An Interest In:
Web News this Week
- April 27, 2024
- April 26, 2024
- April 25, 2024
- April 24, 2024
- April 23, 2024
- April 22, 2024
- April 21, 2024
April 7, 2022 06:16 pm GMT
Original Link: https://dev.to/cjddww/understanding-spring4shell-rce-from-an-engineers-perspective-4iod
Understanding Spring4Shell RCE from an engineers perspective
What happened?
On March 29, 2022, A very old RCE (remote code execution) loophole tracked as CVE-2010-1622 was exposed in a series of Tweets. It affects most java projects using JDK 9+. This loophole enables attackers to exploit the server by executing a command on a server carried in a HTTP request.
Who should worry about this vulnerability?
If your project meets all conditions below, then you should take a serious look into this:
- JDK 9+
- Imported spring-webmvc dependency
- Deployed as WAR but not JAR
- Apache Tomcat as the Servlet container (the only container confirmed exploit currently)
How did this happen?
Before explaining more details, lets first start with a simple API defined in SpringMVC controller.
@Controllerpublic class DemoController { @PostMapping("/animals") @ResponseBody public Map<String, Object> importAnimalIntoZoo(Animal animal) { HashMap<String, Object> response = new HashMap<>(); response.put("data", animal); return response; }}
read more...
Original Link: https://dev.to/cjddww/understanding-spring4shell-rce-from-an-engineers-perspective-4iod
Share this article:
Tweet
View Full Article
Dev To
An online community for sharing and discovering great ideas, having debates, and making friendsMore About this Source Visit Dev To