Another day, another zero-day. This time, security researchers discovered a bypass for an older zero-day, remote code execution flaw in the Spring Core framework, shortly after a proof-of-concept exploit was leaked to GitHub. Spring Core is a widely known Java framework for building Java web applications.
A Bypass for the CVE-2010-1622 Zero-Day Available
According to cybersecurity firm Praetorian, Spring Core on JDK9+ is prone to remote code execution due to a bypass for the CVE-2010-1622 vulnerability.
“At the time of writing, this vulnerability is unpatched in Spring Framework and there is a public proof-of-concept available,” the researchers said.
In specific configurations, exploitation of CVE-2010-1622 is straightforward, as it only requires an attacker to send a crafted HTTP request to an exposed system. However, to exploit different configurations, threat actors would have to research additionally to find effective payloads. In case of a successful exploit, unauthenticated attackers will be able to execute arbitrary code on the targeted system.
Fortunately, there’s a remediation, a temporary mitigation, to fix the vulnerable condition:
“In Spring Framework, DataBinder has functionality to disallow certain patterns. As a temporary mitigation for this vulnerability, Praetorian recommends creating a ControllerAdvice component (which is a Spring component shared across Controllers) and adding dangerous patterns to the denylist”, the researchers added.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: