This week, panic seemed to take a hold of the cyber security industry as rumours of a potentially catastrophic remote code execution (RCE) bug emerged in the Spring Core framework. Dubbed Spring4Shell in an ode to Log4Shell, security experts initially debated the otherwise unconfirmed zero-day vulnerability amongst themselves; questioning its severity, scope and ease of exploitation. Some called it a ‘misunderstanding’, while others believed it was ‘fake news’.
These naysayers have since been proven wrong. Independent security researchers as well as Spring project themselves, have confirmed the Spring4Shell vulnerability. Indeed, it has now been catalogued as CVE-2022-22965 and fixes have been published. But you might wondering, what threat does it pose? Why the panic?
Spring is among the most popular frameworks specific to Java programming language, and is utilised by roughly 70% of all Java software applications. Therefore, a vulnerability could subsequently, put many at risk. In fact, if successful, hackers could leverage Spring4Shell to remotely run commands on their server of choice, and access sensitive data or gain further permissions to move across the internal network.
To mitigate the impact, organisations and software developers who rely on the Spring framework are being asked to update it to the latest versions as soon as possible. As organisations scramble to patch this latest vulnerability, the event only reinforces the important work of Digital Security by Design. Through the collaboration of industry vendors, the UK government, and academia, we can work towards creating technologies that are secure by default; technologies that can block as much as 70% of ongoing vulnerabilities from exploitation. And as a result, reduce their criticality and the costly rush to patch.
Speaking of patching and updating, it’s important that we, as individuals, remember to update our own internet browsers as well.
John Goodacre, Director of Digital Security by Design and Professor of Computer Architectures at Manchester University, shares:
“The browser provides most people the window onto their online life. Unfortunately, with such complex software it’s impossible to ensure it has no bugs or errors. Such issues mean cyber attackers are able to steal your data or hold you to ransom. Today, the only action users can do is to keep all their devices updated as soon as any fixes are made. Deciding to delay, or even not to update, significantly increases your risk that you will suffer an attack once an update is available because it points hackers towards an issue that they could exploit.”
Follow Innovate UK