a good time to upgrade.
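The practical follow-up to "now would be a good time to upgrade" is an inventory: which of your builds declare Spring Framework artifacts, and at what version. The script below is an added example (not code from the article, from h0w1tzr, or from the Spring project) that scans a Maven pom.xml for `org.springframework` dependencies, resolves `${property}` versions, and classifies each against a per-branch patched version. The `PATCHED_BY_BRANCH` values are labelled placeholders to be replaced with the fix releases from Spring's advisory; the pom.xml content is constructed for the example. Dependencies with no explicit version (managed by a parent POM or BOM) are reported as `unknown` rather than silently passed, and Spring Boot starters are not expanded, so run `mvn dependency:tree` for the transitive picture.

```python
"""Inventory check: flag Spring Framework artifacts below a patched version in a pom.xml.

Added example, not the article's or Spring's own tooling. PATCHED_BY_BRANCH holds
PLACEHOLDER numbers; substitute the real fix releases for each supported branch.
"""
import re
import xml.etree.ElementTree as ET

# PLACEHOLDER: fill from Spring's advisory. ".999" is deliberately unreal so that
# nothing is reported as patched until these are set.
PATCHED_BY_BRANCH = {"5.3": "5.3.999", "5.2": "5.2.999"}

# Constructed sample pom.xml: one property-driven version, one explicit
# legacy-style version, one managed (versionless) dependency, one Boot starter.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <spring.version>5.3.17</spring.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-beans</artifactId>
      <version>5.2.19.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>2.6.0</version>
    </dependency>
  </dependencies>
</project>
"""


def local(tag):
    """Strip the Maven XML namespace: '{http://...}dependency' -> 'dependency'."""
    return tag.rsplit("}", 1)[-1]


def parse_version(version):
    """Reduce '5.3.17' or '5.2.19.RELEASE' to a comparable (major, minor, patch) tuple."""
    nums = re.findall(r"\d+", version)
    return tuple(int(n) for n in nums[:3])


def resolve(value, props):
    """Substitute ${name} references from the <properties> block; unknown names become ''."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), ""), value)


def classify(version, patched_by_branch):
    """Compare a resolved version against the patched release of its major.minor branch."""
    if not version:
        return "unknown"  # managed elsewhere (parent POM / BOM); resolve with mvn first
    parsed = parse_version(version)
    branch = ".".join(str(n) for n in parsed[:2])
    fix = patched_by_branch.get(branch)
    if fix is None:
        return "unsupported-branch"  # no patched release known for this line
    return "vulnerable" if parsed < parse_version(fix) else "patched"


def scan_pom(pom_xml, patched_by_branch):
    """Return [(artifactId, resolved_version, status)] for every org.springframework dependency.

    Only direct dependencies are examined: Spring Boot starters (groupId
    org.springframework.boot) pull Spring Framework in transitively and are not expanded here.
    """
    root = ET.fromstring(pom_xml)
    props = {}
    for elem in root.iter():
        if local(elem.tag) == "properties":
            for child in elem:
                props[local(child.tag)] = (child.text or "").strip()
    findings = []
    for dep in root.iter():
        if local(dep.tag) != "dependency":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") != "org.springframework":
            continue
        version = resolve(fields.get("version", ""), props)
        findings.append((fields.get("artifactId", ""), version, classify(version, patched_by_branch)))
    return findings


if __name__ == "__main__":
    for artifact, version, status in scan_pom(SAMPLE_POM, PATCHED_BY_BRANCH):
        print(f"{artifact:<20} {version or '(managed)':<16} {status}")
```

Run it against a real pom.xml by reading the file into `scan_pom` in place of `SAMPLE_POM`; anything reported as `unknown` or `unsupported-branch` needs a manual look rather than being treated as clean.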
