The US Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework to its Known Exploited Vulnerabilities catalog, citing "evidence of active exploitation."
The critical vulnerability, tracked as CVE-2022-22965 (CVSS score: 9.8) and dubbed "Spring4Shell", affects Spring model-view-controller (MVC) and Spring WebFlux applications running on Java Development Kit (JDK) 9 or later.
"The exploit requires a DataBinder-enabled endpoint (e.g. a POST request that automatically decodes data from the request body) and is highly dependent on the servlet container for the application," security researchers Anthony Weems and Dallas Kaman noted last week.
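To make "DataBinder-enabled endpoint" concrete, the following is an added example, not code from the article or from the researchers quoted above. It shows a Spring MVC controller whose POST handler takes a plain form object, so Spring binds request parameters onto it through WebDataBinder, alongside the global disallowed-fields workaround that Spring published for CVE-2022-22965. The class names, the form fields and the /greet path are hypothetical; upgrading to a fixed Spring Framework release (5.3.18 or 5.2.20) remains the actual fix.

```java
// Added example, not from the article. Illustrates the kind of endpoint the
// quoted researchers describe and Spring's published disallowed-fields
// workaround for CVE-2022-22965. Names such as GreetingForm and /greet are
// hypothetical.
package com.example.demo;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

/** Plain JavaBean; WebDataBinder populates it from request parameters. */
class GreetingForm {
    private String name;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}

/**
 * DataBinder-enabled endpoint: the handler parameter carries no @RequestBody,
 * so Spring MVC runs WebDataBinder over the request parameters and sets every
 * property path whose name matches, nested paths included. This parameter
 * binding (form-encoded bodies, query strings) is what the quoted researchers
 * mean, not JSON deserialization via @RequestBody.
 */
@RestController
class GreetingController {
    @PostMapping("/greet")
    public String greet(GreetingForm form) {
        return "Hello, " + form.getName();
    }
}

/**
 * Global workaround from Spring's advisory: refuse to bind any property path
 * that walks through "class" or "Class" (the paths the exploit relies on).
 * LOWEST_PRECEDENCE makes this advice run after other binder initializers.
 * Caveat: a controller-local @InitBinder that calls setDisallowedFields with
 * its own list replaces this one for that controller, so audit those too.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
class BinderControllerAdvice {
    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

The advice is a mitigation, not a patch: it narrows what the binder will touch but leaves the underlying framework behaviour in place, so treat it as a stopgap until the application is rebuilt against a fixed Spring Framework version and redeployed.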
While the exact details of in-the-wild exploitation remain unclear, security firm SecurityScorecard says "this vulnerability scanning activity has been observed coming from the usual suspects such as the IP space of Russia and China."
Similar scanning activity was detected by Akamai and Palo Alto Networks' Unit 42, with attempts leading to the deployment of web shells for backdoor access and arbitrary command execution on the server, with the goal of dropping additional malware or spreading within the target network.
"In the first four days after the vulnerability outbreak, 16% of organizations worldwide were impacted by exploitation attempts," said Check Point Research, which also detected 37,000 Spring4Shell-related attacks over the weekend.
The Microsoft 365 Defender Threat Intelligence team also weighed in, saying it has "been tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities."
According to statistics published by Sonatype, potentially vulnerable Spring Framework versions account for 81% of total downloads from the Maven Central repository since the issue came to light on March 31.
Cisco, which is actively investigating its product line to determine which of its products may be affected by the vulnerability, has confirmed that three of its products are affected –
Cisco Crosswork Zero Touch Provisioning (ZTP), Cisco Crosswork Optimization Engine and Cisco Edge Intelligence
For its part, VMware also considers three of its products to be vulnerable, offering patches and workarounds where possible –
VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)
“A malicious actor with network access to an affected VMware product could exploit this issue to gain full control of the target system,” VMware said in its advisory.
Also added to the catalog by CISA are two zero-day bugs patched by Apple last week (CVE-2022-22674 and CVE-2022-22675) and a critical flaw in D-Link routers (CVE-2021-45382) that has been actively weaponized by the Beastmode Mirai-based DDoS botnet.
Pursuant to the Binding Operational Directive (BOD) 22-01 issued by CISA in November 2021, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by April 25, 2022.