Press Release
Contrast Security Responds to Spring4Shell Vulnerability
Contrast’s code security experts provide guidance and release additional preventative measures to combat widespread Java software vulnerability
April 19, 2022 — Los Altos, CA — Contrast Security (Contrast), the leader in code security that empowers developers to secure as they code, continues to provide guidance on Spring4Shell, the latest zero-day security issue, which exploits a vulnerability in the Spring Framework, a widely adopted application framework for Java. Today the company also announces the release of a new rule within the Contrast platform called ClassLoader Manipulation. Contrast Protect’s new ClassLoader Manipulation rule provides much stronger protections that further prevent all Spring4Shell-related exploits and future, similar exploits.
On Tuesday, March 29, 2022, researchers disclosed a new zero-day vulnerability named Spring4Shell in the Spring Web framework that allows attackers to escalate their attacks to remote code exploitation. The same day, Contrast provided information detailing intelligence garnered about the vulnerability in a blog post authored by David Lindner, Contrast CISO, and Arshan Dabirsiaghi, Contrast Chief Scientist. The company has since provided additional details about Spring4Shell’s impact on serverless environments.
“It is our job to ensure our customers are aware of the latest vulnerabilities as well as how they can mitigate any risks and better protect their applications. We issued a blog and customer communication within 24 hours of when Spring4Shell was disclosed and launched our own internal investigation so that we could continue to provide updated intelligence on how to safeguard against it and similar exploits,” said David Lindner, CISO, Contrast Security. “While Contrast Protect blocked the initial Spring4Shell exploit since day zero, our new Protect rule denies attackers access to application classloaders, thus denying them an important vector for escalating many different attack vectors to remote code exploitation (RCE).”
Contrast’s new rule, ClassLoader Manipulation, also provides customers with the following added protection:
- Completely guards users from any variation of Spring4Shell and from any future copycat zero-days that target other frameworks like Spring with the same vulnerability
- Prevents attackers from manipulating the application’s classloader in any way, including installing a web shell or other malicious code
- Leverages Protect’s sandboxing technique to deny any attempt to use reflection to invoke common ClassLoader accessor methods that attackers exploit. This sandboxing technique is uniquely available to runtime application self-protection (RASP) agents like Contrast Protect and cannot be replaced by traditional endpoint protection tools
For more information on Spring4Shell and how to manage it, check out Contrast’s OnDemand recorded webinar here.
About Contrast Security:
Contrast Security secures the code that global business relies on. It is the industry's most modern and comprehensive Code Security Platform, removing security roadblock inefficiencies and empowering enterprise developers to write and release secure application code faster. Embedding code analysis and attack prevention directly into software with instrumentation, the Contrast platform automatically detects vulnerabilities while developers write code, eliminates false positives, and provides context-specific how-to-fix guidance for easy and fast vulnerability remediation. Doing so enables application and development teams to collaborate more effectively and to innovate faster while accelerating digital transformation initiatives. This is why a growing number of the world's largest private and public sector organizations rely on Contrast to secure their applications in development and extend protection to cloud and on-premise applications in production.
Media Contact:
Laura Asendio
Public Relations Manager
Contrast Security
pr@contrastsecurity.com