Originally posted: Mar 30th, 2022 (All times Eastern/ U.S.)
This page is updated frequently. Please see date/time (GMT) in the by line for most current article update.
- What happened?
- Who is at Risk?
- How is this relevant for Contrast Security and which customers might be impacted?
- How do I know if my application is vulnerable?
- What's Next?
This bulletin is to notify you of a large-scale and high impact vulnerability, Spring4Shell, which could be the source of Remote Code Execution (RCE). Contrast Labs has confirmed that vulnerable applications using Contrast Protect are protected against known exploits.
For more information on what we know now, please see our blog post by David Lindner, Contrast CISO, and Arshan Dabirsiaghi, Contrast Chief Scientist.
Who is at Risk?
There are a few requirements for an application to be vulnerable:
- You use a Spring app (up to and including version 5.3.17)
- Your app runs on Java 9+
- You use form binding with name=value pairs – not using Spring’s more popular message conversion of JSON/XML
- You don’t use an allowlist -OR- you don’t have a denylist that blocks fields like “class”, “module”, “classLoader”
How is this relevant for Contrast Security and which customers might be impacted?
Contrast Security software is not susceptible to this exploit.
- Our Java Agent - does not use Spring
- Contrast UI / EOP & SasS - we use allowlists for binding
How do I know if my application is vulnerable?
See the following articles for guidance on determining which of your applications may be susceptible to the Spring4Shell vulnerability.
- How to determine which apps are utilizing a specific library
- How to find the version of Java a Contrast agent is running on
- How to find apps that use Spring auto-binding
The latest details on the issue can be found on our blog post. This page will continue to be updated with further implications and how to fix this issue in your systems. Our team is currently researching the ability to exploit this vulnerability outside of a Tomcat environment.
We also recommend following Spring's own blog for the latest updates as the situation develops: Spring Framework RCE, Early Announcement.
Contrast will continue to monitor the situation with Spring4Shell and the security of our customers is of utmost importance to us. If you have any questions, concerns, or would like to discuss this issue further, please don’t hesitate to reach out to us at: