A free tool from WhiteSource fixes the Spring4Shell vulnerability

A few months ago, the discovery of the vulnerability known as Log4Shell caused considerable havoc, because it affected Log4j, a logging library used by many applications and online services. Unfortunately, it is not the only significant bug identified recently.

Spring4Shell has now joined Log4Shell: it is another very serious vulnerability, one that allows remote code execution (RCE) in Spring, one of the most popular open source frameworks for Java applications. Thanks to the developers at WhiteSource, as reported by colleagues at HelpNetSecurity, the situation appears to be back under control through a tool, made available for free, that identifies and remediates the problem.

Organizations and security teams need to approach Spring4Shell with the same attention and urgency they have had with the recent Log4j vulnerability. This vulnerability highlights the importance of a proactive approach to software security and the need for more automated application security to be incorporated into the development lifecycle. Be sure to manage your technical debt and stay up to date.

On the same occasion, WhiteSource also offered companies some useful advice for avoiding similar situations in the future. The recommended practices include always updating Spring to the latest version, generating a software bill of materials (SBOM) for every application in the environment, and more.

Photo Credit: WhiteSource