Shared Assessments recommends a specific due diligence process for understanding third-party patch management capabilities using our industry-leading Standardized Information Gathering (SIG) Vendor Risk Questionnaire.
In the case of #Spring4Shell (or alternatively #SpringShell), we recommend you review your previous risk assessments first, instead of initiating new Questionnaire requests in your vendor community. Our infosheet “Securing your Software Supply Chain: TPRM Lessons from Spring4Shell Vulnerability” can help guide where to find relevant information related to this new vulnerability.
Researchers have found a critical vulnerability (CVE-2022-22965) in Spring, a popular open-source framework for the Java platform. The vulnerability, dubbed Spring4Shell, poses a serious threat to many web applications. Spring4Shell is zero-day (unknown to those who should be interested in its mitigation and, until recently, without a patch) and allows for unauthenticated remote code execution (RCE).
Background on the Spring4Shell vulnerability: what it does, how to treat it, and what it means to risk management. Read the post here.
CISA encourages users and administrators to immediately apply the necessary updates in the Spring Blog posts that provide the Spring Cloud Function updates addressing CVE-2022-22963 and the Spring Framework updates addressing CVE-2022-22965. CISA also recommends reviewing VMWare Tanzu Vulnerability Report CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ and CERT Coordination Center (CERT/CC) Vulnerability Note VU #970766 for more information.