[HN Gopher]
___________________________________________________________________
Spring Core on JDK9 is vulnerable to remote code execution
Author : groundshark
Score  : 21 points
Date   : 2022-03-30 20:26 UTC (2 hours ago)
web link (www.praetorian.com)

  skered wrote:
  | JDK9+? Not just 9.

  invokestatic wrote:
  | I am still deeply skeptical that this exploit really exists, or
  | if it does, it is extremely exaggerated. I can't really
  | articulate the reasons why. Part of it is the fact that a lot of
  | the people reporting on it self-admit that they are unfamiliar
  | with Java and Spring. One "PoC" repo I've seen is just simple API
  | misuse. API misuse is a CVE in the application that does the
  | misusing, NOT the library that is misused (in this case Spring).
  |
  | Something else is that very soon after there was a /hint/ of a
  | log4j exploit, we saw rapid and evolving exploitation in the
  | wild. We have nothing like that happening now, since this news
  | first broke, what, 12 hours ago?
  |
  | Then there's also the suspicion where I feel the LunaSec people,
  | one of the first groups to report on this, are desperately trying
  | to re-catch the fire they caught when they first reported log4j.
  | I'm sure that was amazing for marketing their company. Problem
  | is, I think reporting on this before there is really indication
  | of a real issue reduces the credibility of them as competent
  | security researchers.
  |
  | Of course, I may come back to eat my words.

  groundshark wrote:
  | Possible 0-day RCE impacting Spring applications.

    EdwardDiego wrote:
    | Possible...

  freeqaz wrote:
  | (Author that named "Log4Shell" here)
  |
  | FYI, this is confusing because there are 2 different RCEs that
  | have been published within the last 24 hours. One has a CVE and
  | the other doesn't.
  |
  | OP's post by Praetorian is discussing the RCE _without a CVE_,
  | being called "Spring4Shell", that affects Spring Core and is
  | likely more widespread/severe. It's pretty similar to the Apache
  | Struts vuln that popped Equifax a few years ago. (a Class Loader
  | Manipulation vuln)
  |
  | The other RCE affects Spring Cloud Function and has been given
  | CVE-2022-22963.
  |
  | We wrote a post[0] with info on both CVEs that references this
  | Praetorian post under the "Remediation" section. We also added
  | more information about the exploit scenarios to help push the
  | ball forward for determining how widely exploitable this is going
  | to be.
  |
  | (There is a 3rd possible one too, but it's still unconfirmed.)
  |
  | Basically, the authors of Spring Core tweeted[1] that there
  | wasn't a vuln and that has added to the chaos of this. There is a
  | vuln here. It's not as bad as Log4Shell, but it's still bad and
  | likely widely exploitable given how popular Spring Core is. There
  | are more steps required for exploitation so kids on Minecraft
  | won't be griefing each other with it, but that won't stop the
  | blackhats from weaponizing this quickly.
  |
  | So if you're using Spring Core or Spring Cloud Function, it's a
  | good idea to stay up-to-date on this stuff because it's moving
  | pretty quick. If you already looked earlier this morning, a lot
  | has changed (like this Praetorian post).
  |
  | It'll be a fun weekend for security teams everywhere!
  |
  | 0: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
  |
  | 1: https://twitter.com/hacksilon/status/1509117953064812547

  olliej wrote:
  | Looks like another "I'm in a 'safe' language, so can do unsafe
  | things" crossed with the standard object deserialization error of
  | default allowing any class to be instantiated.
  |
  | The temporary fix that they list seems to imply that the current
  | APIs don't allow specifying a finite list of allowed classes?
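The kind of temporary binder-level fix the comment above refers to, as an added example that is not code from the thread, from Praetorian or from the Spring project: a global @ControllerAdvice that registers deny patterns on every Spring MVC WebDataBinder so request parameters cannot bind to nested "class"/"Class" property paths. The package name is hypothetical and the exact patterns are my assumption; check them against the guidance you actually follow.

```java
// Added example, not the thread's or Spring's own code. Hypothetical package name.
package example.hardening;

import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// @InitBinder methods in a @ControllerAdvice run for every controller's
// WebDataBinder, before that controller's own @InitBinder methods.
@ControllerAdvice
public class BinderHardeningAdvice {

    // Property-path patterns (assumed here) that WebDataBinder checks against
    // each incoming parameter name before any setter is invoked. Both
    // capitalisations are listed because the check is case sensitive.
    private static final String[] DENIED = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void denyClassPropertyPaths(WebDataBinder binder) {
        // Append to any deny list already present instead of replacing it.
        // Note: a controller-level @InitBinder that later calls
        // setDisallowedFields(...) with its own list would replace this one,
        // so such controllers must append as well.
        String[] existing = binder.getDisallowedFields();
        String[] merged;
        if (existing == null || existing.length == 0) {
            merged = DENIED.clone();
        } else {
            merged = new String[existing.length + DENIED.length];
            System.arraycopy(existing, 0, merged, 0, existing.length);
            System.arraycopy(DENIED, 0, merged, existing.length, DENIED.length);
        }
        binder.setDisallowedFields(merged);
    }
}
```

A denied parameter is silently skipped by the binder, so pair this with request logging if you want visibility into attempts that hit the deny list.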
  scanr wrote:
  | "This vulnerability allows an unauthenticated attacker to execute
  | arbitrary code on the target system."
  |
  | Interesting that the CVE has been around for so long.
___________________________________________________________________
(page generated 2022-03-30 23:00 UTC)