RedShield is aware of a new Spring Core 0-day vulnerability that currently has no patch and is being actively exploited. At this stage, no CVE has been assigned and only limited technical details are available.
Who is affected?
The vulnerability affects Spring Core running on JDK 9 or later, but appears to be exploitable only in certain configurations. Given the lack of public details, we advise anyone running Spring Core on JDK 9+ to assume they are vulnerable until proven otherwise.
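As a practical check for the condition above (Spring Core present on a host whose runtime is JDK 9 or later), the following POSIX shell script is an added example and is not RedShield's or Praetorian's code. The function names are hypothetical. It only inventories the JDK version string and spring-core jar file names, so it tells you whether you fall inside the advisory's scope; it does not confirm exploitability.

```shell
#!/bin/sh
# Added example (not RedShield's code): scope exposure to the advisory's stated
# condition, Spring Core present AND running on JDK 9+. Function names are
# hypothetical; this inspects version strings and file names only.

# Print the major version from the first line of `java -version 2>&1`.
# Pre-9 JDKs use the "1.x" scheme (1.8.0_312 -> 8); 9 and later lead with
# the major number (11.0.14 -> 11, 17.0.2 -> 17, "9" -> 9, "17-ea" -> 17).
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
        '')  ;;                       # unrecognised banner: print nothing
        *)   printf '%s\n' "$ver" | cut -d. -f1 | sed 's/[^0-9].*//' ;;
    esac
}

# Succeed (exit 0) when the banner line describes JDK 9 or later.
jdk9_or_later() {
    major=$(java_major_version "$1")
    [ -n "$major" ] && [ "$major" -ge 9 ]
}

# List spring-core jars below a directory as "<version>\t<path>", taking the
# version from the file name (spring-core-5.3.17.jar -> 5.3.17). Jars nested
# inside fat jars or unexploded WARs are not seen; unpack those first.
list_spring_core_jars() {
    find "$1" -type f -name 'spring-core-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        printf '%s\t%s\n' "${base#spring-core-}" "$jar"
    done
}

# Combine both checks for the local host. Usage: assess_host /opt/tomcat
# Exit 0 = inside the advisory's scope, treat as vulnerable;
#      1 = condition not met; 2 = JDK version could not be determined.
assess_host() {
    banner=$(java -version 2>&1 | head -n 1)
    jars=$(list_spring_core_jars "$1")
    if [ -z "$(java_major_version "$banner")" ]; then
        echo "could not determine JDK version from: $banner" >&2
        return 2
    fi
    if jdk9_or_later "$banner" && [ -n "$jars" ]; then
        printf 'JDK %s with Spring Core present; assume vulnerable:\n%s\n' \
            "$(java_major_version "$banner")" "$jars"
        return 0
    fi
    echo "advisory condition not met (JDK 9+ and Spring Core both required)"
    return 1
}
```

Run `assess_host /path/to/deployment` on each host. Note that the `java` on PATH is not always the JDK that launches the application; check the `JAVA_HOME` or the service definition the application actually starts under, and pass that binary's banner to `jdk9_or_later` if they differ.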
What is RedShield doing?
RedShield has seen active attacks and has released a signature that blocks the public proof-of-concept attack. We are continuing to monitor the situation closely so that we can upgrade our defences as new details come to light. Please reach out to us if you believe you may be at risk so that we can look at proactive measures.
What should you do?
If you are running vulnerable systems or have concerns, please contact your Solution Architect or firstname.lastname@example.org.
Praetorian has released remediation advice that should also be applied where possible.
A separate vulnerability, CVE-2022-22963 in Spring Cloud Function, was also published this week and is causing some confusion between the two issues. Our existing baseline shields already protect against CVE-2022-22963, but affected users who are unable to update to Spring Cloud Function 3.1.7 or 3.2.3 should contact us.