Beyond Security Blog

VRT Zero-day Security Advisory

HelpSystems Infrastructure Protection brands Digital Defense and Beyond Security are actively monitoring the disclosure of a security issue affecting the widely used Java framework Spring, known as “Spring4Shell” or “SpringShell”, which has been assigned CVE-2022-22965.

The Spring framework allows Java developers to develop Java applications easily with enterprise-level components. A Remote Code Execution (RCE) vulnerability was disclosed in the Spring framework that would allow an unauthorized attacker to inject a web shell to remotely execute code on a vulnerable target device.

  

Applications on JDK 9 or later running Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or older versions are vulnerable.

You can find patch information here.
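The version condition above is easy to get wrong by hand across a fleet, so here is an added example (not part of the advisory and not Beyond Security's scanner check) that encodes exactly the ranges stated on this page and runs them over a constructed inventory of application records. It treats "older versions" literally as anything below 5.2.0 and 6.x as outside the stated range; a match is a prompt to apply the patch, not proof that a given deployment is exploitable. The inventory entries, app names and version strings are constructed sample data.

```python
import re

# Advisory ranges for CVE-2022-22965 as stated on this page:
# JDK 9+ running Spring Framework 5.3.0-5.3.17, 5.2.0-5.2.19, or older releases.
# First fixed release on each maintained line (assumed from the ranges above).
FIXED_5_2 = (5, 2, 20)
FIXED_5_3 = (5, 3, 18)


def parse_version(text):
    """'5.3.17' or '5.3.17.RELEASE' -> (5, 3, 17)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Spring version: {text!r}")
    return tuple(int(x) for x in m.groups())


def spring_version_affected(version):
    """True if the Spring Framework release falls inside the advisory's ranges."""
    v = parse_version(version)
    if v[:2] == (5, 3):
        return v < FIXED_5_3
    if v[:2] == (5, 2):
        return v < FIXED_5_2
    return v < (5, 2, 0)  # "or older versions"; later lines (6.x) are outside the stated range


def jdk_major(java_version):
    """'9', '11.0.14', '17.0.2' -> major; legacy '1.8.0_312' -> 8."""
    parts = java_version.strip().split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1].split("_")[0])
    return int(parts[0])


def exposed_to_cve_2022_22965(java_version, spring_version):
    """Both conditions from the advisory must hold: JDK 9+ and an affected Spring release."""
    return jdk_major(java_version) >= 9 and spring_version_affected(spring_version)


# Constructed inventory records for the demonstration; not real hosts or applications.
SAMPLE_INVENTORY = [
    {"app": "billing-api", "java": "17.0.2", "spring": "5.3.17"},
    {"app": "legacy-portal", "java": "1.8.0_312", "spring": "5.3.17"},
    {"app": "reports", "java": "11.0.14", "spring": "5.3.18"},
    {"app": "auth-gw", "java": "11.0.14", "spring": "5.2.19"},
    {"app": "old-intranet", "java": "11.0.14", "spring": "4.3.30"},
]


def apps_needing_patch(inventory):
    """Names of inventory entries whose JDK/Spring pair matches the advisory."""
    return [r["app"] for r in inventory if exposed_to_cve_2022_22965(r["java"], r["spring"])]


if __name__ == "__main__":
    for app in apps_needing_patch(SAMPLE_INVENTORY):
        print(f"{app}: Spring Framework release in CVE-2022-22965 range on JDK 9+")
```

Note that legacy-portal is excluded only because it runs JDK 8; the same Spring release on a newer JDK (billing-api) is flagged, which is the distinction the advisory draws.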

The Vulnerability Research Team has updated our scanner with check 148151.  

Should you have questions regarding this advisory or require assistance, Frontline.Cloud subscribers can contact your Client Advocate or Personal Security Analyst; beSECURE users can contact Beyond Security Support via Freshdesk. 

  

HelpSystems Infrastructure Protection Vulnerability Research 

Beyond Security by HelpSystems is aware of a recently disclosed security issue related to the open-source Apache “Log4j2” utility (CVE-2021-44228).    

Log4j is a logging framework found in Java software. The flaw stems from Log4j2's Java Naming and Directory Interface (JNDI) features, used in configuration, log messages and parameters, failing to protect against attacker-controlled LDAP servers and other JNDI-related endpoints. A remote attacker who can control log messages or log message parameters can run arbitrary code loaded from LDAP servers on any application that uses Log4j when message lookup is enabled.

 The flaw affects all versions of Log4j from 2.0-beta9 to 2.14.1.  

 This flaw is actively being exploited.  

 We strongly encourage customers who manage environments containing Log4j2 to update to the latest version released by the Apache Foundation which addresses the issue available at: https://logging.apache.org/log4j/2.x/download.html  or their operating system’s software update mechanism.  

If updating the software is not an option, the Foundation has also shared mitigation measures for Log4j versions 2.10 and later to protect against remote code execution via the vulnerability.
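Two facts from this advisory drive triage: the affected range is 2.0-beta9 through 2.14.1, and an image from which the JNDI lookup class has been removed is not reachable by the flaw. The following added example (not Beyond Security's code or scanner logic) inspects a log4j-core jar in memory, reads the version from the manifest, checks for the JndiLookup class, and returns a verdict that distinguishes a patched release from a mitigated one. It assumes the jar carries an `Implementation-Version` manifest entry; real jars may also need their `pom.properties` consulted. The sample jars are constructed stand-ins containing placeholder class bytes, not real Log4j artifacts.

```python
import io
import re
import zipfile

# Class whose removal from log4j-core neutralises the JNDI lookup path.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, '', 0); '2.0-beta9' -> (2, 0, 0, 'beta', 9); None if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch or 0), (tag or "").lower(), int(num or 0))


def in_affected_range(v):
    """True if v lies inside the advisory's range 2.0-beta9 .. 2.14.1 (inclusive)."""
    major, minor, patch, tag, num = v
    if major != 2 or (minor, patch) > (14, 1):
        return False
    if (minor, patch) == (0, 0) and tag == "beta" and num < 9:
        return False  # pre-releases before 2.0-beta9 are outside the stated range
    return True


def inspect_jar(jar_bytes):
    """Return (version_str, has_jndi_lookup, verdict) for an in-memory jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        version_str = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                key, sep, value = line.partition(":")
                if sep and key.strip() == "Implementation-Version":
                    version_str = value.strip()
    version = parse_version(version_str) if version_str else None
    if not has_jndi:
        verdict = "jndi-lookup-removed"          # mitigated regardless of version
    elif version is None:
        verdict = "unknown-version-jndi-present"  # needs manual follow-up
    elif in_affected_range(version):
        verdict = "vulnerable"
    else:
        verdict = "not-in-affected-range"
    return version_str, has_jndi, verdict


def build_sample_jar(version_str, include_jndi):
    """Constructed minimal stand-in for log4j-core; placeholder class bytes, not a real jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version_str}\r\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for ver, jndi in [("2.14.1", True), ("2.14.1", False), ("2.16.0", True), ("2.0-beta8", True)]:
        print(ver, "JndiLookup present" if jndi else "JndiLookup removed", "->", inspect_jar(build_sample_jar(ver, jndi))[2])
```

To run it against a real file, pass `open(path, "rb").read()` to `inspect_jar`; a verdict of `jndi-lookup-removed` on an otherwise affected version is what the class-stripped LSS base image described below would produce.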

 

Beyond Security uses Log4j in the beSECURE LSS scanners and beSECURE II scanner and management bundle.  

Java is used by beSECURE LSSs to schedule and run scans and to send results back to the local or cloud management server.

An attacker would need access to the local or cloud LSS to inject the required payload. 

Currently, Beyond Security is not aware of a means for a remote attacker to access the necessary resources to initiate an attack.  

Affected cloud versions of the LSS have been patched.

Beyond Security has released a new LSS base image that does not include the JNDI class. New deployments of LSS and beSECURE II will not contain the vulnerable JNDI class.

Beyond Security is working on an update that will remove the JNDI class from existing LSS scanners as an additional precaution, though there is no means of reaching the vulnerable code (as mentioned above).

The beSECURE UI is not affected.  

If you have any questions about this flaw or need assistance updating your LSS, please contact Beyond Security Support.  
