Well It’s Spring, and Here’s Spring4Shell
Two software frameworks have a rather poor record for security: Adobe Flash and Java. While Adobe Flash has all but disappeared, Java is still causing security problems. A core problem with Java is often its lack of control over the libraries it pulls in, and the difficulty of updating them. And so Java is on the naughty step again with a new zero-day vulnerability, which allows for remote code execution (RCE) [CVE-2010-1622]:
The vulnerability has been named “Spring4Shell,” and relates to the SpringSource Spring Framework 2.5.x. Spring is often used as a framework to build Java applications, and does not have a strong record for security, with two recent vulnerabilities identified:
- Spring Framework expression DoS vulnerability (CVE-2022-22950).
- Spring Cloud expression resource access vulnerability (CVE-2022-22963).
At the core of Spring, we have an easy integration of libraries within enterprise solutions, which allows for easy deployment…