{"id":220,"date":"2022-05-05T22:44:00","date_gmt":"2022-05-05T22:44:00","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=220"},"modified":"2024-01-08T20:54:53","modified_gmt":"2024-01-08T20:54:53","slug":"one-month-in-cycognito-looks-at-spring4shell","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/one-month-in-cycognito-looks-at-spring4shell\/","title":{"rendered":"One month in: CyCognito looks at Spring4Shell"},"content":{"rendered":"\n

It\u2019s likely by now that you are aware of Spring4Shell, a vulnerability in the Spring framework that permits remote code execution (RCE) and was publicly disclosed on March 30th, 2022. <\/p>\n\n\n\n

NIST assigned Spring4Shell a score of 9.8, presumably out of concern of a similar blast radius to Log4Shell, which was trivial to exploit and very common. With 6 out of 10 Java developers reporting using the Spring framework (Snyk research, 2020<\/a>), this vulnerability jumped quickly to the headlines. <\/p>\n\n\n\n

On the outside this appears to be a nightmare; a critical RCE on a widely used web application framework in a current version. <\/p>\n\n\n\n

But is it?<\/p>\n\n\n\n

[For more information on Spring4Shell, please see our\u00a0<\/em>April 6th blog post<\/em><\/a>]<\/em><\/p>\n\n\n\n

The importance of rapid visibility to risk<\/strong><\/h2>\n\n\n\n

Time is of the essence when any vulnerability is disclosed but is especially important with critical severity vulnerabilities like Spring4Shell. Response windows are tight \u2013 the majority of CVEs start to be exploited within hours or days of disclosure<\/a>, according to the Cybersecurity & Infrastructure Security Agency (CISA):<\/p>\n\n\n\n

“…threat actors are extremely fast to exploit their vulnerabilities of choice: of those 4% of known exploited CVEs, 42% are being used on day 0 of disclosure; 50% within 2 days; and 75% within 28 days!”.<\/em><\/p>\n\n\n\n

Unfortunately this is a catch-22 scenario for many security teams. They understand the importance of rapid response but without visibility into their entire attack surface they can\u2019t understand vulnerability relevance. The act of response is necessary to quantify the risk to their organization. This equates to a constant fire drill for many IT security teams, contributing to uncertain prioritization and resource burnout.<\/p>\n\n\n\n

Spring4Shell data from CyCognito research<\/strong><\/h2>\n\n\n\n

CyCognito began tracking Spring4Shell (CVE-2022-22965<\/a>) immediately after disclosure. We examined attack surface scan results and quantified the number of customer assets using the Spring framework. We then cross referenced the assets running Spring with version and system information to understand the number vulnerable to the Spring4Shell exploit.<\/p>\n\n\n\n

Our results? Out of nearly 4,000 assets discovered running Spring, less than 1%<\/em> were vulnerable to the Spring4Shell exploit. This was great news for our customers<\/strong> \u2013 with this information they were able to quickly understand external risk posture and communicate it across all levels of their organization. <\/p>\n\n\n\n

We were initially surprised at this result considering the number of assets CyCognito monitors across many industries; software development, manufacturing, telecommunications, energy, and more. As a data company, the \u201cwhy\u201d is as important as the \u201cwhat\u201d, and with that in mind we determined multiple explanations that may occur to an outsider:<\/p>\n\n\n\n