CyRC Vulnerability Analysis: Two distinct Spring vulnerabilities discovered – Spring4Shell and CVE-2022-22963
2022-3-31 07:52:14 Author: www.synopsys.com (view original) Views: 193

Posted by on Wednesday, March 30, 2022

Two vulnerabilities affecting different Spring projects were identified this week. Here’s what you need to know about Spring4Shell and CVE-2022-22963.


The Internet is buzzing with talk about two separate vulnerabilities related to different Spring projects. The two are not related, but have been confused because both vulnerabilities were disclosed at nearly the same time.

CVE-2022-22963

The first is CVE-2022-22963, tracked in the Black Duck Knowledgebase as BDSA-2022-0850. This is a remote code execution vulnerability in Spring Cloud Function. Although the vendor, VMware, issued it with a medium severity (https://tanzu.vmware.com/security/cve-2022-22963), researchers have since found that achieving remote code execution is possible. A patched version already exists, so affected users are urged to upgrade as soon as possible.

Spring4Shell

For the second vulnerability, a CVE identifier has not been assigned yet. This is the vulnerability many security researchers have been calling Spring4Shell. Under certain circumstances it allows an attacker to run arbitrary code, but the ease of exploitation varies with how the code running on Spring Boot is written and how Spring Boot is run. Synopsys CyRC researchers will continue to analyze the impact and exploitability of Spring4Shell and provide updates as soon as they become available.

Manage your security risks

Regardless of how Spring4Shell evolves, these two vulnerabilities highlight the importance of knowing what open source components you are using and keeping on top of vulnerabilities as they are disclosed.

A software composition analysis (SCA) solution like Black Duck does exactly this: it can build a software bill of materials (SBOM) for an application and proactively notify you when new vulnerabilities are disclosed in components you use.
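To make the SBOM-matching idea concrete, here is an added example; it is not code from the Synopsys post and not Black Duck's implementation. It parses a minimal CycloneDX-style component list (constructed inline) and matches each component against a small advisory table keyed by Maven coordinates. The one advisory entry reuses the CVE-2022-22963 identifier from the post, but its fixed_in value is a placeholder, not the real patched version; a real workflow would take the affected and fixed versions from an advisory feed such as the BDSA record the post mentions, and would refresh that table as new disclosures land.

```python
"""Match an SBOM's components against an advisory table.

Added example, not from the Synopsys post or from Black Duck.
The SBOM fragment and the advisory table are constructed for
illustration; the fixed_in value is a PLACEHOLDER, not the real
fixed version for CVE-2022-22963.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM fragment (only the fields we need).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"group": "org.springframework.cloud", "name": "spring-cloud-function-context", "version": "3.1.6"},
    {"group": "org.springframework", "name": "spring-beans", "version": "5.3.17.RELEASE"},
    {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.2"}
  ]
}
"""


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # identifier as published (CVE or vendor tracker id)
    group: str        # Maven groupId of the affected artifact
    name: str         # Maven artifactId of the affected artifact
    fixed_in: str     # first version that is no longer affected


# Constructed advisory table. fixed_in="9.9.9" is a PLACEHOLDER so the
# demo component matches; a real tool fills this from its advisory feed.
ADVISORIES = [
    Advisory("CVE-2022-22963", "org.springframework.cloud",
             "spring-cloud-function-context", fixed_in="9.9.9"),
]


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '3.1.6' or '5.3.17.RELEASE' into a comparable tuple of ints.

    Only the leading numeric segments are kept; qualifiers such as
    RELEASE or SNAPSHOT are ignored, which is sufficient for this demo.
    """
    parts: list[int] = []
    for piece in re.split(r"[.\-]", v):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version: str, fixed_in: str) -> bool:
    """True when `version` sorts strictly below `fixed_in` (pads short tuples with zeros)."""
    a, b = parse_version(version), parse_version(fixed_in)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def match_sbom(sbom_json: str, advisories: list[Advisory]) -> list[dict]:
    """Return one finding per (component, advisory) pair whose version is below fixed_in."""
    bom = json.loads(sbom_json)
    index: dict[tuple[str, str], list[Advisory]] = {}
    for adv in advisories:
        index.setdefault((adv.group, adv.name), []).append(adv)

    findings = []
    for comp in bom.get("components", []):
        key = (comp.get("group", ""), comp["name"])
        for adv in index.get(key, []):
            if is_affected(comp["version"], adv.fixed_in):
                findings.append({
                    "id": adv.advisory_id,
                    "component": f"{key[0]}:{key[1]}",
                    "version": comp["version"],
                    "fixed_in": adv.fixed_in,
                })
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['id']}: {f['component']} {f['version']} (fixed in {f['fixed_in']})")
```

Note that spring-beans produces no finding simply because the table has no entry for it, not because it has been assessed as safe; an SBOM is only as useful as the advisory data it is matched against, which is why the post stresses keeping on top of vulnerabilities as they are disclosed.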



Source: https://www.synopsys.com/blogs/software-security/cyrc-advisory-spring-vulnerabilities-spring4shell-cve-2022-22963/