Spring Core flaw severity downplayed

VentureBeat reports that although several news outlets have suggested that a new remote code execution flaw in the widely used Spring Core Java framework, dubbed "SpringShell," may be the "next Log4Shell," it may not be as severe. Flashpoint and Risk Based Security researchers found that SpringShell is not similar to Log4Shell "at a deeper level," and that while it is a "functional" flaw, it may not be as alarming. Security professional Chris Partridge shared a similar view. "[SpringShell] does not instinctively seem like it's going to be a cataclysmic event such as Log4Shell. This vulnerability appears to require some probing to get working depending on the target environment," Partridge wrote on GitHub. Moreover, Sonatype Chief Technology Officer Brian Fox said that while the new bug permits unauthenticated RCE, it could be mitigated. Meanwhile, Praetorian security engineers have been working on an exploit for the flaw while patches remain unavailable. "We have disclosed full details of our exploit to the Spring security team, and are holding off on publishing more information until a patch is in place," the Praetorian engineers said.