Showing posts from April, 2022

Spring4Shell PoC in NCL Testbed

In the current Java-based web application ecosystem, a framework called Spring is dominantly in use (in more than 60% of applications). On March 30th, 2022, two critical vulnerabilities, CVE-2022-22963 and CVE-2022-22965, were reported, which pose a major threat to applications developed with the Spring framework. The first vulnerability affected the “spring-cloud-function-context” library (org.springframework.cloud). The latter, CVE-2022-22965, widely known as Spring4Shell, affected “spring-beans” (org.springframework.cloud). In this report we focus on the Spring4Shell vulnerability, which can allow unauthorized, malicious actors to achieve Remote Code Execution (RCE) on the server that is running the web application. The library org.springframework.cloud:spring-beans is a typical transitive dependency of a popular framework used widely in Java applications and requires Java Development Kit version 9 (JDK9) or newer to be running. It is a bypass for an older CVE, CVE-2010-1622 th