Spring4Shell Vulnerability Update
This is a memo from Hyperproof’s Security team written on March 31, 2022. For additional questions, please contact the Hyperproof Security Team at firstname.lastname@example.org
Summary of Vulnerability
A remote code execution vulnerability in the Spring Framework, widely known as Spring4Shell (CVE-2022-22965), was published on Tuesday, March 29, 2022, and was upgraded to Critical on Thursday, March 31, 2022. Under certain circumstances (per Spring's advisory: a Spring MVC or Spring WebFlux application running on JDK 9 or later and deployed as a WAR on Apache Tomcat), it was possible to execute code on a server running the Spring Framework by sending a specially crafted request that abuses request-parameter data binding. Spring Framework 5.3.0 through 5.3.17 and 5.2.0 through 5.2.19 are affected; the fix shipped in 5.3.18 and 5.2.20.
Detection of Vulnerability
Hyperproof’s Security Team was notified of this vulnerability by our automated vulnerability scanning tools shortly after its upgrade to Critical on Thursday, March 31, 2022.
The Hyperproof engineering team was immediately engaged and confirmed that Hyperproof is not vulnerable to this issue.
We determined that our existing defense-in-depth controls for API and data access prevent this vulnerability from being triggered in our environment. Hyperproof’s internal security firewalls and service APIs enforce least-privileged access controls for all resources and APIs, and the vulnerable resources were blocked at multiple layers of Hyperproof’s infrastructure, so a crafted request could not reach them.
In an abundance of caution, Hyperproof has updated our Java services from Spring Framework 5.3.16 to 5.3.18, the first 5.3.x release containing the fix, and will continue to monitor this issue.
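As an added example (not part of the Hyperproof memo or of any Hyperproof tooling), the following Python script shows the version check that underlies an upgrade decision like the one above: it scans a listing of jar file names (for instance the output of `ls WEB-INF/lib`), picks out Spring Framework artifacts, and flags any version below the fixed releases named in Spring's advisory (5.3.18 for the 5.3 line, 5.2.20 for the 5.2 line; older lines are unsupported and have no fix). The artifact-name regex and the sample listing are assumptions constructed for the example. Note that a vulnerable version is necessary but not sufficient for exploitation; the JDK and deployment conditions described above still have to hold.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# First releases containing the fix, per Spring's advisory for CVE-2022-22965.
FIXED_5_3 = (5, 3, 18)
FIXED_5_2 = (5, 2, 20)

# Spring Framework modules shipped by any Spring MVC / WebFlux application.
# The data-binding fix landed in spring-beans, but all modules are released
# together, so any of them reveals the framework version in use.
# (Module list is an assumption for this example; extend as needed.)
JAR_RE = re.compile(
    r"^(spring-(?:beans|core|context|web|webmvc|webflux))-"
    r"(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$"   # optional .RELEASE suffix on 5.2.x
)


class Finding(NamedTuple):
    jar: str
    version: Tuple[int, int, int]
    vulnerable: bool


def parse_spring_jar(name: str) -> Optional[Tuple[str, Tuple[int, int, int]]]:
    """Return (artifact, (major, minor, patch)) for a Spring Framework jar, else None."""
    m = JAR_RE.match(name.strip())
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def is_vulnerable_version(v: Tuple[int, int, int]) -> bool:
    """True if this Spring Framework version predates the CVE-2022-22965 fix."""
    major, minor, _ = v
    if major > 5:
        return False                      # newer major lines carry the fix
    if major < 5 or minor < 2:
        return True                       # unsupported lines: affected, never patched
    if minor == 2:
        return v < FIXED_5_2
    if minor == 3:
        return v < FIXED_5_3
    return False                          # 5.4+ never shipped; anything past 5.3 would be fixed


def scan(jar_names: Iterable[str]) -> List[Finding]:
    """Classify every Spring Framework jar in a listing; non-Spring jars are skipped."""
    findings: List[Finding] = []
    for name in jar_names:
        parsed = parse_spring_jar(name)
        if parsed is None:
            continue
        _, version = parsed
        findings.append(Finding(name.strip(), version, is_vulnerable_version(version)))
    return findings


def vulnerable_jars(jar_names: Iterable[str]) -> List[str]:
    """Names of jars that must be upgraded before the service can be considered patched."""
    return [f.jar for f in scan(jar_names) if f.vulnerable]


# Constructed sample listing of a WEB-INF/lib directory (not real scan output).
SAMPLE_LIB = [
    "spring-beans-5.3.16.jar",          # same version the memo upgraded from
    "spring-webmvc-5.3.16.jar",
    "spring-core-5.2.19.RELEASE.jar",   # old 5.2 line, one release short of the fix
    "spring-beans-5.3.18.jar",          # patched
    "jackson-databind-2.13.2.jar",      # not a Spring Framework artifact, ignored
    "spring-boot-2.6.6.jar",            # Spring Boot is versioned separately, ignored
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LIB):
        state = "VULNERABLE" if f.vulnerable else "ok"
        print(f"{f.jar:40s} {'.'.join(map(str, f.version)):10s} {state}")
```

In practice the listing comes from the deployed artifact rather than the build file, since transitive dependencies and BOM overrides can leave a different Spring Framework version on the classpath than the one declared. Spring Boot's own version is deliberately not matched; it maps to a Spring Framework version but is not that version.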