Advanced warning: possible remote code execution (RCE) in Spring, an extremely popular Java framework

Summary

An unconfirmed, but possible, remote code execution vulnerability is believed to exist in Spring, an extremely popular Java framework. This issue is likely easily exploited in common configurations. If confirmed, another notice will be sent out with a severity of 'critical'. While unconfirmed, the severity has been assigned 'high'.

Details

Update as of March 30th, 3:00PM New York time

Praetorian has confirmed the existence of this RCE in a recently-published blog post.

A new Bug Alert notice has been added here.

Update as of March 30th, 1:30PM New York time

The Bug Alert team is aware of claims of a PoC for a Spring core RCE. However, we are awaiting confirmation before raising any further alarms, and we have not been able to utilize the PoC successfully against real-world Spring installs that we have (legal) access to. Some security professionals have claimed, on Twitter, that they are able to utilize the PoC successfully against Spring instances running behind Tomcat.

Adding to the confusion, multiple Spring devs have publicly stated there is no known vulnerability within Spring Core, and they have also stated that yesterday's serialization-related code change was not an attempt a resolving an open security issue.

We'll share any further info as it comes in, but at this time we are taking a cautious approach with raising any further alarms. This is already a deeply confusing situation, and Bug Alert wants to avoid making it worse.

Finally, we would like to remind readers that Bug Alert is intended to be one of the earliest sources of information, and we have to weigh the risks of being early, but being wrong. This may very well end up being a case where we are wrong, but in the moment it is hard to know what is accurate. We will continue to monitor the situation and report on new developments.

Original notice

This notice is intended to alert you that there may be a significant issue with Spring which, if confirmed, would require immediate attention.

In the morning (New York time) on Tuesday, March 29th, 2022, a member of the security research team KnownSec posted a now-removed screenshot to Twitter purporting to show a trivially-exploited remote code execution vulnerability against Spring core, the most popular Java framework in use on the Internet. The researcher did not provide a proof-of-concept or public details. Since then, the Bug Alert team has been very closely monitoring activity and discussion in the Spring ecosystem.

Update: the claims in the next paragraph have been refuted by the Spring team. I have left them visible for historical context. During our initial investigation, the Bug Alert volunteer team noted that a small change was introduced into the Spring codebase at roughly the same time which may be the patch for this particular remote code execution issue. The team believes RCE could be possible through this vector, and that this change is likely the change that is intended to resolve the issue in Spring. However, the Spring team has not yet commented and has locked/closed GitHub issues inquiring about the accuracy of the claims being made.

Just a few minutes ago, Cyber Kendra, a cybersecurity blog, put up a new post detailing (translated) claims that have been circulating on Chinese blogs and media for the past several hours. This post also details some of the (unconfirmed) ways this vulnerability could be detected or mitigated.

This notice is intended to prepare you for the possibility that a trivially-exploited remote code execution vulnerability may be present in one of the most widely-used pieces of open-source software. The impact of this vulnerability, if it does exist, would be significant; far in excess of the impact of Log4j or Heartbleed.

If you have feedback (did you agree/disagree that a notice should have been sent?) or questions, please comment on the discussion thread linked below. This notice cost the project approximately $50 USD to send. If you would like to support the project, you can learn more here.