Security researchers are still looking for applications that are exploitable using the remote code execution vulnerability in Spring Core.

There are no public reports of real-world applications that are vulnerable to the Spring4Shell exploit.

The Randori Attack Team said in comments provided to VentureBeat on Friday that they have not yet found an exploitable application. The team, a part of attack surface management vendor, released a script that can be used to test for susceptibility to the Spring4Shell vulnerability.

A system must have all the right ingredients in order to be vulnerable. The code has to be implemented in a certain way in order for the ingredients to be vulnerable.

It is difficult to remotely identify the Spring framework version. It is unlikely that we will see anything like the scale of Log4j.

The team said that it is monitoring for any changes. Several vendors have released advisories indicating that their products are vulnerable to Spring4Shell, but no one knows if they are vulnerable to the RCE flaw.

In the wild

The security community has been having a huge struggle to find vulnerable applications in the wild.

He only knows of one report of the Spring4Shell exploit working in the wild.

That instance does not involve another vendor's application, but it shows that an exploit for the Spring4Shell flaw could work against sample code supplied by Spring. In a post on Wednesday, Colin Cowie, a threat analyst at Sophos, demonstrated this.

The flaw in the Spring4Shell RCE is viable in the wild, and it's likely that real-world apps are vulnerable to it.

Even though exploitable real-world applications have not been disclosed, organizations that use the popular Java framework Spring still need to patch. According to experts who spoke with VentureBeat this week, most should patch when they can.

Other exploits possible

A lot remains unknown about Spring4Shell, the details of which were leaked on Tuesday, and its potential risks. There is a chance that attackers will find new ways to exploit the open source vulnerability.

Praetorian CTO Richard Ford said that anyone who uses Spring should consider installing the patch.

Ford said that the best advice was that all Spring users should patch if possible. There may be more general exploits available over time.

Ford said that it is very unlikely that we will end up in a similar situation as Log4Shell.

The widespread use of Log4j was believed to have impacted the majority of organizations.

Exploit requirements

On Thursday, Spring published a post with details about patches, exploit requirements and suggested workarounds for Spring4Shell. The RCE vulnerability affects JDK 9 or higher and has several additional requirements to be exploited, according to a Spring post.

The initial exploit requires the application to run on Apache Tomcat as a WAR deployment, which is not the default way of installing applications. The default is not vulnerable to the initial exploit of Spring4Shell.

New versions of Apache Tomcat were released on Friday to address the vulnerability.

Even if the current exploit needs a specific configuration, the vulnerability is still general enough and can be exploited in different ways.

The vulnerability was reported by Spring. She said that other attacks on other types of ClassLoader might be possible if the current exploit is Tomcat-specific.

The mission of VentureBeat is to be a digital town square for technical decision-makers to gain knowledge. You can learn more about membership.