https://talktotheduck.dev/spring-remote-code-execution-vulnerability

# Spring Remote Code Execution Vulnerability

A new issue impacting Spring Core on Java 9 and newer could be the next Log4J. Here's what I know so far (mitigation and investigation).

Shai Almog *Mar 31, 2022*

I'd like to start by saying that I'm not a security expert. I also won't link to the exploit.

This is a very fresh take on a new vulnerability, but there's already confirmation from Sonatype. The current exploit seems to be limited to Spring on top of Tomcat, but it probably can be adapted since the underlying vulnerability seems general enough.

The vulnerability only impacts Java 9 or newer, so if you have an older version you should be safe from this specific exploit.

The core problem is a regression related to an old RCE which was fixed here. The Java 9 module system increased the surface area, so the original fix for that RCE is no longer sufficient.

## Workaround

This is actually pretty simple... Cyber Kendra included a solution and it was also mentioned by Praetorian. It seems like a prudent thing to add and I suggest you incorporate it as soon as possible!

## Detection

If you have Lightrun on your servers you can instantly detect if this is exploited by placing a snapshot in the BeanWrapperImpl class, as I explain in this Twitter video.
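One form of the data-binding restriction that the workaround section refers to, added here as an example (it is not code from this post, nor from the Cyber Kendra or Praetorian write-ups); it assumes a Spring MVC application and registers a global `@InitBinder` that refuses to bind request parameters to the implicit `class` property of any command object, which is the route through which the class loader became reachable. The package name and class name are placeholders.

```java
package example.security; // hypothetical package for this example

import java.util.Arrays;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.validation.DataBinder;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Applied to every @Controller before request parameters are bound to a
 * command/model object. Any property path that starts with, or passes
 * through, the "class"/"Class" property of java.lang.Object is refused,
 * so a request cannot walk from a bean to its Class and on to the loader.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // ordering relative to other @ControllerAdvice beans
public class BindingDenylistAdvice {

    // Patterns are matched against the full property path of each request key.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void restrictBinding(WebDataBinder binder) {
        binder.setDisallowedFields(DENYLIST);
    }

    /** Stand-alone demonstration on a plain DataBinder with a constructed input. */
    public static void main(String[] args) {
        DataBinder binder = new DataBinder(new Object(), "target");
        binder.setDisallowedFields(DENYLIST);
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("class.name", "anything"); // benign key under "class": refused
        binder.bind(pvs);
        // Refused keys are recorded on the BindingResult rather than silently dropped,
        // which gives you something to log or alert on: prints [class.name]
        System.out.println(Arrays.toString(binder.getBindingResult().getSuppressedFields()));
    }
}
```

A controller that declares its own `@InitBinder` and calls `setDisallowedFields` replaces the global list, so such controllers must repeat these patterns locally. Logging `getSuppressedFields()` from the binding result is a cheap, application-level signal that someone is probing these paths.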