
Multiple vulnerabilities present in the Spring Framework for Java

The ACSC is aware of media reporting relating to multiple potential vulnerabilities, including the so-called Spring4Shell (also reported as SpringShell) vulnerability, in the Java Spring Framework and its execution environments. These vulnerabilities pose a threat to organisations running web-facing applications that contain components built on the Spring Framework.

Alert status
HIGH

Background / What has happened?

In March 2022, reports emerged of multiple vulnerabilities in the Spring Framework and its operating environments. A malicious cyber actor may be able to exploit these vulnerabilities to execute arbitrary code, including malware or ransomware. VMware has released security advisories addressing two distinct issues: CVE-2022-22963, a remote code execution vulnerability in Spring Cloud Function, and CVE-2022-22965, a remote code execution vulnerability in the Spring Framework affecting Spring MVC and Spring WebFlux applications running on JDK 9 or later. CVE-2022-22965 is the issue commonly referred to as Spring4Shell, and it has been likened to the Apache Log4j vulnerabilities discovered in late 2021. As with Apache Log4j, the Spring Framework is a ubiquitous building block used in potentially hundreds of thousands of applications across the internet, and the vulnerability allows malicious cyber actors to execute arbitrary code on target machines.

Australian organisations should be aware of these risks and apply necessary patches. If you are a developer of any affected software, the ACSC advises early communication with your customers to enable them to apply mitigations and install updates where they are available.

Mitigation / How do I stay secure?

To address these vulnerabilities, Australian organisations should consult and action the recommendations contained within the vendor's security advisories for CVE-2022-22963 and CVE-2022-22965. Fixed releases are available (Spring Framework 5.3.18 and 5.2.20, Spring Boot 2.5.12 and 2.6.6, and Spring Cloud Function 3.1.7 and 3.2.3). Australian organisations should review systems for the presence of Spring Core and patch where available, prioritising external facing systems. Note that applications can pull in Spring transitively, so check the dependencies and bundled libraries of deployed applications rather than relying on what is installed at the operating system level. If Spring Core is present, consider reviewing web application logs for unusual requests which could indicate exploitation attempts. Publicly reported exploitation of CVE-2022-22965 against Tomcat deployments wrote a JSP web shell into the application directory, so Australian organisations should also consider reviewing for the recent creation of .jsp files; the absence of such files does not by itself rule out exploitation.
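The two review steps above (unusual requests in web logs, and recently created .jsp files) can be scripted for a first-pass triage. The following is an added example written for this page, not code from the ACSC or the Spring project. It matches on the request shapes that public reporting associates with the two CVEs (the nested `class.module.classLoader` data-binding parameter names for CVE-2022-22965, and the `spring.cloud.function.routing-expression` header carrying a SpEL expression for CVE-2022-22963). The log lines, the webroot it builds, and the `/opt/tomcat/webapps` path are constructed assumptions; adjust the log format and paths to your own deployment, and treat matches as leads to investigate rather than confirmed compromise.

```python
"""Triage helpers for the checks the advisory recommends: scan web access logs
for requests shaped like the publicly reported CVE-2022-22965 / CVE-2022-22963
exploitation attempts, and list recently modified .jsp files under a webroot.
Added example; all sample data below is constructed, not real traffic."""
import os
import re
import tempfile
import time
from urllib.parse import unquote

# Indicator 1 (CVE-2022-22965, Spring4Shell): data-binding parameter names that
# walk from a bound object to the class loader, as seen in public exploitation.
SPRING4SHELL_RE = re.compile(r"class\.module\.classLoader", re.IGNORECASE)
# Indicator 2 (CVE-2022-22963): the Spring Cloud Function routing header, which
# carried the injected SpEL expression in public exploitation.
ROUTING_HEADER_RE = re.compile(
    r"spring\.cloud\.function\.routing-expression\s*:\s*(.+?)(?:\"|$)", re.IGNORECASE)
SPEL_TYPE_RE = re.compile(r"\bT\(")  # SpEL type reference such as T(java.lang.Runtime)

# Common/combined log prefix: client, identd, user, [timestamp], "request line".
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

# Constructed sample log. Line 2 assumes the access-log format also records the
# routing-expression header (e.g. Tomcat's %{header}i pattern); line 4 is benign
# even though it mentions "classloader"; line 5 is a %-encoded variant of line 1.
SAMPLE_LOG = """\
203.0.113.10 - - [31/Mar/2022:10:15:02 +1100] "POST /app/login?class.module.classLoader.resources.context.parent.pipeline.first.pattern=REDACTED HTTP/1.1" 200 512 "-" "curl/7.79.1"
203.0.113.11 - - [31/Mar/2022:10:16:40 +1100] "POST /functionRouter HTTP/1.1" 500 0 "-" "curl/7.79.1" "spring.cloud.function.routing-expression: T(java.lang.Runtime)"
198.51.100.7 - - [31/Mar/2022:10:17:01 +1100] "GET /app/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [31/Mar/2022:10:17:30 +1100] "GET /docs/classloader.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.12 - - [31/Mar/2022:10:18:12 +1100] "POST /app/login?class%2Emodule%2EclassLoader%2Eresources%2Econtext=REDACTED HTTP/1.1" 200 512 "-" "python-requests/2.27"
"""


def scan_access_log(lines):
    """Return one finding dict per log line that matches a known indicator."""
    findings = []
    for raw in lines:
        m = LOG_RE.match(raw)
        if not m:
            continue  # not a parseable access-log line
        decoded = unquote(raw)  # undo %-encoding so obfuscated dots still match
        if SPRING4SHELL_RE.search(decoded):
            findings.append({"source": m["src"], "time": m["ts"], "cve": "CVE-2022-22965",
                             "severity": "high", "evidence": unquote(m["req"])})
            continue
        h = ROUTING_HEADER_RE.search(decoded)
        if h:
            expr = h.group(1)
            # The header alone is worth a look; a SpEL type reference in it is a strong signal.
            findings.append({"source": m["src"], "time": m["ts"], "cve": "CVE-2022-22963",
                             "severity": "high" if SPEL_TYPE_RE.search(expr) else "review",
                             "evidence": expr})
    return findings


def recent_jsp_files(root, max_age_seconds):
    """List .jsp files under root (paths relative to root) modified within max_age_seconds."""
    cutoff = time.time() - max_age_seconds
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".jsp"):
                path = os.path.join(dirpath, name)
                if os.path.getmtime(path) >= cutoff:
                    found.append(os.path.relpath(path, root))
    return sorted(found)


def build_sample_webroot():
    """Create a constructed webroot: one fresh .jsp (what a dropped web shell looks
    like on disk), one month-old legitimate .jsp, and a fresh non-JSP file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    now = time.time()
    for name, age in (("shell.jsp", 0), ("legacy.jsp", 30 * 86400), ("index.html", 0)):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("<%-- constructed sample --%>\n")
        os.utime(path, (now - age, now - age))
    return root


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG.splitlines()):
        print(finding)
    webroot = "/opt/tomcat/webapps"  # assumption; point this at your own deployment
    for rel in recent_jsp_files(webroot, 7 * 86400):
        print("recently modified JSP:", rel)
```

Run it against a real log with `scan_access_log(open("access.log"))` and against the real application directory with `recent_jsp_files(...)`. The `class.module.classLoader` string is specific enough that benign traffic rarely contains it, but the routing-expression header can appear in legitimate Spring Cloud Function traffic, which is why plain header presence is reported as "review" rather than "high".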

The ACSC recommends that users of the Spring Framework monitor for the release of updated software versions and security advisories. The ACSC will continue to monitor this issue and update this alert as necessary.

Assistance / Where can I go for help?

The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via cyber.gov.au/report, or 1300 CYBER1.
