English-ing and cleaning up the alleged 0day dropped 2022-03-29
The README from the alleged appears confirmed! 0day dropped on 2022-03-29 has been translated to English and cleaned up slightly to assist in your analysis and replication. If you manage to create a demo application that folks could use to independently validate and deep-dive, please let me know via GitHub Issues so I can link it!
Please note that this is a different issue than CVE-2022-22963! Major cybersecurity news outlets, including ThreatPost, have gotten this fact wrong – and this is compounding confusion across other outlets and making triage much more difficult.
TL;DR
A GitHub user (p1n93r) claimed, and then deleted, that by sending crafted requests to JDK9+ SpringBeans-using applications, under certain circumstances, that they can remotely:
- Modify the logging parameters of that application to achieve an arbitrary write.