The Cybersecurity and Infrastructure Security Agency has added the Spring4Shell remote code execution vulnerability impacting the Spring Framework to its Known Exploited Vulnerabilities Catalog, VentureBeat reports.
Federal agencies have been urged by CISA to patch the critical flaw, tracked as CVE-2022-22965, by April 25. Spring noted that several requirements have to be met, including the use of Apache Tomcat, for the bug to be exploited.

Meanwhile, VMware has already issued patches to address the Spring4Shell vulnerability in its VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager, and VMware Tanzu Kubernetes Grid Integrated Edition. "A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system," said VMware. However, fixes for impacted TKGI versions are yet to be issued.

While numerous deployments may have been impacted by Spring4Shell, mitigating circumstances have limited vulnerable deployments, according to Sonatype Field Chief Technology Officer Ilkka Turunen. "That said, with any big project, there is a ton of legacy out there that can result in older and unmaintained systems becoming potential entry points," Turunen said.
Despite multiple high-impact vulnerabilities and repeated warnings from Microsoft, government agencies and news media, there are likely at least hundreds of thousands of internet-connected servers running older, exposed versions of Exchange today.
Microsoft's security sales reached an all-time high in 2022, delivering more than $20 billion in annual revenue. This comes amid industry debate about the company's position as both a targeted tech giant and a security vendor.