Service announcement: zero-day vulnerability found in VMware’s Spring Framework, dubbed ‘Spring4Shell’.

Caused by “unsafe deserialization of passed arguments”, the threat comes from the manipulation of the WebAppClassLoader and could enable remote code execution (RCE) attacks.

Below are the conditions Spring has currently identified as requirements for exploitation. However, as the threat landscape evolves, these may change.

  • JDK 9 or higher
  • Apache Tomcat as the Servlet Container (if Spring is deployed using the embedded Tomcat Servlet Container, the classloader is different, which limits its access)
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
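As an added example (not code from the original announcement or from Spring), the following Python script checks a deployed WAR against the packaging-related conditions above: it lists the spring-webmvc, spring-webflux and spring-core jars under WEB-INF/lib and flags any whose version falls in the listed ranges (5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older). The JDK and servlet-container conditions are runtime facts that cannot be read from the WAR, so they are supplied by the caller; the function names, the `assess()` inputs and the sample WAR (built in memory from empty jar entries, with no real bytecode) are all constructed for this example.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Highest affected patch level per minor line, as listed in the announcement.
# Anything older than 5.2.0 is also listed as affected.
LAST_AFFECTED = {(5, 3): 17, (5, 2): 19}

# Matches e.g. WEB-INF/lib/spring-webmvc-5.3.17.jar or spring-webflux-5.2.19.RELEASE.jar
JAR_RE = re.compile(
    r"WEB-INF/lib/(spring-(?:webmvc|webflux|core))-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$"
)


def in_affected_range(version: Version) -> bool:
    """True if the version is inside one of the ranges the announcement lists."""
    major, minor, patch = version
    if (major, minor) in LAST_AFFECTED:
        return patch <= LAST_AFFECTED[(major, minor)]
    return version < (5, 2, 0)


def scan_war(war_bytes: bytes) -> Dict[str, object]:
    """Inventory the Spring jars bundled in a WAR and flag affected versions."""
    found: Dict[str, Version] = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for name in zf.namelist():
            m = JAR_RE.match(name)
            if m:
                artifact = m.group(1)
                found[artifact] = tuple(int(x) for x in m.groups()[1:])  # type: ignore
    has_web = any(a in found for a in ("spring-webmvc", "spring-webflux"))
    affected = {a: v for a, v in found.items() if in_affected_range(v)}
    return {
        "spring_jars": found,
        "has_web_module": has_web,
        "affected_jars": affected,
        # Packaging-side conditions only: web module present and an affected version bundled.
        "meets_listed_conditions": has_web and bool(affected),
    }


def assess(war_bytes: bytes, jdk_major: int, servlet_container: str,
           embedded_tomcat: bool = False) -> Dict[str, object]:
    """Combine the WAR inventory with the runtime conditions supplied by the operator."""
    result = scan_war(war_bytes)
    runtime_ok = (
        jdk_major >= 9
        and servlet_container.lower() == "tomcat"
        and not embedded_tomcat  # embedded Tomcat has a different, more limited classloader
    )
    result["runtime_conditions_met"] = runtime_ok
    result["all_listed_conditions_met"] = bool(result["meets_listed_conditions"]) and runtime_ok
    return result


def build_sample_war(jar_names: List[str]) -> bytes:
    """Constructed sample: a WAR layout containing only the given jar file names (empty entries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            zf.writestr(f"WEB-INF/lib/{jar}", b"")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_war(["spring-webmvc-5.3.17.jar", "spring-core-5.3.17.jar"])
    report = assess(sample, jdk_major=11, servlet_container="Tomcat")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the script against a real WAR (read its bytes instead of the constructed sample) gives a quick inventory to prioritise patching; a negative result only says the packaging-related conditions listed above are not met, and does not replace applying Spring's patch.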

Remediation for Spring4Shell

Spring has released an official patch to its vulnerable framework and boot modules. If patching cannot be implemented immediately, soft remediation advice is also available.

We strongly recommend that all affected customers install the relevant patch as soon as possible due to the severity of the incident.

If you are one of our Sentinel Essentials customers, you will have custom threat detection rules implemented within your environment for active detection. In addition, our SOC analysts are proactively threat hunting for any Spring4Shell Indicators of Compromise (IOCs) on an ongoing basis.

This is an ongoing event and we are continuing to track the developments. If you have any questions or need assistance, please contact our IT service desk on 01904 562207 or email [email protected].