Spring4Shell is a remote code execution (RCE) via deserialization vulnerability found in Spring Core on JDK9+. On 30th March 2022, a zero-day vulnerability was discovered in the Spring Core module of the Spring Framework. The vulnerability received the CVE number CVE-2022-22965, and it has a CVSS score of 9.8 (Critical). Picus Labs has updated the Picus Threat Library with attack simulations for Spring4Shell vulnerability exploitation attacks affecting Spring Core with JDK version 9 or higher.

We updated this blog post on April 6th, 2022, and added vendor-specific actionable mitigation signatures.

## What is Spring4Shell Remote Code Execution Vulnerability?

The Spring framework is one of the most popular frameworks in the Java ecosystem. The Spring4Shell vulnerability allows attackers to bypass the incomplete patch for CVE-2010-1622, a 12-year-old code injection vulnerability found in the Spring Core Framework. The vulnerability is named Spring4Shell due to its similarities to Log4Shell, an RCE vulnerability found in Apache Log4j that resulted in mass exploitation in December 2021. The remote code execution vulnerability in Spring Core with JDK version 9 or higher is caused by unsafe deserialization of passed arguments.

Users are advised to apply the patches to update the Spring Framework to version 5.3.18 or 5.2.20. Since many Tomcat applications are vulnerable to Spring4Shell attacks, it is also advised to update Tomcat to version 10.0.20, 9.0.62, or 8.5.78.
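The patch advice above turns into a dependency-manifest check. The following script is an added example, not code from the original post or from Picus; it reads a Maven `pom.xml` (the sample below is constructed for this example, not taken from any real project), resolves `${...}` property references, and compares the declared Spring Framework and Tomcat versions against the fixed releases named in the post (5.3.18 / 5.2.20 for Spring, 10.0.20 / 9.0.62 / 8.5.78 for Tomcat). The artifact-ID sets are assumptions about which Maven coordinates an application typically pulls in, and the script does not check the JDK version, which is the other condition the post states.

```python
"""Offline check of a Maven pom.xml against the Spring4Shell fixed versions
named in the post. Added example; the sample pom.xml below is constructed."""
import re
import xml.etree.ElementTree as ET

# Fixed versions from the post: (first fixed version, exclusive upper bound of that line).
SPRING_FIXED = [((5, 3, 18), None), ((5, 2, 20), (5, 3, 0))]
TOMCAT_FIXED = [((10, 0, 20), None), ((9, 0, 62), (10, 0, 0)), ((8, 5, 78), (9, 0, 0))]

# Maven artifactIds to inspect (assumption: the artifacts an application usually declares).
SPRING_ARTIFACTS = {"spring-core", "spring-beans", "spring-context", "spring-webmvc", "spring-webflux"}
TOMCAT_ARTIFACTS = {"tomcat-embed-core", "tomcat-catalina"}


def parse_version(text):
    """'5.3.17' or '5.3.17.RELEASE' -> (5, 3, 17); None if no numeric prefix."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def is_fixed(version, fixed_lines):
    """True if version is at or above a fixed release and within that release line."""
    return any(version >= fixed and (upper is None or version < upper)
               for fixed, upper in fixed_lines)


def _local(tag):
    """Drop the Maven XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def scan_pom(pom_xml):
    """Return {artifactId: (version string, status)} for Spring/Tomcat dependencies."""
    root = ET.fromstring(pom_xml)
    # Collect <properties> so ${spring.version}-style references resolve.
    props = {}
    for node in root:
        if _local(node.tag) == "properties":
            props = {_local(p.tag): (p.text or "").strip() for p in node}
    results = {}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        artifact = fields.get("artifactId", "")
        if artifact in SPRING_ARTIFACTS:
            fixed_lines = SPRING_FIXED
        elif artifact in TOMCAT_ARTIFACTS:
            fixed_lines = TOMCAT_FIXED
        else:
            continue
        raw = fields.get("version", "")
        ref = re.fullmatch(r"\$\{(.+)\}", raw)
        if ref:
            raw = props.get(ref.group(1), "")
        version = parse_version(raw)
        if version is None:
            # Version inherited from a parent POM or BOM: cannot decide offline.
            status = "UNKNOWN (no explicit version; check parent/BOM)"
        elif is_fixed(version, fixed_lines):
            status = "FIXED"
        else:
            status = "VULNERABLE"
        results[artifact] = (raw, status)
    return results


# Constructed sample manifest: one stale Spring line, one patched Tomcat, one unpinned artifact.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><spring.version>5.3.17</spring.version></properties>
  <dependencies>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version></dependency>
    <dependency><groupId>org.apache.tomcat.embed</groupId><artifactId>tomcat-embed-core</artifactId>
      <version>9.0.62</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, (ver, status) in scan_pom(SAMPLE_POM).items():
        print(f"{artifact:20} {ver or '-':12} {status}")
```

An artifact with no explicit version is reported as unknown rather than silently passed, because in Maven that version usually comes from a parent POM or a BOM import that this offline check never sees; resolve it with the build tool before trusting the result.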