Hello, welcome to the Thursday, March 31st, 2022 edition of the Sands Internet Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, today was certainly an interesting day if you're dealing with Java, and well, after a lot of confusion, the quick summaries,

we do have two significant vulnerabilities. For one of which a patch is available. That's

CVE 2022, 2020, 20263. And this is a vulnerability in Spring Cloud Function.

For the second one in Spring Core, there is no patch available at this point.

But for both vulnerabilities, there are exploits available.

And yes, they're already actively being exploited.

Let's start with the first one for which we do have a patch available.

That's CVE 2020-22-963, and it's in SpringCloud function.

An initial report was published for this vulnerability on Tuesday.

However, it was only rated medium,

and it wasn't clear, and exploits then have proven that,

that it's actually possible to gain unauthenticated

remote code execution with this vulnerability.

So the CVSS score of 5.4 is probably a little bit low.

Now, where it got more confusing then was that at the same time when we had this new vulnerability,

there was a blog post announcing another vulnerability in Spring Core, and that vulnerability did not have a CVE number,

and the Spring Project in the Git commit

that was sort of linked by this particular blog post

did not really acknowledge that this is actually a vulnerability,

but turns out it is an exploitable vulnerability that, again, leads to unauthenticated remote code execution.

...