April 8, 2022

Malwarebytes products are not impacted by Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell) 

On Tuesday, March 29, 2022, the world learned of a critical vulnerability in the Spring Java framework.  This vulnerability was initially confused with a vulnerability in Spring Cloud, CVE-2022-22963. However, it was later identified as a separate vulnerability inside Spring Core, now tracked as CVE-2022-22965 and canonically named Spring4Shell. and canonically named Spring4Shell. 

Malwarebytes is aware of the vulnerability and has determined that it does not currently impact Malwarebytes products or services. 

This vulnerability affects Spring Core and allows an attacker to send a specially crafted HTTP request to bypass protections in the library’s HTTP request parser, leading to remote code execution. Several proofs of concept (PoCs) have been published, and we are aware of active exploitation in the wild. 

The first step in defending against these attacks is to identify vulnerable software. As soon as we learned about the vulnerability, we immediately investigated to determine any exposure of our products, customers or company systems. Our research indicates that Malwarebytes products are not impacted by this vulnerability. Any backend or internal corporate systems that are found to be vulnerable are being patched/upgraded and continuously monitored after patching is complete. We are also in contact with our vendors as a part of our rigorous third-party risk management process to further assess any potential vulnerabilities or impact. 

These are the prerequisites for the exploit: 

  • JDK 9 or higher 
  • Apache Tomcat as the Servlet container 
  • Packaged as WAR 
  • spring-webmvc or spring-webflux dependency 

Affected VMware Products and Versions 

Severity is critical unless otherwise noted. 

  • Spring Framework 
  • 5.3.0 to 5.3.17 
  • 5.2.0 to 5.2.19 
  • Older, unsupported versions are also affected 

Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+. 

We may provide additional updates as we have new information or recommendations. 

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.