Hello folks, it seems like the shell ordeal isn’t done. While I’ve only seen one article to date, let’s be clear: from what I’m reading, we shouldn’t set our hair on fire yet.
While Log4J seemed bad at first glance and could still be exploited, this one may also be exploited if the right circumstances are met.
According to the article we’re going to link to later, some are reporting this as one of the gravest Internet threats ever to hit the Internet.
So far, we don’t know of any exploits of this Spring Shell, which is how Ars is correctly framing it, according to what I’ve read.
One of the first reports, by a group I’m not familiar with, indicates that this is the worst ever.
I’m not going to bash the publication Cyber Kendra; I’ve never heard of them. If this is truly destructive, then fine, but from what I’m reading here, it isn’t what is claimed. I do, however, want to keep in mind that anything is possible, and something that isn’t necessarily bad to start could in theory turn bad. So, I’ll write publicly that it is possible for this to turn bad, but this article indicates that it isn’t so bad.
For those who want to venture to read one of the first posts, please do so, but I’m not responsible for it. I’ve not read it, and right now I am not going to touch it.
The hype train started on Wednesday after a researcher published a proof-of-concept exploit that could remotely install a web-based remote control backdoor known as a web shell on a vulnerable system. People were understandably concerned because the vulnerability was so easy to exploit and was in a framework that powers a massive number of websites and apps.
The article continues:
The vulnerability resides in two Spring products: Spring MVC and Spring WebFlux, which allow developers to write and test apps. The flaw results from changes introduced in JDK9 that resurrected a decade-old vulnerability tracked as CVE-2010-1622. Given the abundance of systems that combine the Spring framework and JDK9 or later, no wonder people were concerned, particularly since exploit code was already in the wild (the initial leaker quickly took down the PoC, but by then it was too late.)
They did say that this works under certain circumstances, but under default configurations people should be fine.
Here is a publication from Spring which was linked within the article.
If you know you run Spring, you should read this article, and make sure you take their advice. They know their products better than I do, so please keep that in mind.
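One concrete piece of that advice is worth seeing in code. The quoted Ars passage ties Spring4Shell to CVE-2010-1622, the old flaw where request parameters could be bound onto a command object’s `class` property chain. The block below is an added example, written for this post and not taken from Spring’s publication or from the Ars article; it follows the disallowed-fields workaround pattern that Spring documented for applications that cannot upgrade immediately, and the exact ordering and field list here are this post’s assumptions that you should verify against Spring’s own publication. It assumes a Spring MVC application with spring-webmvc on the classpath; the package name is hypothetical. Upgrading to a fixed Spring version is still the real fix.

```java
// Added example (not from the post, the Ars article, or Spring's own text):
// a global data-binder hardening that refuses to bind request parameters to
// the "class" property chain on command objects, the property path that
// CVE-2010-1622 and its Spring4Shell revival abuse. Assumes spring-webmvc on
// the classpath; package name is hypothetical.
package com.example.hardening;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applies to every controller in the application.
@ControllerAdvice
// Run after controller-local @InitBinder methods so this denylist is the
// last word on what may be bound (ordering is an assumption; verify locally).
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderHardeningAdvice {

    @InitBinder
    public void denyClassPropertyPaths(WebDataBinder dataBinder) {
        // Patterns are matched against the property path of each request
        // parameter. Both capitalisations are listed because binder paths
        // can start with either "class" or "Class", and the "*." variants
        // cover nested objects such as "user.class.classLoader".
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

A caveat a practitioner should check: `setDisallowedFields` replaces the binder’s list rather than appending to it, so any controller that calls it in its own `@InitBinder` method needs to include these patterns too, or the global denylist is silently undone for that controller. Treat this as a stopgap and confirm your Spring Framework and JDK versions against Spring’s publication.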
To read more, please read the Ars Technica post titled Explaining Spring4Shell: The Internet security disaster that wasn’t, and this will be our topic for this week.
Note that the time is going to be 11 am PT, 2 pm ET on Clubhouse. Look for the public room that starts TSB89. We hope to see you then! In the meantime, please read the article and information here, so you’re aware of what is going on. It’s better to be aware than not to be and find out it’s bigger than we thought.
Thanks for reading and participating on the blog and podcasts!