A newly discovered vulnerability in Spring Cloud Function has the potential to be the next Log4Shell, according to security researchers today.
The vulnerability, dubbed “Spring4Shell,” is found in Spring Cloud Function versions 3.16, 3.22 and older. Spring is an open-source, lightweight Java application development framework. Millions use it, which is why it could have an impact similar to that of Log4Shell.
The vulnerability allows remote code execution, which an attacker can use to compromise the network on which Spring is running. With that access, anything from data theft to bringing an entire site down is possible.
There is disagreement in the security community as to exactly how severe Spring4Shell is. There is not even consensus on what to call it, with some referring to it as “SpringShell.” Some reports suggest that the vulnerability has a Common Vulnerability Scoring System score of 9.0, yet the Common Vulnerabilities and Exposures listing ranks the severity as medium.
What is clear is that Spring4Shell is a risk. Bleeping Computer reported that an exploit for the vulnerability was briefly leaked online and then removed. That it was then removed isn’t the important part; it’s that an exploit already exists.
Spring has released an update to address the vulnerability, and users are urged to upgrade immediately.
“What made log4j such a problem is that it is often installed on appliances and other ‘headless’ devices that are not maintained by the end customer,” John Bambenek, principal threat hunter at information technology service management company Netenrich Inc., told SiliconANGLE. “It is unclear how true this will be for Spring, but any RCE issue should go straight to the top of the pile for security teams to address.”
Mike Parkin, senior technical engineer at cyber risk management firm Vulcan Cyber Ltd., noted that there isn’t enough detailed information yet to determine how dangerous this vulnerability will be in the wild, and how widespread it will become if it does turn out to be a serious threat.
“Fortunately, there are some mitigations organizations can put in place, both in code using the Spring framework and at the WAF level, and Spring’s developer already appears to be working on a fix,” Parkin explained. “A potential long-term challenge, if this turns out to be another log4j-level problem, will be finding and updating all the projects that leverage the Spring framework.”
Jeff Costlow, chief information security officer at cloud-native cybersecurity solutions provider ExtraHop Networks Inc., said security teams need to understand immediately what software and devices might be affected and identify whether there are any vulnerable devices in their environment.
“This can be remarkably challenging because many organizations struggle to maintain an up-to-date inventory of devices, let alone possess the ability to detect software types and versions running on those devices,” Costlow said.