
Critical RCE Vulnerability Reminiscent of Log4j Issues


Modern observability is needed to help organizations find if and where they are using software with recently discovered vulnerabilities.

Apr 11, 2022

Here we go again. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the remote code execution (RCE) vulnerability affecting the Spring Framework (CVE-2022-22965, widely called Spring4Shell) to its Known Exploited Vulnerabilities Catalog. The designation was based on evidence of active exploitation. And the impact the vulnerability will have on organizations is similar to what we recently experienced with the vulnerability found in Apache's Log4j software library in December 2021.


See also: Log4j Vulnerability Highlights the Need for Observability

In both cases, the vulnerabilities are in software that is very commonly used and is incorporated into a broad range of applications and services. The Spring Framework “provides a comprehensive programming and configuration model for modern Java-based enterprise applications – on any kind of deployment platform,” according to Spring. “A key element of Spring is infrastructural support at the application level: Spring focuses on the plumbing of enterprise applications so that teams can focus on application-level business logic, without unnecessary ties to specific deployment environments.”

In the case of the Spring Framework vulnerability, a newly disclosed remote code execution flaw could potentially be exploited by an unauthenticated attacker who can reach a vulnerable application over the network, allowing the attacker to run code on, and take control of, the underlying system.

Similar to Log4j, Spring is widely used, and many organizations may not know exactly if or where it is in use. As noted in reporting on Log4j:

The problem is that the software has been widely used for years. And it is embedded in many applications. Modern application development techniques based on microservices, APIs, and composable elements mean it is easy to incorporate such software into numerous applications without even knowing it, simply by re-using components that perform Log4j's core functions. Low-code/no-code methods allow for even easier use and re-use of components, thus amplifying the problems.

The security implications of such re-use of software, and particularly open source software, were highlighted in a report last year by the Laboratory for Innovation Science at Harvard and The Linux Foundation. The report noted the need for an “understanding and addressing of the security complexities in the modern-day software supply chain where open source is pervasive, but not always understood.” It noted that it is difficult to fully understand the security of open-source software because “by design, it is distributed in nature, so there is no central authority to ensure quality and maintenance,” and it can be freely copied and modified.


Modern observability methods needed for detection and protection

The vulnerability impacts Spring MVC [model-view-controller] and Spring WebFlux applications running on [Java Development Kit] 9+, according to Spring. The specific exploit that has been reported requires the application to be deployed on Apache Tomcat as a traditional WAR file, with a dependency on spring-webmvc or spring-webflux. Spring's advisory notes that the underlying weakness is more general, so other exploitation paths may exist, and the fix is to upgrade to Spring Framework 5.3.18 or 5.2.20 (Spring Boot 2.6.6 or 2.5.12) rather than to rely on the exploit's preconditions not being met.
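The preconditions above are the ones Spring listed for the reported exploit, and they are the natural input to a triage pass over an application inventory. The following is an added example written for this article, not Spring's code or a tool the article describes; the inventory records are constructed, and the `App` fields (`container`, `packaging`, `jdk_major`) are assumed names for whatever your CMDB or scanner actually exports. The point it makes beyond the paragraph: an application on a vulnerable Spring version that does not meet the exploit's preconditions (JDK 8, an executable jar with embedded Tomcat) still belongs in the patch queue, just not at the top of it.

```python
# Added example (not from the article or from Spring): triage an application
# inventory against the exploit preconditions in Spring's advisory.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# First fixed patch level per supported branch (Spring Framework 5.3.18 / 5.2.20).
# Branches older than 5.2 are out of support and were never patched.
FIXED = {(5, 3): 18, (5, 2): 20}


def parse_version(version: str) -> Tuple[int, int, int]:
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Spring version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected_spring(version: str) -> bool:
    """True if this Spring Framework version predates the fix on its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return patch < FIXED[branch]
    # 5.1 and earlier: affected and unpatched; 6.x and later: released fixed.
    return branch < (5, 2)


@dataclass
class App:
    name: str
    spring_version: str
    jdk_major: int
    container: str   # assumed values: "tomcat", "embedded-tomcat", "jetty", ...
    packaging: str   # assumed values: "war" or "jar"


def exploit_conditions_met(app: App) -> bool:
    """All preconditions from Spring's advisory for the reported exploit."""
    return (
        is_affected_spring(app.spring_version)
        and app.jdk_major >= 9
        and app.container == "tomcat"
        and app.packaging == "war"
    )


def triage(apps: List[App]) -> Dict[str, List[str]]:
    """Bucket apps: exploitable by the reported exploit, vulnerable but not
    matching its preconditions (still patch), or on a fixed version."""
    buckets: Dict[str, List[str]] = {"exploitable_now": [], "patch_anyway": [], "not_affected": []}
    for app in apps:
        if not is_affected_spring(app.spring_version):
            buckets["not_affected"].append(app.name)
        elif exploit_conditions_met(app):
            buckets["exploitable_now"].append(app.name)
        else:
            buckets["patch_anyway"].append(app.name)
    return buckets


# Constructed inventory for illustration; names and versions are made up.
SAMPLE_INVENTORY = [
    App("orders-web", "5.3.17", 17, "tomcat", "war"),            # every precondition holds
    App("billing-api", "5.3.17", 11, "embedded-tomcat", "jar"),  # vulnerable version, not a WAR
    App("legacy-portal", "4.3.30", 8, "tomcat", "war"),          # unsupported branch, but JDK 8
    App("reports", "5.3.18", 17, "tomcat", "war"),               # already on the fixed release
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The version check is deliberately strict about branches it does not know: anything below 5.2 is treated as affected, and anything above 5.3 as fixed, so a surprising version string surfaces in the output rather than silently passing.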

The challenge for end-user companies is that they may not know whether their applications use vulnerable versions of Spring, or where that software is deployed. Finding such software, and gauging the impact of its vulnerability, is far easier with visibility into web, application, and network traffic. Proactive monitoring is key to quickly identifying what is happening, stopping its impact, and isolating affected systems. Such capabilities are core functionality in many observability platforms.
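Two of the checks such a platform would run are easy to express directly: an inventory pass over deployed WAR files to read out the bundled Spring versions, and a rule over web access logs that flags request parameters whose names match the field patterns Spring's advisory suggested disallowing (`class.*`, `Class.*`, `*.class.*`, `*.Class.*`). The following is an added example written for this article, not code from the article, from Spring, or from any observability product. The WAR files and log lines are constructed test data; the `webapps` directory layout follows Tomcat's convention, and the flagged parameter name is built to resemble the property path reported in the public exploit, which is an assumption here rather than something the article states.

```python
# Added example (not from the article or from Spring): inventory Spring jars
# inside deployed WARs and flag suspicious parameter names in access logs.
import fnmatch
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Matches WEB-INF/lib/spring-<module>-<version>[qualifier].jar inside a WAR.
SPRING_JAR = re.compile(r"^WEB-INF/lib/(spring-[a-z]+)-(\d+\.\d+\.\d+)[^/]*\.jar$")


def spring_jars_in_war(war_path: Path) -> Dict[str, str]:
    """Return {artifact: version} for Spring jars bundled in one WAR."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(war_path) as war:
        for entry in war.namelist():
            m = SPRING_JAR.match(entry)
            if m:
                found[m.group(1)] = m.group(2)
    return found


def scan_webapps(root: Path) -> Dict[str, Dict[str, str]]:
    """Walk a deployment root (Tomcat's webapps, for example) and report per WAR."""
    return {p.name: spring_jars_in_war(p) for p in sorted(root.rglob("*.war"))}


# Field patterns from Spring's suggested disallowedFields workaround, applied
# here with shell-style globbing as an approximation of Spring's matching.
DISALLOWED = ("class.*", "Class.*", "*.class.*", "*.Class.*")


def suspicious_params(query: str) -> List[str]:
    """Parameter names in a query string that match a disallowed pattern."""
    return [
        name for name, _ in parse_qsl(query, keep_blank_values=True)
        if any(fnmatch.fnmatchcase(name, pat) for pat in DISALLOWED)
    ]


# Common Log Format prefix: client, identd, user, [timestamp] "METHOD target PROTO" status
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (client_ip, path, flagged_param_names) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        flagged = suspicious_params(urlsplit(m["target"]).query)
        if flagged:
            hits.append((m["ip"], urlsplit(m["target"]).path, flagged))
    return hits


# Constructed access-log lines; the first carries a parameter name built to
# resemble the property path from the public exploit (an assumption, not the article's data).
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2022:10:14:02 +0000] "GET /orders?class.module.classLoader.resources.context.parent.pipeline.first.pattern=probe HTTP/1.1" 200 512',
    '198.51.100.4 - - [31/Mar/2022:10:14:05 +0000] "GET /orders?customerId=42&page=2 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [31/Mar/2022:10:14:09 +0000] "POST /orders HTTP/1.1" 200 77',
]


def build_sample_webapps(root: Path) -> Path:
    """Create a constructed webapps directory with two WARs (placeholder jars)."""
    root.mkdir(parents=True, exist_ok=True)
    samples = {
        "orders.war": ["WEB-INF/lib/spring-beans-5.3.17.jar", "WEB-INF/lib/spring-webmvc-5.3.17.jar",
                       "WEB-INF/lib/jackson-databind-2.13.2.jar"],
        "reports.war": ["WEB-INF/lib/spring-beans-5.3.18.jar", "WEB-INF/lib/spring-webmvc-5.3.18.jar"],
    }
    for war_name, entries in samples.items():
        with zipfile.ZipFile(root / war_name, "w") as war:
            for entry in entries:
                war.writestr(entry, b"")  # empty placeholder instead of a real jar
    return root


def run_demo() -> Dict[str, object]:
    """Build the constructed webapps dir, scan it, and scan the sample log."""
    with tempfile.TemporaryDirectory() as tmp:
        inventory = scan_webapps(build_sample_webapps(Path(tmp) / "webapps"))
    return {"inventory": inventory, "log_hits": scan_access_log(SAMPLE_LOG)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two caveats a practitioner should keep in mind. The jar scan keys on file names, so it misses shaded or renamed jars; for those, read `META-INF/MANIFEST.MF` or the Maven `pom.properties` inside the jar instead. And access logs only carry the query string, so a parameter sent in a POST body never appears there; the same name check belongs in a WAF or a request filter in front of the application, which is also where Spring's `disallowedFields` workaround sits.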

Salvatore Salamone

Salvatore Salamone is a physicist by training who writes about science and information technology. During his career, he has been a senior or executive editor at many industry-leading publications including High Technology, Network World, Byte Magazine, Data Communications, LAN Times, InternetWeek, Bio-IT World, and Lightwave, The Journal of Fiber Optics. He also is the author of three business technology books.
