Last week, a number of critical vulnerabilities in the Java Spring framework were published. The exploitation of these vulnerabilities could allow an attacker to execute malicious code at the server or on the IoT device and to compromise the device. It is important to note that at this moment a public exploit already exists on the internet.
How common is the use of a library?
The use of Java Spring framework is very common in both servers and IoT products. In fact, about 15% of web services worldwide are based on this framework.
Am I vulnerable?
The vulnerability impacts Java applications that are based on Spring MVC and Spring WebFlux and running on JDK 9+. The specific exploit that was published requires the application to be packaged as a WAR and deployed to Apache Tomcat, but even if you meet the above criteria, it does not mean for sure that you are because sometimes more complex conditions need to exist as well
So should I panic?
Maybe panic is extreme. If your device is protected by Firedome, you have nothing to worry about, as the Firedome agent will detect the exploitation and prevent it on the spot (we still recommend you patch).
If your devices are not protected by Firedome, you definitely need to mitigate. Even if you are not sure if you are vulnerable, the exploitation has already been published and it’s only a matter of time until every server and device will become a target.
So how to mitigate?
If your IoT device has an OTA mechanism, updating this library can be a pretty good quick workaround. The best solution is to update your Spring library to Spring Framework versions 5.3.18 and 5.2.20.
If your IoT device doesn’t have an OTA mechanism, you can contact us and we will help you find a way to mitigate the vulnerabilities in your devices.