16% of Organizations Impacted by Spring4Shell Exploitations, Europe Worst Hit

essidsolutions

Now that the dust has settled on the recently disclosed exploit for CVE-2022-22965, better known as the Spring4Shell vulnerability, we finally have a view of the impact that exploitation attempts had across industries and regions. According to Israeli security company Check Point Software Technologies, approximately 16% of organizations globally were hit by Spring4Shell exploitation attempts.

Spring4Shell became the buzzword in cybersecurity circles last week for three main reasons. First, the Spring4Shell exploit was leaked before Spring could release patches.

Exploits and proof-of-concept code have leaked ahead of patches before. A serious example is CVE-2021-1675 (CVSS 7.8), a vulnerability in Microsoft’s Print Spooler service (spoolsv.exe) in Windows. It is one of the two PrintNightmare vulnerabilities that allow remote code execution. A proof of concept was published by Sangfor on GitHub and quickly deleted, but not before malicious actors cloned it; Microsoft later assigned the RCE variant that PoC demonstrated its own identifier, CVE-2021-34527.

Like Spring, Microsoft pushed out an out-of-band update in June/July 2021 to contain an exploit already circulating in the wild. Yet that episode did not send the cybersecurity community or the press into the same frenzy.

So why did Spring4Shell? That brings us to the second reason it generated more noise than it arguably should have. Beyond the fact that CVE-2022-22965 is a critical flaw with a CVSS score of 9.8, the reaction probably had something to do with its name: Spring4Shell.

The name Spring4Shell is derived from the Log4Shell vulnerabilities discovered late last year in the Java-based logging library Log4j. Log4Shell’s footprint is wide enough that security researchers assess complete remediation may take years.

Check Point referred to Log4Shell as part of a “cyber pandemic” and stated that Log4Shell “is clearly one of the most serious vulnerabilities on the internet in recent years.” However, both the data and researchers’ opinions suggest that while Spring4Shell is serious, it is not severe enough to equate the two.

Flashpoint security researchers even advised against using the name Spring4Shell. They said, “Although the ‘Spring4Shell’ name variation has gotten more traction in the media, we encourage others not to use it. The ‘4’ is strictly arbitrary, being used to reference the Log4Shell vulnerability, which derived its name from the Log4j library. Additionally, Spring4Shell implies that this issue is as severe as Log4Shell and current information does not support this.”

Thirdly, days before the Spring4Shell exploit leaked, Spring had just patched CVE-2022-22963, an RCE vulnerability in Spring Cloud Function. Confusion ensued over whether Spring4Shell was related to CVE-2022-22963 or to older Spring flaws.

So what was the true impact of Spring4Shell exploitation attempts after the vulnerability was discovered and the exploit leaked?

Impact Area of Spring4Shell Exploitations

Spring4Shell has cast a wide net, with exploitation attempts distributed globally. In the first four days after its disclosure, those attempts reached 16%, or approximately one in six, of the organizations in Check Point’s telemetry.

A couple of days ago, Microsoft also confirmed active exploitation of Spring4Shell: “Since the Spring Core vulnerability was announced, we have been tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities.” The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2022-22965 to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation.

Data available until April 3 (the weekend following discovery) | Source: Check Point


Interestingly, the number of attempts stayed low on Thursday, the day after the exploit leaked on Wednesday. Attempted exploitation then climbed from Friday onwards.

Region-wise, Europe saw the highest share of Spring4Shell exploitation attempts, at least as of the start of this week.

Spring4Shell Region-Wise Impact | Source: Check Point

Industry-wise, software vendors were targeted the most, followed by the education and research sector, insurance, and legal.

Spring4Shell Industry-Wise Impact | Source: Check Point

Over the first weekend following the vulnerability’s discovery, Check Point recorded nearly 37,000 exploitation attempts. That is not a small number, but it is modest next to Log4Shell: Check Point reported thwarting 845,000 attempts in the week following the discovery of the three Log4j vulnerabilities.

By December 12, 2021, Sophos had also observed hundreds of thousands of remote code execution attempts, and Check Point said it had prevented 4.3 million intrusion attempts by December 20, 2021.

Exploitation of Spring4Shell has been relatively low compared to Log4Shell. Log4Shell was exploitable in default Log4j configurations, whereas the publicly known Spring4Shell exploit depends on a specific deployment setup:

  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older, unsupported versions
  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency
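As an added illustration (not code from the article, Check Point or Spring), the following Java utility checks a deployed WAR and the running JDK against the preconditions listed above: it looks for spring-beans and spring-webmvc/spring-webflux jars under WEB-INF/lib, flags Spring Framework versions older than the fixed 5.3.18 and 5.2.20 releases (Spring’s published fix versions), and reports whether the JDK is 9 or newer. It does not check the servlet container; that the app is a WAR is implied by what it scans. The class and method names are my own, and WAR paths are supplied on the command line.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

/** Checks a WAR and the current JDK against the known Spring4Shell exploit preconditions. */
public class Spring4ShellTriage {

    // spring-beans carries the vulnerable data-binding code; spring-webmvc/webflux expose it over HTTP.
    // Matches e.g. WEB-INF/lib/spring-beans-5.3.17.jar and WEB-INF/lib/spring-beans-5.2.19.RELEASE.jar.
    private static final Pattern SPRING_JAR = Pattern.compile(
        "^WEB-INF/lib/spring-(beans|webmvc|webflux)-(\\d+\\.\\d+\\.\\d+)[^/]*\\.jar$");

    /** True if a Spring Framework version predates the fixed 5.3.18 / 5.2.20 releases. */
    static boolean isVulnerableSpringVersion(String version) {
        String[] p = version.split("\\.");
        int major = Integer.parseInt(p[0]);
        int minor = Integer.parseInt(p[1]);
        int patch = Integer.parseInt(p[2]);
        if (major != 5) return major < 5;   // 4.x and earlier: out of support, never patched; 6.x: post-fix
        if (minor == 3) return patch < 18;
        if (minor == 2) return patch < 20;
        return minor < 2;                   // 5.0.x / 5.1.x: end of life, no fix released
    }

    /** True if the JDK is 9 or newer, which the public exploit needs to reach the class loader. */
    static boolean jdkMeetsExploitPrecondition(String specVersion) {
        if (specVersion.startsWith("1.")) return false;   // "1.8" is Java 8
        return Integer.parseInt(specVersion.split("\\.")[0]) >= 9;
    }

    /** Result of scanning one WAR. */
    static final class WarReport {
        final List<String> vulnerableBeansJars = new ArrayList<>();
        boolean hasWebMvcOrWebFlux;

        /** The listed preconditions are met when an old spring-beans and a web module are both present. */
        boolean meetsExploitPreconditions() {
            return !vulnerableBeansJars.isEmpty() && hasWebMvcOrWebFlux;
        }
    }

    static WarReport scanWar(String warPath) throws IOException {
        WarReport report = new WarReport();
        try (ZipFile war = new ZipFile(warPath)) {
            Enumeration<? extends ZipEntry> entries = war.entries();
            while (entries.hasMoreElements()) {
                String name = entries.nextElement().getName();
                Matcher m = SPRING_JAR.matcher(name);
                if (!m.matches()) continue;
                if (m.group(1).equals("beans")) {
                    if (isVulnerableSpringVersion(m.group(2))) report.vulnerableBeansJars.add(name);
                } else {
                    report.hasWebMvcOrWebFlux = true;
                }
            }
        }
        return report;
    }

    public static void main(String[] args) throws IOException {
        String jdk = System.getProperty("java.specification.version");
        System.out.println("JDK " + jdk + " is 9+ (required by the known exploit): "
            + jdkMeetsExploitPrecondition(jdk));
        for (String war : args) {
            WarReport r = scanWar(war);
            System.out.println(war + ": vulnerable spring-beans jars " + r.vulnerableBeansJars
                + ", spring-webmvc/webflux present " + r.hasWebMvcOrWebFlux
                + ", exploit preconditions met " + r.meetsExploitPreconditions());
        }
    }
}
```

Run it on the same JDK the application server uses (java -cp . Spring4ShellTriage /path/to/app.war), since the JDK check reads the version of whatever JVM runs the tool. A "preconditions not met" result is not a clean bill of health: Spring noted the vulnerability is more general than the reported exploit, so an old spring-beans jar still needs the upgrade.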

Nevertheless, organizations should prioritize patching the critical flaw by upgrading to Spring Framework 5.3.18 or 5.2.20 (Spring Boot 2.6.6 or 2.5.12) and to an Apache Tomcat release that hardens its class loader against this path (10.0.20, 9.0.62 or 8.5.78). Spring has cautioned that the preconditions above describe the reported exploit and that the underlying vulnerability is more general, so the upgrade is the fix, not the preconditions. For those unable to upgrade immediately, Spring listed downgrading to JDK 8 and setting disallowedFields on WebDataBinder globally (through a @ControllerAdvice) as temporary workarounds, noting that the latter has a loophole: a controller’s own @InitBinder that calls setDisallowedFields overrides the global denylist.
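The global disallowedFields workaround, as an added example that is neither Spring’s own code nor code from the article: the advice below denies binding of any request parameter whose property path passes through "class" (the public exploit walked class.module.classLoader.* to reach Tomcat’s class loader), and the sample controller shows how a local @InitBinder must merge with, rather than replace, the global denylist. The patterns are the four Spring published; the class names, OrderController and the "id" field are illustrative assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global workaround for CVE-2022-22965 on a Spring Framework version that cannot be upgraded yet:
 * refuse to bind request parameters whose property path goes through "class".
 */
@ControllerAdvice
public class BinderControllerAdvice {

    // Both capitalisations are listed because pre-fix DataBinder versions match these patterns
    // case-sensitively, and "*.class.*" covers nested paths such as order.customer.class.module...
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void denyClassLoaderTraversal(WebDataBinder binder) {
        binder.setDisallowedFields(DENYLIST);
    }
}

/**
 * Illustrative controller. Advice @InitBinder methods run before a controller's own, so a local
 * call to setDisallowedFields("id") alone would silently discard the global class.* patterns.
 * Merging with whatever is already set closes that loophole.
 */
@Controller
class OrderController {

    @InitBinder
    void localBindingRules(WebDataBinder binder) {
        String[] global = binder.getDisallowedFields();   // may be null if no advice set any
        List<String> merged = new ArrayList<>();
        if (global != null) merged.addAll(Arrays.asList(global));
        merged.add("id");                                  // hypothetical field this controller protects
        binder.setDisallowedFields(merged.toArray(new String[0]));
    }
}
```

Because the loophole is easy to reintroduce in any controller, Spring also suggested enforcing the denylist by extending RequestMappingHandlerAdapter after @InitBinder methods have run; either way, treat the workaround as a stopgap until the framework and container are upgraded.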

The technical details of the attack vector and mitigations are published by Microsoft, Spring, and Spring’s parent company VMware.
