<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Bug Alert - Software Frameworks, Libraries, and Components</title><link href="https://bugalert.org/" rel="alternate"></link><link href="https://bugalert.org/feeds/software-frameworks-libraries-and-components.atom.xml" rel="self"></link><id>https://bugalert.org/</id><updated>2022-03-30T15:00:00+00:00</updated><subtitle>A nonprofit service for alerting security and IT professionals of high-impact and 0day vulnerabilities.</subtitle><entry><title>Confirmed remote code execution (RCE) in Spring Core, an extremely popular Java framework (CVE-2022-22965)</title><link href="https://bugalert.org/content/notices/2022-03-30-spring.html" rel="alternate"></link><published>2022-03-30T15:00:00+00:00</published><updated>2022-03-30T15:00:00+00:00</updated><author><name>Bug Alert Contributors</name></author><id>tag:bugalert.org,2022-03-30:/content/notices/2022-03-30-spring.html</id><summary type="html">&lt;p&gt;Praetorian has confirmed that a remote code execution vulnerability exists in Spring, an extremely popular Java framework. How broadly this impacts the Spring ecosystem remains unclear. The flaw has been assigned a bug alert severity of 'critical'.&lt;/p&gt;</summary><content type="html">&lt;h4&gt;Updated Notice, 10:00AM New York Time&lt;/h4&gt;
&lt;p&gt;This flaw has been assigned CVE-2022-22965, and the Spring team is now issuing fixes. &lt;a href="https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement"&gt;Please follow their post here for further updates&lt;/a&gt;.&lt;/p&gt;
&lt;h4&gt;Original Notice&lt;/h4&gt;
&lt;p&gt;This is &lt;strong&gt;&lt;em&gt;not&lt;/em&gt;&lt;/strong&gt; related to CVE-2022-22963, Spring Cloud Function, or SpEL routing expressions. That is a separate, and possibly less widespread, issue &lt;a href="https://tanzu.vmware.com/security/cve-2022-22963"&gt;documented here&lt;/a&gt;. Sadly, both are being referred to broadly as 'Spring4Shell', significantly adding to the confusion. We suggest the community refrain from using the term.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.praetorian.com/blog/spring-core-jdk9-rce/"&gt;Praetorian has confirmed the existence of the remote code execution vulnerability that impacts Spring Core.&lt;/a&gt; Praetorian has also confirmed online rumors of the issue being caused by a partial fix to a very old issue, &lt;a href="http://blog.o0o.nu/2010/06/cve-2010-1622.html"&gt;CVE-2010-1622&lt;/a&gt;. Unfortunately, proof-of-concept code is now widely available and is likely to be weaponized. What we don't know, though, is how widespread this issue really is, or how easily exploited it will be in the real world. As of late in the evening on March 30th, New York time, there's not much evidence yet that it will be exploitable in common configurations.&lt;/p&gt;
&lt;p&gt;There is currently no patch. The existing proof-of-concept, as well as the proof-of-concept from 2010, both reference &lt;code&gt;class.module.classLoader&lt;/code&gt; when constructing the attack. Bug Alert therefore recommends testing and deploying a WAF rule that analyzes request bodies for requests containing the term &lt;code&gt;classLoader&lt;/code&gt;; because Spring binds request parameters from the query string as well as the body, the rule should inspect both. Please remember that regex-based WAF rules are often easily bypassed (URL-encoding alone defeats a naive literal match), so do not regard this as a long-term solution.&lt;/p&gt;
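&lt;p&gt;As an added illustration of the interim screen described above (example code written for this page, not Bug Alert's or the Spring project's own tooling): the check below looks for the &lt;code&gt;classLoader&lt;/code&gt; property-path segment in request &lt;em&gt;parameter names&lt;/em&gt;, scans both the query string and a form body, decodes a second time to catch double percent-encoding, and folds bracket notation to dotted form. The sample requests are constructed for the demonstration; the function names are this example's own.&lt;/p&gt;

```python
"""Added example (not Bug Alert's code): a first-cut screen for the request
parameter names used by the public CVE-2022-22965 proof of concept.

The PoC abuses Spring's data binding by sending a property path such as
  class.module.classLoader.resources.context.parent.pipeline.first.pattern
as a request *parameter name*. Spring binds parameters from both the query
string and a form body, so both are scanned here. Names are URL-decoded a
second time and bracket notation is folded to dots, because a rule that only
greps the raw body for 'classLoader' misses obvious encodings.
"""
import re
from urllib.parse import parse_qsl, unquote

# Match on the property-path segment the 2010 and 2022 PoCs both traverse.
CLASSLOADER_RE = re.compile(r"classloader", re.IGNORECASE)


def normalize_param_name(name):
    """Fold encodings Spring's binder would still accept into one form.

    parse_qsl() has already decoded the name once; decoding again catches
    double percent-encoding (e.g. %254C decodes to the letter L).
    Indexed/bracket notation (class[module][classLoader]) is rewritten to
    dotted form so a single pattern covers both spellings.
    """
    decoded = unquote(name)
    return re.sub(r"\[([^\]]*)\]", r".\1", decoded)


def suspicious_params(query, body):
    """Return the normalized parameter names that reference a classLoader.

    An empty list means nothing matched; anything else should be blocked,
    or at least logged for review.
    """
    hits = []
    for raw in (query, body):
        for name, _value in parse_qsl(raw, keep_blank_values=True):
            norm = normalize_param_name(name)
            if CLASSLOADER_RE.search(norm):
                hits.append(norm)
    return hits


def should_block(query, body):
    """Verdict for one request: True when any parameter name is suspicious."""
    return bool(suspicious_params(query, body))


if __name__ == "__main__":
    # Constructed sample requests as (query string, form body); not real traffic.
    samples = [
        ("name=alice", ""),
        ("class.module.classLoader.resources.context.parent.pipeline.first.pattern=x", ""),
        ("", "class%5Bmodule%5D%5BclassLoader%5D%5Bresources%5D=x"),
        ("", "class.module.class%254Coader.x=1"),
    ]
    for query, body in samples:
        verdict = "BLOCK" if should_block(query, body) else "allow"
        print(verdict, suspicious_params(query, body))
```

&lt;p&gt;This remains a stopgap: it only recognizes paths that pass through &lt;code&gt;classLoader&lt;/code&gt;, and any encoding it does not normalize will slip past it. The Spring post linked in the update above also describes a workaround inside the application itself (a &lt;code&gt;@ControllerAdvice&lt;/code&gt; whose &lt;code&gt;@InitBinder&lt;/code&gt; adds &lt;code&gt;class.*&lt;/code&gt;-style patterns to the binder's disallowed fields), which does not depend on pattern matching at the edge.&lt;/p&gt;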
&lt;p&gt;Continue to monitor the Praetorian blog and the Bug Alert discussion thread (linked below) for further information. Once available, official notice from the Spring project is likely to be placed on the &lt;a href="https://tanzu.vmware.com/security/"&gt;VMware Tanzu security advisories page&lt;/a&gt; (VMware owns the Spring project). It's likely they will also &lt;a href="https://spring.io/blog"&gt;furnish a blog post&lt;/a&gt; with further information at a later time.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/"&gt;Rapid7 has put together a fantastic writeup with technical details&lt;/a&gt;. Their blog post also details some of the configurations that are required for the exploit to be successful, and they have committed to using that venue to provide additional information as it becomes available.&lt;/p&gt;
&lt;p&gt;If you have feedback or questions, please comment on the discussion thread linked below. This notice cost the project approximately $150 USD to send. If you would like to support the project, &lt;a href="https://bugalert.org/content/pages/financial-support.html"&gt;you can learn more here&lt;/a&gt;&lt;/p&gt;</content><category term="Software Frameworks, Libraries, and Components"></category><category term="Java"></category><category term="Spring"></category><category term="Critical Severity"></category><category term="CVE-2010-1622"></category><category term="CVE-2022-22965"></category></entry><entry><title>Advanced warning: possible remote code execution (RCE) in Spring, an extremely popular Java framework</title><link href="https://bugalert.org/content/notices/2022-03-29-spring.html" rel="alternate"></link><published>2022-03-29T23:00:00+00:00</published><updated>2022-03-29T23:00:00+00:00</updated><author><name>Bug Alert Contributors</name></author><id>tag:bugalert.org,2022-03-29:/content/notices/2022-03-29-spring.html</id><summary type="html">&lt;p&gt;An unconfirmed, but possible, remote code execution vulnerability is believed to exist in Spring, an extremely popular Java framework. This issue is likely easily exploited in common configurations. If confirmed, another notice will be sent out with a severity of 'critical'. While unconfirmed, the severity has been assigned 'high'.&lt;/p&gt;</summary><content type="html">&lt;h2&gt;Update as of March 30th, 3:00PM New York time&lt;/h2&gt;
&lt;p&gt;&lt;a href="https://www.praetorian.com/blog/spring-core-jdk9-rce/"&gt;Praetorian has confirmed the existence of this RCE in a recently-published blog post.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="/content/notices/2022-03-30-spring.html"&gt;A new Bug Alert notice has been added here.&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;Update as of March 30th, 1:30PM New York time&lt;/h2&gt;
&lt;p&gt;The Bug Alert team is aware of claims of a PoC for a Spring core RCE. However, we are awaiting confirmation before raising any further alarms, and we have not been able to utilize the PoC successfully against real-world Spring installs that we have (legal) access to. Some security professionals have claimed, on Twitter, that they are able to utilize the PoC successfully against Spring instances running behind Tomcat.&lt;/p&gt;
&lt;p&gt;Adding to the confusion, multiple Spring devs have publicly stated there is no known vulnerability within Spring Core, and they have also stated that yesterday's serialization-related code change &lt;em&gt;was not&lt;/em&gt; an attempt at resolving an open security issue.&lt;/p&gt;
&lt;p&gt;We'll share any further info as it comes in, but at this time we are taking a cautious approach with raising any further alarms. This is already a deeply confusing situation, and Bug Alert wants to avoid making it worse.&lt;/p&gt;
&lt;p&gt;Finally, we would like to remind readers that Bug Alert is intended to be one of the earliest sources of information, and we have to weigh the risk of being early but wrong. This may very well end up being a case where we are wrong, but in the moment it is hard to know what is accurate. We will continue to monitor the situation and report on new developments.&lt;/p&gt;
&lt;h2&gt;Original notice&lt;/h2&gt;
&lt;p&gt;This notice is intended to alert you that there &lt;em&gt;may&lt;/em&gt; be a significant issue with Spring which, if confirmed, would require immediate attention.&lt;/p&gt;
&lt;p&gt;In the morning (New York time) on Tuesday, March 29th, 2022, a member of the security research team KnownSec posted a now-removed screenshot to Twitter purporting to show a trivially-exploited remote code execution vulnerability against Spring core, the most popular Java framework in use on the Internet. The researcher did not provide a proof-of-concept or public details. Since then, the Bug Alert team has been very closely monitoring activity and discussion in the Spring ecosystem.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Update: the claims in the next paragraph have been refuted by the Spring team. I have left them visible for historical context.&lt;/em&gt;&lt;/strong&gt;
&lt;del&gt;During our initial investigation, the Bug Alert volunteer team noted that a &lt;a href="https://github.com/spring-projects/spring-framework/commit/7f7fb58dd0dae86d22268a4b59ac7c72a6c22529#diff-6c2618839eda075efe4491842d3673eab8fe1e342f6d9ddc2bbda8556e595864L153"&gt;small change was introduced into the Spring codebase at roughly the same time&lt;/a&gt; which may be the patch for this particular remote code execution issue. The team believes RCE could be possible through this vector, and that this change is likely the change that is intended to resolve the issue in Spring. However, the Spring team has not yet commented and has locked/closed GitHub issues inquiring about the accuracy of the claims being made.&lt;/del&gt;&lt;/p&gt;
&lt;p&gt;Just a few minutes ago, Cyber Kendra, a cybersecurity blog, &lt;a href="https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html"&gt;put up a new post&lt;/a&gt; detailing (translated) claims that have been circulating on Chinese blogs and media for the past several hours. This post also details some of the (unconfirmed) ways this vulnerability could be detected or mitigated.&lt;/p&gt;
&lt;p&gt;This notice is intended to prepare you for the possibility that a trivially-exploited remote code execution vulnerability may be present in one of the most widely-used pieces of open-source software. The impact of this vulnerability, if it does exist, would be significant; far in excess of the impact of Log4j or Heartbleed.&lt;/p&gt;
&lt;p&gt;If you have feedback (did you agree/disagree that a notice should have been sent?) or questions, please comment on the discussion thread linked below. This notice cost the project approximately $50 USD to send. If you would like to support the project, &lt;a href="https://bugalert.org/content/pages/financial-support.html"&gt;you can learn more here&lt;/a&gt;.&lt;/p&gt;</content><category term="Software Frameworks, Libraries, and Components"></category><category term="Java"></category><category term="Spring"></category><category term="High Severity"></category></entry><entry><title>RCE in Log4j</title><link href="https://bugalert.org/content/notices/2021-12-09-log4j.html" rel="alternate"></link><published>2021-12-09T23:00:00+00:00</published><updated>2021-12-09T23:00:00+00:00</updated><author><name>Bug Alert Contributors</name></author><id>tag:bugalert.org,2021-12-09:/content/notices/2021-12-09-log4j.html</id><summary type="html">&lt;p&gt;A remote code execution vulnerability has been found in the popular Java logging library Log4j. This issue is easily exploited in common configurations, and has been assigned a bug alert severity of 'critical'.&lt;/p&gt;</summary><content type="html">&lt;p&gt;On Thursday, December 9th, 2021, a security researcher posted a screenshot and proof-of-concept code for executing an RCE against the latest available build of the popular Java logging library, Log4j. For up-to-date information, please visit &lt;a href="https://www.lunasec.io/docs/blog/log4j-zero-day/"&gt;https://www.lunasec.io/docs/blog/log4j-zero-day/&lt;/a&gt;.&lt;/p&gt;</content><category term="Software Frameworks, Libraries, and Components"></category><category term="Java"></category><category term="Log4j"></category><category term="Critical Severity"></category></entry></feed>