Tenable expert clears up confusion about RCE errors in VMware product

US cloud computing and virtualization technology company VMware has released an advisory on a remotely exploitable vulnerability in Spring Cloud Function, a framework for implementing business logic through functions.

Another flaw in Spring Core, which can also be exploited remotely, has come to light and has been named Spring4Shell or SpringShell.

There has been a tendency to confuse Spring4Shell with the Log4Shell vulnerability due to the similarity in nomenclature.

However, Satnam Narang, a staff investigator at security firm Tenable, said there was no connection at all.

“On March 29, VMware published an advisory for a vulnerability in Spring Cloud Function (CVE-2022-22963), a framework for implementing business logic through functions,” he explains.

“The vulnerability currently has a CVSSv3 rating of 5.4. However, because it is considered a remote code execution flaw that could be exploited by an unauthenticated attacker, it appears that the CVSSv3 score may not reflect the true impact.”

Log4Shell surfaced at the end of 2021 and was heavily hyped by the infosec industry, though attacks never reached the expected scale. It is an unauthenticated remote code execution flaw that allows full takeover of systems running versions 2.0-beta9 through 2.14.1 of the Log4j library.
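The version range quoted above is the kind of fact a defender turns into an inventory check. The following Python checker is an added example, not code from the article or from Tenable, VMware or the Log4j project: it parses Log4j version strings, including the pre-release tag in 2.0-beta9, which must sort before the final 2.0 release, and flags jar files whose version falls inside the 2.0-beta9 to 2.14.1 range the article gives. The jar names in the inventory are constructed sample data.

```python
import re

# Affected range as stated in the article (inclusive at both ends).
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.14.1"

# Matches "2.14.1", "2.0-beta9", "2.0-rc1"; patch number is optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d+)?)?")


def parse_version(text):
    """Return a sortable key for a Log4j version string.

    Pre-release builds (beta9, rc1) sort before the final release of the
    same major.minor.patch, so 2.0-beta9 < 2.0 < 2.0.1.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    numeric = (int(major), int(minor), int(patch or 0))
    # (0, tag, n) for pre-releases, (1, "", 0) for a final release.
    prerelease = (0, tag.lower(), int(tag_num or 0)) if tag else (1, "", 0)
    return numeric + prerelease


def is_affected(version):
    """True if the version lies within the article's affected range."""
    key = parse_version(version)
    return parse_version(AFFECTED_LOW) <= key <= parse_version(AFFECTED_HIGH)


# Jar names such as "log4j-core-2.14.1.jar"; the version is the trailing part.
_JAR_RE = re.compile(r"log4j-core-(.+)\.jar$")


def flag_jars(jar_names):
    """Return the names of log4j-core jars whose version is in the affected range."""
    flagged = []
    for name in jar_names:
        m = _JAR_RE.search(name)
        if not m:
            continue  # not a log4j-core artifact, skip
        if is_affected(m.group(1)):
            flagged.append(name)
    return flagged


# Constructed sample inventory (not real hosts or findings).
SAMPLE_INVENTORY = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.15.0.jar",
    "/opt/legacy/lib/log4j-core-2.0-beta9.jar",
    "/opt/legacy/lib/log4j-core-2.0-beta8.jar",
    "/opt/old/lib/log4j-1.2.17.jar",
    "/opt/app/lib/spring-core-5.3.17.jar",
]

if __name__ == "__main__":
    for jar in flag_jars(SAMPLE_INVENTORY):
        print("affected:", jar)
```

The range is taken from the article as stated; later Log4j advisories extended the affected versions, so a production inventory check should track the vendor's current advisory rather than hard-coding this range.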

Narang said there were reports that mixed up CVE-2022-22963 with a separate, alleged remote code execution vulnerability in Spring Core called Spring4Shell or SpringShell.

“There is no CVE assigned to Spring4Shell, adding to the confusion. While both vulnerabilities are critical vulnerabilities in remote code execution, they are two different vulnerabilities that affect different fixes,” he noted.

While CVE-2022-22963 is in Spring Cloud Function, a serverless framework that is part of Spring Cloud, Spring4Shell is in the Spring Framework, a programming and configuration model for Java-based business applications.

“Despite the naming convention that bears similarity to Log4Shell, Spring4Shell is unrelated and does not appear to be as large as Log4Shell,” Narang added.

“Spring4Shell has some non-standard configuration requirements, although it is unclear which applications implement them. As with Log4Shell, it will take some time to know the full scope and impact of Spring4Shell, but we can say that it is not as important as Log4Shell.

“For CVE-2022-22963, there are patches available for specific versions of Spring Cloud Function. There is currently no patch for Spring4Shell, making it a zero day, although we expect more details to be revealed shortly.”

Dan Murphy, a leading architect at web application security provider Invicti, said: “While the Spring4Shell vulnerability is serious and needs to be patched, our initial findings indicate that this will not be the next Log4Shell incident.

“What we know about the severity of Spring4Shell is that the current exploits circulating depend on conditions that are not the standard for most modern Spring applications.

“Log4Shell, by comparison, also impacted the Java ecosystem, but was more widely exploitable. That said, organizations still need to follow standard best practices and create a plan for patching. The underlying issue is still there and could potentially be exploited in the future in undiscovered ways.”
