Spring Remote Code Execution Vulnerability

Spring Remote Code Execution Vulnerability

A new issue impacting Spring Core on Java 9 and newer could be the next Log4J. Here's what I know so far (mitigation and investigation).

Table of contents

I'd like to start by saying that I'm not a security expert. I also won't link to the exploit. This is a very fresh take on a new vulnerability but there's already confirmation from Sonatype. The current exploit seems to be limited to Spring on top of Tomcat but it probably can be adapted since the underlying vulnerability seems general enough.

The vulnerability only impacts Java 9 or newer so if you have an older version you should be safe from this specific exploit.

The core problem is a regression related to an old RCE which was fixed here.

The problem is that the Java 9 module system increased the surface area. So the original fix for the RCE is no longer sufficient.

Workaround

This is actually pretty simple... Cyber Kendra included a solution and it was also mentioned by Praetorian. It seems like a prudent thing to add and I suggest you incorporate it as soon as possible!

Detection

If you have Lightrun in your servers you can instantly detect if this is exploited by placing a snapshot in the BeanWrapperImpl class as I explain in this twitter video.