
Admins better Spring into action over latest critical open source vuln

Patch up: The Spring framework dominates the Java ecosystem


If you're running an application built using the Spring development framework, now is a good time to check it's fully updated – a new, critical-severity vulnerability has just been disclosed.

Tracked as CVE-2024-38821, the vulnerability affects apps developed using Spring WebFlux only, and when exploited can lead to security rules being bypassed.

An application is only considered vulnerable to CVE-2024-38821 if all three of the following hold: it is built on WebFlux, it uses the framework's static resources support, and a non-permitAll authorization rule is applied to those static resources. An app that meets only one or two of these conditions is not considered vulnerable.
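To make the three conditions concrete, here is an added example (not code from the article, Spring, or Red Hat) of a Spring Security WebFlux configuration that meets all of them, with each condition marked so a reviewer can recognise the same pattern in their own code base. The class name, the `/static/**` path and the `classpath:/static/` location are illustrative assumptions.

```java
// Added example (not from the article or the Spring project): a minimal
// Spring Security WebFlux configuration that satisfies all three conditions
// the advisory describes. Class name, "/static/**" and "classpath:/static/"
// are illustrative assumptions.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.reactive.config.ResourceHandlerRegistry;
import org.springframework.web.reactive.config.WebFluxConfigurer;

// Condition 1: the app is a WebFlux (reactive) application. Implementing
// WebFluxConfigurer and wiring ServerHttpSecurity are the tell-tale signs;
// a servlet (Spring MVC) app would use HttpSecurity instead and is out of scope.
@Configuration
@EnableWebFluxSecurity
public class StaticResourceSecurityConfig implements WebFluxConfigurer {

    // Condition 2: the framework's static resources support is in use.
    // Here it is registered explicitly. Note that Spring Boot also registers
    // a default static resource handler (classpath:/static/ and similar
    // locations) automatically, so this condition can be met without any
    // code like this being present.
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/static/**")
                .addResourceLocations("classpath:/static/");
    }

    // Condition 3: a non-permitAll authorization rule covers those static
    // resources. ".authenticated()" here is non-permitAll, as would be
    // hasRole(...), hasAuthority(...) or access(...). A rule of
    // ".pathMatchers("/static/**").permitAll()" would not meet this condition.
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
                .authorizeExchange(exchanges -> exchanges
                        .pathMatchers("/static/**").authenticated()
                        .anyExchange().authenticated())
                .httpBasic(Customizer.withDefaults())
                .build();
    }
}
```

If a configuration like this is present (or Boot's automatic static resource handling is active and a non-permitAll rule covers it), the application is within the scope the advisory describes, and the remedy the article points to is updating Spring to a patched release.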

Spring is a widely used development framework, especially popular with Java apps, and has dominated the Java ecosystem for years. Snyk research from 2020 found that 60 percent of Java apps relied on the framework, while more recent findings from Incus Data showed that Spring Boot was relied upon by 58-72 percent of apps and Spring MVC was used by 29-41 percent.

According to Spring itself, and the National Vulnerability Database (NVD), the vulnerability carries a critical 9.1 CVSS rating, although this is disputed somewhat by vendors like Red Hat.

IBM's enterprise Linux subsidiary instead assessed the vulnerability's severity score to be much lower, more in the 7.4 region, indicating only a moderate risk of harm to affected organizations. The number of conditions that must all be met for an app to be exploitable was factored in here.

"This issue is classified as a moderate severity vulnerability because it impacts only specific configurations in Spring WebFlux applications and does not compromise dynamic or core application functionality," its advisory reads. 

"To exploit this vulnerability, the application must not only be using Spring WebFlux but must also serve static resources with non-permitAll authorization rules. Furthermore, the breach affects only static resources – such as CSS, JavaScript, or images – that, while potentially sensitive, do not contain dynamic, user-specific data or functional endpoints that interact directly with business logic."

Additionally, despite linking to the NVD's critical assessment, an advisory issued by Italy's Computer Security Incident Response Team (CSIRT-ITA) included its own impact assessment, which was deemed to be "high," or 65.51 out of a possible 100. 

Critical, moderate, and high. How nice it is to have a consensus on these things.

Apps using the following versions of Spring, and meeting the three conditions, are deemed vulnerable to CVE-2024-38821:
