
Comment from Tenable: Spring4Shell unrelated to Log4Shell


Satnam Narang, Staff Research Engineer at Tenable, has set out the differences between the two vulnerabilities currently being confused: CVE-2022-22963 in Spring Cloud Function and the separate Spring Framework flaw dubbed Spring4Shell. He also stresses that Spring4Shell is unrelated to Log4Shell despite the similar name.

“On March 29, VMware published an advisory for a vulnerability in Spring Cloud Function (CVE-2022-22963), a framework for implementing business logic via functions. The vulnerability currently has a CVSSv3 rating of 5.4. But because the vulnerability is considered a remote code execution flaw that can be exploited by an unauthenticated attacker, it appears that the CVSSv3 score might not reflect the actual impact of this flaw.

“There are reports that conflate CVE-2022-22963 with a separate, alleged remote code execution flaw in Spring Core, dubbed Spring4Shell or SpringShell. No CVE has been assigned to Spring4Shell, which adds to the confusion. While both vulnerabilities are critical remote code execution flaws, they are two distinct flaws affecting different solutions:

CVE-2022-22963 exists in Spring Cloud Function, a serverless framework that is part of Spring Cloud, whereas
Spring4Shell exists in the Spring Framework, a programming and configuration model for Java-based enterprise applications.

“Despite a naming convention that bears a similarity to Log4Shell, Spring4Shell is unrelated and does not appear to be as big as Log4Shell. Spring4Shell has some non-default configuration requirements, though it is unclear which applications implement these. Just as with Log4Shell, it will be some time before we know the full scope and impact of Spring4Shell, but we can say it won’t be as significant as Log4Shell.

“For CVE-2022-22963, patches exist and are available for specific versions of Spring Cloud Function. At this time, no patch exists for Spring4Shell, which makes it a zero-day, though we anticipate more details will come to light in short order.” Satnam Narang, staff research engineer, Tenable
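The distinction Narang draws matters for triage: an application that ships the Spring Framework but not Spring Cloud Function is in scope for Spring4Shell only, and one that ships Spring Cloud Function is in scope for CVE-2022-22963. The Python script below is an added example, not code from Tenable or the Spring project. It inventories jar files (including those nested under BOOT-INF/lib inside a Spring Boot fat jar) and sorts them into the two components by their Maven artifact id. The artifact names used are the standard Spring coordinates (spring-cloud-function-*, spring-core, spring-beans, spring-webmvc and so on); the script deliberately does not judge fixed versus vulnerable versions, because the comment above does not list them, and the sample jar names are constructed for illustration.

```python
import re
import zipfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Maven artifactId prefixes for Spring Cloud Function (CVE-2022-22963).
SPRING_CLOUD_FUNCTION_PREFIXES = ("spring-cloud-function-", "spring-cloud-starter-function-")

# Exact Maven artifactIds of the Spring Framework (Spring4Shell / SpringShell).
SPRING_FRAMEWORK_ARTIFACTS = {
    "spring-core", "spring-beans", "spring-context", "spring-aop",
    "spring-expression", "spring-web", "spring-webmvc", "spring-webflux",
}

KEY_SCF = "CVE-2022-22963 (Spring Cloud Function)"
KEY_SPRING4SHELL = "Spring4Shell (Spring Framework)"

# "<artifactId>-<version>.jar"; the artifact part is matched lazily so the
# first "-<digit>" boundary starts the version (e.g. spring-core-5.3.17.jar).
JAR_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d[\w.-]*)\.jar$")


def parse_jar_name(name: str) -> Optional[Tuple[str, str]]:
    """Split a jar file name into (artifactId, version), or None if it does not fit."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def triage(jar_names: Iterable[str]) -> Dict[str, List[str]]:
    """Map jar names to the two distinct components named in the comment."""
    found: Dict[str, List[str]] = {KEY_SCF: [], KEY_SPRING4SHELL: []}
    for name in jar_names:
        parsed = parse_jar_name(Path(name).name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact.startswith(SPRING_CLOUD_FUNCTION_PREFIXES):
            found[KEY_SCF].append(f"{artifact}:{version}")
        elif artifact in SPRING_FRAMEWORK_ARTIFACTS:
            found[KEY_SPRING4SHELL].append(f"{artifact}:{version}")
    return found


def nested_jar_names(jar_path: Path) -> List[str]:
    """List jars bundled inside a Spring Boot fat jar (BOOT-INF/lib/*.jar) or a WAR (WEB-INF/lib)."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return [entry for entry in zf.namelist()
                    if entry.endswith(".jar") and ("BOOT-INF/lib/" in entry or "WEB-INF/lib/" in entry)]
    except zipfile.BadZipFile:
        return []


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a deployment directory, looking at loose jars and jars nested inside fat jars/WARs."""
    names: List[str] = []
    for path in Path(root).rglob("*"):
        if path.suffix in (".jar", ".war") and path.is_file():
            names.append(path.name)
            names.extend(nested_jar_names(path))
    return triage(names)


# Constructed sample inventory (not taken from any real deployment).
SAMPLE_JARS = [
    "lib/spring-core-5.3.17.jar",
    "lib/spring-beans-5.3.17.jar",
    "lib/spring-webmvc-5.3.17.jar",
    "lib/spring-cloud-function-context-3.2.2.jar",
    "lib/spring-cloud-starter-function-web-3.2.2.jar",
    "lib/log4j-core-2.17.1.jar",
    "lib/commons-lang3-3.12.0.jar",
    "lib/README.txt",
]

if __name__ == "__main__":
    for component, artifacts in triage(SAMPLE_JARS).items():
        status = ", ".join(artifacts) if artifacts else "not present"
        print(f"{component}: {status}")
```

Run against a real deployment with `scan_directory("/opt/myapp")`. A hit under one heading tells you which advisory to read; it does not tell you whether the version is fixed or whether the non-default configuration Spring4Shell needs is present, so treat the output as a scoping step before version and configuration review.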
