Explaining Spring4Shell: The Internet security disaster that wasn't

by Dan Goodin, from Ars Technica

Hype and hyperbole were on full display this week as the security world reacted to reports of yet another Log4Shell, the vulnerability that came to light in December and is arguably one of the gravest Internet threats in years. Christened Spring4Shell (the new code-execution bug is in the widely used Spring Java framework), the threat quickly set the security world on fire as researchers scrambled to assess its severity.

One of the first posts to report on the flaw was on the tech news site Cyber Kendra, which warned of "severe damage the flaw might cause to tonnes of applications" and claimed that the bug "can ruin the Internet." Almost immediately, security companies, many of them pushing snake oil, were falling all over themselves to warn of the imminent danger we would all face. And all of that before a vulnerability tracking designation or an advisory from the Spring maintainers was even available.

All aboard

The hype train started on Wednesday after a researcher published a proof-of-concept exploit that could remotely install a web-based remote-control backdoor, known as a web shell, on a vulnerable system. People were understandably concerned because the vulnerability was so easy to exploit and was in a framework that powers a massive number of websites and apps.
