The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed CVE-2022-22965 (aka Spring4Shell, CVSS score: 9.8) flaw in the Spring Framework, along with three other issues, to its Known Exploited Vulnerabilities Catalog.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
The Spring4Shell issue was disclosed last week, it resides in the Spring Core Java framework. An unauthenticated, remote attacker could trigger the vulnerability to execute arbitrary code on the target system. The framework is currently maintained by Spring.io which is a subsidiary of VMware.
The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE (Enterprise Edition) platform.
The flaw impacts Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later.
Spring4Shell impacts VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager, and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).
The exploitation of this flaw could allow a remote attacker to execute arbitrary code on vulnerable systems. Researchers from Palo Alto Networks’ Unit42 and Akamai have observed the issue being exploited in the wild to deploy malicious code.
Please vote Security Affairs as best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and other of your choice.
To nominate, please visit: https://forms.gle/4D4PygUVcNxFQ6iFA
(SecurityAffairs – hacking, Known Exploited Vulnerabilities Catalog)