Spring developers noted that they became aware of the Spring4Shell vulnerability on the evening of Tuesday, March 29, after being informed by researchers working at an affiliate of Chinese e-commerce giant Alibaba.
The developers started working on a fix the next day and were planning on releasing an emergency patch on Thursday.
However, a researcher leaked information about the zero-day before they could release the patch – possibly by accident, as the information was later removed.
“The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+,” Spring developers explained in their blog post.
“The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.”
Patches for the vulnerability are included in Spring Framework versions 5.3.18+ and 5.2.20+.
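As an added triage helper (not code from the Spring project or the original article), the following script turns the conditions stated above into a version and deployment check that a defender can run over an application inventory. The inventory entries and the deployment labels `tomcat-war` and `boot-jar` are constructed here; branches other than 5.3 and 5.2 are flagged for review because the text lists no fixed version for them.

```python
import re

# Fixed Spring Framework versions named in the advisory: 5.3.18+ and 5.2.20+.
PATCHED_FROM = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Parse 'major.minor.patch'; trailing qualifiers such as '.RELEASE' are ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version: {version!r}")
    return tuple(int(x) for x in m.groups())


def spring_patch_status(version: str) -> str:
    """Return 'patched', 'unpatched', or 'unknown' (branch with no listed fix)."""
    v = parse_version(version)
    fixed = PATCHED_FROM.get(v[:2])
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "unpatched"


def assess(spring_version: str, jdk_major: int, deployment: str) -> str:
    """Combine the stated conditions (JDK 9+, Tomcat WAR deployment) into a verdict.

    deployment is a constructed label: 'tomcat-war' or 'boot-jar'.
    """
    status = spring_patch_status(spring_version)
    if status == "patched":
        return "PATCHED"
    if status == "unknown":
        return "REVIEW"  # no fixed version listed for this branch; check vendor guidance
    # The known exploit needs JDK 9+ and a WAR deployment on Tomcat.
    if jdk_major >= 9 and deployment == "tomcat-war":
        return "UPDATE_NOW"
    # Executable jar or older JDK: known exploit does not apply, but the
    # underlying issue is more general, so still schedule the upgrade.
    return "UPDATE_SOON"


def triage(inventory: list) -> dict:
    """Map each app name to its verdict; inventory rows are (name, spring, jdk, deployment)."""
    return {name: assess(spring, jdk, dep) for name, spring, jdk, dep in inventory}


if __name__ == "__main__":
    sample = [("orders", "5.3.17", 11, "tomcat-war"), ("billing", "5.3.18", 17, "tomcat-war")]
    print(triage(sample))
```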
While the full extent of the impact of Spring4Shell on real-world applications is still being investigated, there is a consensus that the vulnerability is likely not as bad as Log4Shell.
Based on what is known to date, there are certain conditions that need to be met for exploitation to be successful, and it appears that the exploit may need to be adapted for each targeted application.