Researchers on Wednesday found a new high-severity vulnerability in Spring Cloud Function, dubbed Spring4Shell, that could lead to remote code execution (RCE), letting attackers run arbitrary code on a machine and compromise the entire host.
Spring is an open-source, lightweight Java application development framework used by millions of developers to create high-quality, easily testable code.
In a blog post, researchers from Sysdig said this is the second very high-severity vulnerability discovered in the last several months, after the Log4Shell remote code execution vulnerability was found in the Log4j Java library.
The researchers said that under the CVSS system it scores 9.0, high severity. By exploiting the vulnerability it is possible to achieve total compromise of the host or container by executing arbitrary commands. The vulnerability, CVE-2022-22963, impacts Spring Cloud Function versions 3.1.6, 3.2.2, and older, unsupported versions.
There isn’t enough detailed information yet to determine how dangerous this vulnerability will be in the wild, or how widespread it will become if it turns out to be a serious threat, said Mike Parkin, senior technical engineer at Vulcan Cyber. Fortunately, Parkin said, there are some mitigations organizations can put in place, both in code using the Spring framework and at the WAF level, and Spring’s developer already appears to be working on a fix.
“A potential long-term challenge if this turns out to be another Log4j-level problem will be finding and updating all the projects that leverage the Spring framework,” Parkin said. “We are seeing this ‘find all the instances’ issue with Log4j and could potentially see it here, too.”
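As an added illustration of the "find all the instances" problem (example code written for this page, not from the article, Sysdig or the Spring project): a small Python scanner that reads Maven `dependency:list`-style output and flags `spring-cloud-function` artifacts whose versions fall in the range the article lists as affected. The sample build lines are constructed, and the affected range is an assumption derived from "3.1.6, 3.2.2, and older".

```python
import re

# Assumed affected range, derived from the article's "3.1.6, 3.2.2, and older":
# every release before the 3.1 line, 3.1.x up to 3.1.6, and 3.2.x up to 3.2.2.
ARTIFACT_PREFIX = "spring-cloud-function"

def parse_version(v):
    """Turn '3.1.6' or '3.2.2.RELEASE' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    major, minor, patch = parse_version(version)
    if (major, minor) < (3, 1):
        return True          # "older, unsupported versions"
    if (major, minor) == (3, 1):
        return patch <= 6    # 3.1.6 and earlier in the 3.1 line
    if (major, minor) == (3, 2):
        return patch <= 2    # 3.2.2 and earlier in the 3.2 line
    return False             # later lines are not listed as affected

def find_affected(dependency_lines):
    """Return (artifactId, version) pairs in the affected range.
    Expects Maven coordinate lines: groupId:artifactId:packaging:version[:scope]."""
    hits = []
    for line in dependency_lines:
        m = re.search(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+)(?::\w+)?", line)
        if not m:
            continue
        _group, artifact, version = m.groups()
        if artifact.startswith(ARTIFACT_PREFIX) and is_affected(version):
            hits.append((artifact, version))
    return hits

# Constructed sample of `mvn dependency:list` output; not from a real build.
SAMPLE = [
    "[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.1.6:compile",
    "[INFO]    org.springframework.cloud:spring-cloud-function-web:jar:3.2.2:compile",
    "[INFO]    org.springframework.cloud:spring-cloud-function-core:jar:3.2.3:compile",
    "[INFO]    org.springframework:spring-core:jar:5.3.17:compile",
]

if __name__ == "__main__":
    for artifact, version in find_affected(SAMPLE):
        print(f"AFFECTED: {artifact} {version}")
```

Run it over `mvn dependency:list` output from each build to get a first inventory; it checks declared versions only, so shaded or repackaged jars still need a separate look.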