Background /What has happened?
In March 2022, reports emerged relating to multiple vulnerabilities in relation to the Spring Framework and its operating environments. A malicious cyber actor may be able to exploit these vulnerabilities to execute arbitrary code, including malware or ransomware. VMWare has released a security advisory which addresses CVE-2022-22963 in Spring Cloud Function. The vulnerability identified as Spring4Shell is a separate vulnerability believed to be in Spring Core which does not yet have a CVE identifier or associated security advisory. The Spring4Shell vulnerability has been likened to the Apache Log4J vulnerabilities discovered in late 2021. Similarly to Apache Log4j, the Spring Framework is a ubiquitous building block used in potentially hundreds of thousands of applications across the internet, and the vulnerability allows malicious cyber actors to execute arbitrary code on target machines.
Australian organisations should be aware of these risks and apply necessary patches. If you are a developer of any affected software, the ACSC advises early communication with your customers to enable them to apply mitigations and install updates where they are available.
Mitigation / How do I stay secure?
To address CVE-2022-22963 Australian organisations should consult and action the recommendations contained within the vendor's security advisory. There is no current patch or vendor identified mitigations for the vulnerability identified as Spring4Shell and the situation is developing. Australian organisations should review systems for the presence of Spring Core, prioritising external facing systems. If Spring Core is present consider reviewing web application logs for indications of unusual requests which could indicate exploitation attempts. Australian organisations should also consider reviewing for the recent creation of .jsp files.
The ACSC recommends that users of the Spring Framework should monitor for the release of updated software versions and security advisories. ACSC will continue to monitor this issue and update as necessary.
Assistance / Where can I go for help?
The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via cyber.gov.au/report, or 1300 CYBER1.