There is a new flaw in Java affecting the Internet and services

Internet security is a constant topic and issues regularly arise with the new Spring4Shell. They query users and their data, as well as the services that are provided on top of these platforms.

This is yet another defect of Java and its components, with a high degree of severity. After Log4j, this is another serious problem that must be solved as soon as possible, to ensure everyone’s safety.

Spring4Shell Java blocks application services

Spring4Shell: Java's new flaw

A new investigation by security experts has revealed another flaw in Java. This is present in the Spring Core Java framework and is named "Spring4Shell", having been publicly revealed, CVE-2022-22963known to allow remote execution of unauthenticated code in applications.

It follows the same line as the famous Log4j and has great relevance. This leaves services that use this framework vulnerable and exposed to attacks of various types. The code for its exploitation is already available in some circles and is known to be used.

Applications and services are vulnerable

Although still under evaluation, the new Spring4Shell flaw appears to be extremely critical and likely to expose services and applications where present. If the conditions are met, it is possible to place files on servers, which are then used to steal data.

Good news that has emerged, however, has come to put some calm in this process. Preliminary analysis determined that the presence of "Spring Beans" is required, using "Spring Parameter Binding" and that a "Spring Parameter Binding" must be configured to use a non-basic parameter type such as POJOs.

Updates are essential for now

The recommendation for now is to update all applications and services that use Java version 9 or later. Patches should appear in the next few days and permanently remove the Spring4Shell vulnerability.

It is believed that this could have the same impact as Log4j, and this has not yet been resolved in many cases. Given the requirements to exploit this flaw, it's too early to tell how many apps and services might be vulnerable.

Add Comment