No Patch Available Yet for Critical SpringShell Bug

Security researchers are warning of a new critical remote code execution bug in a popular Java developer framework, although reports that it could be the next Log4Shell may be overblown.
Dubbed “SpringShell” by some in the community, the vulnerability affects the spring-core artifact, a widely used component of the Spring Framework found in many Java applications, specifically when running on JDK9 or newer.
“The vulnerability affects anyone using spring-core, a core part of the Spring Framework, to perform logging, and anyone using software built on Spring, which is a large population of enterprise Java software,” explained Sonatype.
“It stems from a previously exploited issue (CVE-2010-1622) in Spring that was patched in the past, but became vulnerable again when used with JDK9.”
Sonatype warned that older versions of Spring which allow Java reflection are often exposed to RCE bugs like this. Ultimately, exploitation could allow an attacker to deliver a poisoned payload to a Spring application and gain full remote control of the system.
A separate blog post from Praetorian said that in certain configurations, exploitation of SpringShell is fairly straightforward, as an attacker only needs to send a crafted HTTP request to a vulnerable system. Other configurations may require more work to understand which payloads are effective, it added.
Spring is apparently similar in scale to Struts, the framework exploited in the notorious Equifax hack. The bug is also reminiscent of the Log4Shell vulnerability published in December, according to Sonatype.
However, some experts have poured cold water on suggestions that this bug could be as dangerous as that found in the Log4j utility.
“More details are required, but current information suggests in order to exploit the vulnerability, attackers will have to locate and identify web app instances that actually use the DeserializationUtils, something already known by developers to be dangerous. If proven true, SpringShell’s impact has the potential of being misconstrued as being more impactful or widespread than it may be,” argued Flashpoint.
“Although some may compare SpringShell to Log4Shell, it is not similar at a deeper level.”
If limited to JDK9 implementations as early indications suggest, SpringShell will also be less prevalent than Log4Shell, the firm added.
Spring developers are now locked in a race against time with the cybercrime community, as the former work to rush out a patch before a weaponized exploit becomes available.
In the meantime, Praetorian has listed some temporary mitigations.