‘Spring4Shell’ bug in framework for Java programming draws widespread warnings

Web applications created in the Spring platform could leave users open to remote code execution, CISA and others are warning.
Spring, Spring4Shell

Security researchers are urging users of Spring — a popular framework for creating create web applications in the widely used Java programming language — to update their software due to a critical vulnerability discovered this week.

An alert Friday from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency warns Spring users that a remote attacker “could exploit this vulnerability to take control of an affected system,” otherwise known as remote code execution (RCE).

Researchers are already calling the bug Spring4Shell, a name reminiscent of the major Log4Shell bug discovered in December in the open source Log4j logging software for websites. Spring4Shell is also open source software, which can complicate the response to a major bug.

The CISA alert does not specify how widely Log4Shell might be exploited so far. Researchers at Rapid7 said in an updated blog post Friday that it is still “a quickly evolving incident.”


Engineers at Spring, part of IT giant VMware, announced the vulnerability Thursday, roughly two days after reports noted that its existence had been leaked outside of usual vulnerability disclosure processes. Spring posted a guide to mitigation on Thursday.

The potential for exploitation of Spring4Shell can vary from project to project, researchers say, given that not all programmers might be using the same version of the Spring platform.

“In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted HTTP request to a vulnerable system,” researchers at Praetorian said. “However, exploitation of different configurations will require the attacker to do additional research to find payloads that will be effective.”

There are signs that Spring4Shell had drawn potentially malicious activity before this week. Researchers at 360 Netlab say they have evidence of activity as early as 10 days before Spring officially announced the bug. A familiar piece of malware subsequently has reared its head, 360 Netlab said. A variant of the Mirai malware “has won the race as the first botnet that adopted this vulnerability,” the researchers wrote.

Researchers are also tracking at least one other Spring vulnerability — in the Spring Cloud Function, not the core Spring platform — that is not considered to be as severe as Spring4Shell. Researchers at Lunasec also noted that there is an unconfirmed third Spring bug that is “not severe currently.”

Latest Podcasts