Written by Joe Warminsky
Apr 1, 2022 | CYBERSCOOP
Security researchers are urging users of Spring — a popular framework for creating web applications in the widely used Java programming language — to update their software due to a critical vulnerability discovered this week.
An alert Friday from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency warns Spring users that a remote attacker “could exploit this vulnerability to take control of an affected system,” otherwise known as remote code execution (RCE).
Researchers are already calling the bug Spring4Shell, a name reminiscent of the major Log4Shell bug discovered in December in the open source Log4j logging software for websites. Spring4Shell is also open source software, which can complicate the response to a major bug.
The CISA alert does not specify how widely Log4Shell might be exploited so far. Researchers at Rapid7 said in an updated blog post Friday that it is still “a quickly evolving incident.”
Engineers at Spring, part of IT giant VMware, announced the vulnerability Thursday, roughly two days after reports noted that its existence had been leaked outside of usual vulnerability disclosure processes. Spring posted a guide to mitigation on Thursday.
The potential for