Discover and read the best of Twitter Threads about #Spring4Shell
Most recents (3)
Some more information on the #Nginx #0day by @_Blue_hornet as shared via DM and published here with permission: 
Update on the #Nginx 1.18 #0day:
Around 20 minutes ago @_Blue_hornet started a Github Repo arround the exploit:
github.com/AgainstTheWest…
Some more hints on the Exploit:
- Related to #Spring4Shell
- Created by #BrazenEagle
- Related to ldap-auth demon used together with #Nginx
Around 20 minutes ago @_Blue_hornet started a Github Repo arround the exploit:
github.com/AgainstTheWest…
Some more hints on the Exploit:
- Related to #Spring4Shell
- Created by #BrazenEagle
- Related to ldap-auth demon used together with #Nginx
Can confirm! The #Spring4Shell exploit in the wild appears to work against the stock "Handling Form Submission" sample code from spring.io
If the sample code is vulnerable, then I suspect there are indeed real-world apps out there that are vulnerable to RCE...
If the sample code is vulnerable, then I suspect there are indeed real-world apps out there that are vulnerable to RCE...
Ways that Cyber Kendra made this worse for everyone:
1) Sensational blog post indicating that this is going to ruin the internet (red flag!).
2) Linking to a git commit about deserialization that has absolutely nothing to do with the issue demonstrated by the original party.
1) Sensational blog post indicating that this is going to ruin the internet (red flag!).
2) Linking to a git commit about deserialization that has absolutely nothing to do with the issue demonstrated by the original party.
The original researcher also made this a touch more confusing/misleading than it needed to be as well. To one not familiar with Java, the long list of requirements makes it seem like one may need to intentionally make an app vulnerable. This is not the case.
OK, where are we with Spring stuff?
1) CVE-2022-22963 is a thing, and it affects Spring Cloud Connector. It's RCE, so the CVSS score of 5.4 seems way off.
2) Spring4Shell / SpringShell, invented by Cyber Kendra, isn't a Spring vulnerability at all.
Does that sound about right?
1) CVE-2022-22963 is a thing, and it affects Spring Cloud Connector. It's RCE, so the CVSS score of 5.4 seems way off.
2) Spring4Shell / SpringShell, invented by Cyber Kendra, isn't a Spring vulnerability at all.
Does that sound about right?
And just for the Twitter record, @VMwareTanzu assigned CVE-2022-22963 a CVSS score of 5.4
Yet it's an unauthenticated RCE vulnerability.
Which in my mind puts it closer to a 9.8.
Yet it's an unauthenticated RCE vulnerability.
Which in my mind puts it closer to a 9.8.
And to tie up this thread, I've confirmed that #SpringShell / #Spring4Shell *IS* indeed a thing.
This wasn't immediately obvious because of Cyber Kendra linking SpringShell to a commit for a COMPLETELY UNRELATED issue that is NOT A VULNERABILITY.
<sigh>
This wasn't immediately obvious because of Cyber Kendra linking SpringShell to a commit for a COMPLETELY UNRELATED issue that is NOT A VULNERABILITY.
<sigh>
