Sequretek Advisory - Spring4Shell: Zero-Day Remote Code Execution
4/01/2022

Attackers are exploiting a zero-day vulnerability, dubbed Spring4Shell, in the Spring Core Java framework. Exploit code is publicly available for this remote code execution vulnerability. The bug can be fully weaponized and abused on a larger scale.

• A zero-day remote code execution (RCE) vulnerability has been identified in the Java Spring framework, tracked as CVE-2022-22965 with a CVSS score of 9.8.

• The vulnerability is also known as “Spring4Shell” and “SpringShell”. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

• VMware Spring is an open-source Java toolkit for building powerful Java apps, including cloud-based apps. One of the main components is Spring Core, which provides powerful features such as inversion of control and dependency injection. The vulnerability takes advantage of an issue in this component to execute arbitrary code on the host or container.

• The vulnerability is being exploited in the wild after a Chinese-speaking developer posted exploit code for the zero-day. Using the exploit code, unauthenticated attackers could trigger RCE on target systems.
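
A triage check for the two conditions stated above (a Spring MVC or Spring WebFlux application, running on JDK 9+), added here as an example and not part of the Sequretek advisory. The function names, the nesting depth limit and the sample archive are assumptions; a match marks an artifact for review and does not confirm that it is exploitable.

```python
import io
import re
import zipfile

# Added example: names and the nesting depth limit are assumptions, not from the advisory.
# Artifact names for the two web stacks the advisory names (Spring MVC, Spring WebFlux).
SPRING_WEB_JAR = re.compile(r"(?:^|/)(spring-(?:webmvc|webflux))-([^/]+)\.jar$")

def java_major(version: str) -> int:
    """Major release from a java.version string: '1.8.0_312' -> 8, '11.0.14' -> 11."""
    parts = re.split(r"[._+-]", version.strip())
    major = int(parts[0])
    return int(parts[1]) if major == 1 and len(parts) > 1 else major

def find_spring_web(archive, depth=0):
    """Return sorted (module, version) pairs for Spring MVC/WebFlux jars in a JAR/WAR,
    descending into nested archives (fat JARs, WAR WEB-INF/lib)."""
    found = set()
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            m = SPRING_WEB_JAR.search(name)
            if m:
                found.add((m.group(1), m.group(2)))
            elif depth < 3 and name.lower().endswith((".jar", ".war")):
                try:
                    found |= set(find_spring_web(io.BytesIO(zf.read(name)), depth + 1))
                except zipfile.BadZipFile:
                    pass  # corrupt or non-zip entry: skip it and keep scanning
    return sorted(found)

def triage(archive, java_version):
    """Flag an artifact that meets both conditions stated in the advisory."""
    modules = find_spring_web(archive)
    major = java_major(java_version)
    return {"java_major": major, "spring_web": modules,
            "review": bool(modules) and major >= 9}

def constructed_war():
    """Constructed sample: a WAR holding an empty spring-webmvc jar (version is made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/spring-webmvc-0.0.0-SAMPLE.jar", b"")
        zf.writestr("WEB-INF/lib/commons-io-0.0.0-SAMPLE.jar", b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for jv in ("1.8.0_312", "11.0.14", "17"):
        print(jv, triage(constructed_war(), jv))
```

In practice, pass `triage` the path of a deployed JAR or WAR and the `java.version` value of the runtime that serves it.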
