Critical RCE Bug in Spring Could Be the Next Log4Shell, Researchers Warn

The so-called ‘Spring4Shell’ bug has cropped up, so to speak, and could be lurking in millions of Java applications.

A critical security vulnerability has bloomed in Spring Cloud Function, the function-as-a-service layer of the Spring Cloud framework, that could lead to remote code execution (RCE) and the compromise of the internet-connected host running the application.

Researchers have dubbed it “Spring4Shell” because of how widely Spring is deployed, a nod to the Log4Shell vulnerability disclosed in December.

“Spring4Shell is another in a series of major Java vulnerabilities,” Stefano Chierici, a security researcher at Sysdig, noted in materials shared with Threatpost. “It has a very low bar for exploitation so we should expect to see attackers heavily scanning the internet. Once found, they will likely install cryptominers, [distributed denial-of-service] DDoS agents, or their remote-access toolkits.”

The bug (CVE-2022-22963, with a CVSS vulnerability-severity score of 9.0 out of 10) affects Spring Cloud Function versions 3.1.6 and 3.2.2, as well as older, unsupported versions, according to a Tuesday advisory. Per that advisory, the flaw is in the routing functionality: a user can supply a specially crafted Spring Expression Language (SpEL) string as a routing expression, and evaluating it can lead to RCE. Users should upgrade to 3.1.7 or 3.2.3, whichever matches their release line. Because Spring Cloud Function is frequently pulled in as a transitive dependency rather than declared directly, teams should check the resolved dependency tree of each build rather than relying on what the top-level pom or build file lists.
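The following is an added example, not code from the Threatpost article or from the Spring project. It turns the advisory's version ranges into a check that can be run over `mvn dependency:list`-style output: 3.1.x below 3.1.7 and 3.2.x below 3.2.3 are affected, anything older than the 3.1 line is unsupported and treated as affected, and newer lines are assumed to carry the fix. The Maven coordinate prefix and the sample dependency lines are constructed for the example.

```python
"""Check Spring Cloud Function versions against the CVE-2022-22963 fix levels.

Added example (not from the article or the Spring project). Applies the
advisory's ranges: affected 3.1.6 / 3.2.2 and older unsupported versions,
fixed in 3.1.7 / 3.2.3. The dependency lines below are constructed sample
input, not real build output.
"""
import re
from typing import Iterable, Iterator, Optional, Tuple

Version = Tuple[int, int, int]

# groupId:artifactId prefix shared by the Spring Cloud Function modules
# (spring-cloud-function-context, -web, ...). All modules share one version.
ARTIFACT_PREFIX = "org.springframework.cloud:spring-cloud-function"

# First fixed release per supported minor line, per the advisory.
FIXED_BY_LINE = {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)}

# Leading x.y.z; trailing qualifiers such as ".RELEASE" or "-SNAPSHOT" are ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed sample of `mvn dependency:list` output (not real build output).
SAMPLE_DEPENDENCY_LIST = [
    "[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.2.2:compile",
    "[INFO]    org.springframework.cloud:spring-cloud-function-web:jar:3.2.2:compile",
    "[INFO]    org.springframework:spring-core:jar:5.3.17:compile",
    "[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.1.7:compile",
]


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) for '3.2.2', '3.1.6.RELEASE', etc., else None."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if inside the advisory's affected range, False if fixed,
    None if the string is not a parseable x.y.z version."""
    v = parse_version(version)
    if v is None:
        return None
    line = (v[0], v[1])
    if line in FIXED_BY_LINE:
        return v < FIXED_BY_LINE[line]
    # Assumption: lines newer than the patched ones include the fix.
    # Lines older than 3.1 are unsupported and the advisory counts them as affected.
    return v < (3, 1, 0)


def scan_dependency_list(lines: Iterable[str]) -> Iterator[Tuple[str, str, Optional[bool]]]:
    """Yield (groupId:artifactId, version, affected) for every Spring Cloud Function
    entry in Maven dependency-list output (groupId:artifactId:type:version:scope)."""
    for raw in lines:
        line = raw.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):].strip()
        if not line.startswith(ARTIFACT_PREFIX):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # malformed entry; skip rather than guess
        group_id, artifact_id, version = parts[0], parts[1], parts[3]
        yield f"{group_id}:{artifact_id}", version, is_affected(version)


def affected_coordinates(lines: Iterable[str]) -> list:
    """Return the list of 'groupId:artifactId:version' strings that need upgrading."""
    return [f"{coord}:{ver}" for coord, ver, hit in scan_dependency_list(lines) if hit]


if __name__ == "__main__":
    for coord, ver, hit in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        status = {True: "AFFECTED", False: "fixed", None: "unparseable"}[hit]
        print(f"{status:12} {coord}:{ver}")
```

Run it against `mvn dependency:list -DoutputFile=deps.txt` output (or the equivalent Gradle dependency report, after adjusting the line format) to flag every resolved Spring Cloud Function module below the fix level; the branch-specific comparison matters because 3.1.7 is fixed while the numerically larger 3.2.2 is not.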

Widescale Consequences Set to Sprout

Spring Cloud is an open-source microservices framework: a collection of ready-to-use components for building distributed applications in an enterprise. It’s widely used across industries by various
