[HN Gopher] Spring Core on JDK9 is vulnerable to remote code exe...
___________________________________________________________________
Spring Core on JDK9 is vulnerable to remote code execution
Author : groundshark
Score : 21 points
Date : 2022-03-30 20:26 UTC (2 hours ago)
(HTM) web link (www.praetorian.com)
(TXT) w3m dump (www.praetorian.com)
| skered wrote:
| JDK9+? Not just 9.
| invokestatic wrote:
| I am still deeply skeptical that this exploit really exists, or
| if it does, it is extremely exaggerated. I can't really
| articulate the reasons why. Part of it is the fact that a lot of
| the people reporting on it self-admit that they are unfamiliar
| with Java and Spring. One "PoC" repo I've seen is just simple API
| misuse. API misuse is a CVE in the application that does the
| misusing, NOT the library that is misused (in this case spring).
|
| Something else is that very soon after there was a /hint/ of a
| log4j exploit, we saw rapid and evolving exploitation in the
| wild. We have nothing like that happening now, since this news
| first broke, what, 12 hours ago?
|
| Then there's also the suspicion where I feel the LunaSec people,
| one of the first groups to report on this, are desperately trying
| to re-catch the fire they caught when they first reported log4j.
| I'm sure that was amazing for marketing their company. Problem
| is, I think reporting on this before there is really indication
| of a real issue reduces the credibility of them as competent
| security researchers.
|
| Of course, I may come back to eat my words.
| groundshark wrote:
| Possible 0-day RCE impacting Spring applications.
| EdwardDiego wrote:
| Possible...
| freeqaz wrote:
| (Author that named "Log4Shell" here)
|
| FYI, this is confusing because there are 2 different RCEs that
| have been published within the last 24 hours. One has a CVE and
| the other doesn't.
|
| OP's post by Praetorian is discussing the RCE _without a CVE_,
| being called "Spring4Shell", that affects Spring Core and is
| likely more widespread/severe. It's pretty similar to the Apache
| Struts vuln that popped EquiFax a few years ago. (a Class Loader
| Manipulation vuln)
|
| The other RCE affects Spring Cloud Function and has been given
| CVE-2022-22963.
|
| We wrote a post[0] with info on both CVEs that references this
| Praetorian post under the "Remediation" section. We also added
| more information about the exploit scenarios to help push the
| ball forward for determining how widely exploitable this is going
| to be.
|
| (There is a 3rd possible one too, but it's still unconfirmed.)
|
| Basically, the authors of Spring Core tweeted[1] that there
| wasn't a vuln and that has added to the chaos of this. There is a
| vuln here. It's not as bad as Log4Shell, but it's still bad and
| likely widely exploitable given how popular Spring Core is. There
| are more steps required for exploitation so kids on Minecraft
| won't be griefing each other with it, but that won't stop the
| blackhats from weaponizing this quickly.
|
| So if you're using Spring Core or Spring Cloud Function, it's a
| good idea to stay up-to-date on this stuff because it's moving
| pretty quick. If you already looked earlier this morning, a lot
| has changed (like this Praetorian post).
|
| It'll be a fun weekend for security teams everywhere!
|
| 0: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
|
| 1: https://twitter.com/hacksilon/status/1509117953064812547
| olliej wrote:
| Looks like another "I'm in a 'safe' language, so can do unsafe
| things" crossed with the standard object deserialization error of
| default allowing any class to be instantiated.
|
| The temporary fix that they list seems to imply that the current
| APIs don't allow specifying a finite list of allowed classes?
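Editor's added example (not from the thread, not from Praetorian or the Spring project): the temporary fix referred to in the comment above is a data-binding restriction, not a list of permitted classes. Spring MVC binds request parameters onto the properties of the handler's argument object by property path, and the Spring4Shell technique abuses paths that walk from any bound object into `class.module.classLoader`. The usual mitigation registers a global `@InitBinder` that refuses those paths, and optionally an allowlist of the only property paths a given controller should ever bind. The class name `BinderControllerAdvice` and the `allowedForOrderForm` method are hypothetical; the `WebDataBinder.setDisallowedFields` / `setAllowedFields` calls and the `@ControllerAdvice` / `@InitBinder` annotations are real Spring APIs. Both capitalisations of `class` are listed because the pattern match was case-sensitive in the Spring versions this thread is about.

```java
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Hypothetical global binder advice (example code, not the project's own).
 * Spring applies every @InitBinder method in a @ControllerAdvice class to
 * every WebDataBinder created for every controller in the application, so
 * the denylist below covers all request-parameter-to-object binding.
 */
@ControllerAdvice
public class BinderControllerAdvice {

    /**
     * Reject any property path that starts with, or passes through, the
     * "class" property. That cuts off the walk
     *   bound object -> getClass() -> module -> classLoader -> ...
     * that the Spring4Shell technique relies on. Patterns are Ant-style:
     *   "class.*"    - paths starting at the object's own class property
     *   "*.class.*"  - the same property reached via a nested bean
     * Both capitalisations are given because matching is case-sensitive
     * in the affected versions (assumption stated in the lead-in).
     */
    @InitBinder
    public void denyClassLoaderPaths(WebDataBinder dataBinder) {
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}

/*
 * Optional, per-controller positive model: instead of naming what is
 * forbidden, name the only property paths this handler may bind. A binder
 * with allowed fields set drops every other parameter, including any
 * "class.module.classLoader..." path, whether or not it is on the denylist.
 * This method is hypothetical and would live inside the controller that
 * binds the form object in question.
 */
/*
@InitBinder("orderForm")
public void allowedForOrderForm(WebDataBinder dataBinder) {
    dataBinder.setAllowedFields("customerName", "quantity", "shipTo.street",
                                "shipTo.city", "shipTo.postalCode");
}
*/
```

Disallowed fields are applied to the property path of each request parameter before the binder touches the target object, so a request carrying a parameter such as `class.module.classLoader.resources.context.parent.pipeline.first.pattern` is rejected at binding rather than reaching a setter. The allowlist form is the stronger control where the set of bindable fields is known, because it does not depend on enumerating every spelling of the dangerous path.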
| scanr wrote:
| "This vulnerability allows an unauthenticated attacker to execute
| arbitrary code on the target system.".
|
| Interesting that the CVE has been around for so long.
___________________________________________________________________
(page generated 2022-03-30 23:00 UTC)