Spring4Shell, Spring Cloud Function RCE and Spring Cloud Gateway Code Injection. Hello everyone! This episode will be about last week’s high-profile vulnerabilities in Spring. Let’s figure out what happened.
Alternative video link (for Russia): https://vk.com/video-149273431_456239078
Of course, it’s amazing how fragmented the software development world has become. Now there are so many technologies, programming languages, libraries and frameworks! It becomes very difficult to keep them all in sight. Especially if it’s not the stack you use every day. Entropy keeps growing every year. Programmers are relying more and more on off-the-shelf libraries and frameworks, even where it may not be fully justified. And vulnerabilities in these off-the-shelf components lead to huge problems. So it was in the case of a very critical Log4Shell vulnerability, so it may be in the case of Spring vulnerabilities.
Spring is a set of products that are used for Java development. They are developed and maintained by VMware. The main one is Spring Framework. But there are a lot of them, at least 21 on the website. And because Spring belongs to VMware, you can find a description of the vulnerabilities on the VMware Tanzu website. VMware Tanzu is a suite of products that helps users run and manage multiple Kubernetes (K8S) clusters across public and private “clouds”. Spring is apparently also part of this suite and therefore Spring vulnerabilities are published there. Let’s look at the 3 most serious vulnerabilities published in the last month.