Another day, another zero-day. This time, security researchers discovered a bypass for an older remote code execution flaw in the Spring Core framework, shortly after a proof-of-concept exploit was leaked to GitHub. Spring Core is a widely used Java framework for building web applications.
A Bypass for the CVE-2010-1622 Zero-Day Available
According to cybersecurity firm Praetorian, Spring Core on JDK9+ is vulnerable to remote code execution due to a bypass for the CVE-2010-1622 vulnerability.
“At the time of writing, this vulnerability is unpatched in Spring Framework and there is a public proof-of-concept available,” the researchers said.
In specific configurations, exploitation of CVE-2010-1622 is straightforward, as it only requires an attacker to send a crafted HTTP request to an exposed system. Exploiting other configurations, however, would require threat actors to do additional research to find effective payloads. In the case of a successful exploit, unauthenticated attackers would be able to execute arbitrary code on the targeted system.
Fortunately, there is a remediation, in the form of a temporary mitigation, for the vulnerable condition:
“In Spring Framework, DataBinder has functionality to disallow certain patterns. As a temporary mitigation for this vulnerability, Praetorian recommends creating a ControllerAdvice component (which is a Spring component shared across Controllers) and adding dangerous patterns to the denylist,” the researchers added.
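A concrete form of that mitigation, added here as an illustration and not code from Praetorian's write-up or from the Spring project itself: the package name is a placeholder, and the disallowed-field patterns are the ones published in Spring's own workaround guidance for this issue.

```java
package com.example.mitigation; // placeholder package name

import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global binder configuration shared by every @Controller and
 * @RestController in the application. Spring calls @InitBinder methods
 * declared on a @ControllerAdvice bean before request parameters are bound
 * to command/form objects, so the denylist applies application-wide.
 */
@ControllerAdvice
public class BinderControllerAdvice {

    /**
     * Property-path patterns that DataBinder must refuse to bind.
     * They block the "class"/"Class" property and anything nested below it,
     * in both spellings because DataBinder pattern matching is case-sensitive.
     */
    private static final String[] DISALLOWED_FIELDS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Apply the denylist to the binder used for this request.
        dataBinder.setDisallowedFields(DISALLOWED_FIELDS);
    }
}
```

A controller that declares its own @InitBinder method and calls setDisallowedFields there overrides this global setting, so the same patterns must be repeated in such controllers for the mitigation to hold.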