A Technical Analysis of How Spring4Shell (CVE-2022-22965) Works(extrahop.com)
extrahop.com
A Technical Analysis of How Spring4Shell (CVE-2022-22965) Works
https://www.extrahop.com/company/blog/2022/a-technical-analysis-of-how-spring4shell-works/
7 comments
I've been told it can be hard to know if vendor-built apps in your environment are using Spring. What are some apps built on this platform?
That's a good technical write-up. I wonder how much of an issue this CVE will be compared to Log4Shell....
Depends a lot on how many Spring apps out there have the prereqs to be vulnerable. The widespread nature of Log4Shell is what made it “worse” than other RCE vulns. I don’t have a sense of how many vulnerable instances of this one might be out there but the number could be enormous.
Whether or not this turns out to have the same blast radius and Log4Shell, it has certainly captured a lot of attention. Lots and lots of folks using Tomcat...
If there are any for Java, can they be used with Spring Boot (Spring Framework)? Maybe there are some for in another programming language?