Tag Archive for: Java
‘Spring4Shell’ bug in framework for Java programming draws widespread warnings
Written by Joe Warminsky
Security researchers are urging users of Spring — a popular framework for creating create web applications in the widely used Java programming language — to update their software due to a critical vulnerability discovered this week.
An alert Friday from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency warns Spring users that a remote attacker “could exploit this vulnerability to take control of an affected system,” otherwise known as remote code execution (RCE).
Researchers are already calling the bug Spring4Shell, a name reminiscent of the major Log4Shell bug discovered in December in the open source Log4j logging software for websites. Spring4Shell is also open source software, which can complicate the response to a major bug.
The CISA alert does not specify how widely Log4Shell might be exploited so far. Researchers at Rapid7 said in an updated blog post Friday that it is still “a quickly evolving incident.”
Engineers at Spring, part of IT giant VMware, announced the vulnerability Thursday, roughly two days after reports noted that its existence had been leaked outside of usual vulnerability disclosure processes. Spring posted a guide to mitigation on Thursday.
The potential for exploitation of Spring4Shell can vary from project to project, researchers say, given that not all programmers might be using the same version of the Spring platform.
“In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted HTTP request to a vulnerable system,” researchers at Praetorian said. “However, exploitation of different configurations will require the attacker to do additional research to find payloads that will be effective.”
There are signs that Spring4Shell had drawn potentially malicious activity before this week. Researchers at 360 Netlab say they have evidence of activity as early as 10 days before Spring officially announced the bug. A familiar piece of malware subsequently has reared its head, 360 Netlab said. A variant of the Mirai malware…
Log4Shell-like security hole found in popular Java SQL database engine H2 – Naked Security
“It’s Log4Shell, Jim,” as Commander Spock never actually said, “But not as we know it.”
That’s the briefest summary we can come up with of the bug CVE-2021-42392, a security hole recently reported by researchers at software supply chain management company Jfrog.
This time, the bug isn’t in Apache’s beleagured Log4j toolkit, but can be found in a popular Java SQL server called the H2 Database Engine.
H2 isn’t like a traditional SQL system such as MySQL or Microsoft SQL server.
Although you can run H2 as a standalone server for other apps to connect into, its main claim to fame is its modest size and self-contained nature.
As a result, you can bundle the H2 SQL database code right into your own Java apps, and run your databases entirely in memory, with no need for separate server processes.
As with Log4j, of course, this means that you may have running instances of the H2 Database Engine code inside your organisation without realising it, if you use any apps or development components that themselves quietly include it.
JNDI back in the spotlight
Like the Log4Shell vulnerability, this one depends on abuse of the Java Naming and Directory Interface, better known as JNDI, which is an integral part of every standard Java installation.
JNDI is supposed to make it easier to identify and access useful resources across your network, including finding and fetching remotely stored software components using well-known search-and-discovery protocols such as LDAP (the Lightweight Directory Access Protocol).
As dangerous as this sounds, it’s important to remember that similar functionality can be coded into any software (compiled or interpreted, script or binary) that has network access, can download arbitrary data, and is able to turn that data into executable code of some sort. JNDI merely makes it very much easier to build distributed apps that find and load remote components. This sort of programmatic convenience sometimes improves security, because it’s often easier to audit and review code when it follows a well-documented path. But sometimes it reduces security, because it makes it easier to introduce unexpected side-effects by mistake. We saw this in…