Spring4Shell flaw: Here's why it matters, and what you should do about it

Microsoft has weighed in on Spring4Shell, a recently discovered flaw in the Spring Framework for Java.

Microsoft is telling customers of its Azure cloud service to patch the recently disclosed bug, a critical-rated remote code execution (RCE) vulnerability that’s been tagged as CVE-2022-22965 and dubbed SpringShell or Spring4Shell — a twist on the dire Log4Shell bug affecting another Java-based application logging utility.  

While there was initial debate about how serious the bug is, sleuthing by security researchers in the days afterwards after the flaw was discovered revealed that Spring4Shell was indeed a serious bug that warranted attention. 

The US Cybersecurity and Infrastructure Security Agency (CISA) on April 1 urged all US organizations, including federal agencies, to patch it immediately. On April 4, CISA added the bug to its catalog of known exploited vulnerabilities, which requires federal agencies to patch it within a deadline. 

The Spring Framework is “the most widely used lightweight open-source framework for Java,” Microsoft notes. The bug resides in the Java Development Kit (JDK) from version 9.0 and upwards if the system is also using Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions.

“In Java Development Kit (JDK) version 9.0 or later, a remote attacker can obtain an AccessLogValve

Read More: https://www.zdnet.com/article/spring4shell-flaw-heres-why-it-matters-and-what-you-should-do-about-it/#ftag=RSSbaffb68