Remote Code Execution (Spring4Shell)

Severity: Critical

Summary#

Invicti detected that the application is vulnerable to a remote code execution (RCE) vulnerability mainly affecting Spring MVC or Spring WebFlux applications on JDK 9+.

Impact#

The vulnerability allows attackers to execute arbitrary Java code on the target system. The attacker may also be able to execute arbitrary system commands.

Exploit of the vulnerability is known widely and should be addressed as soon as possible.

Remediation#

Affected applications should update to the latest available version of Spring. If you are using version 3.5.X you should update to version 3.5.18 or higher. Affected users with Spring 5.2.X should at least update their installations to 5.2.20 or above. If no immediate update to the higher version is possible, you can also use the workaround provided in the official spring announcement until the update can be rolled out.

Classifications#

ISO27001-A.14.2.5, HIPAA-164.306(a), 164.308(a), PCI v3.2-6.5.1, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, OWASP 2017-A1, CAPEC-242, CWE-94

Remote Code Execution (Spring4Shell)

Related Articles

Build your resistance to threats. And save hundreds of hours each month.