80% of Spring framework downloads are exploitable versions

80% of Spring framework downloads are exploitable versions
Ryan is a senior editor at TechForge Media with over a decade of experience covering the latest technology and interviewing leading industry figures. He can often be sighted at tech conferences with a strong coffee in one hand and a laptop in the other. If it's geeky, he’s probably into it. Find him on Twitter: @Gadget_Ry

Data from Sonatype suggests that 80 percent of weekly Spring framework downloads are still exploitable versions.

Spring is a mighty popular framework—often ranking in the top three most-used Java frameworks. That’s why the Java developer community was shaken when a vulnerability named Spring4Shell (CVE-2022-22965) was leaked by a security researcher ahead of an official CVE publication.

Spring4Shell allows unauthenticated remote code execution. This week, the US government’s Cybersecurity & Infrastructure Security Agency (CISA) added Spring4Shell to its list of known exploited vulnerabilities.

Patched versions of Spring are now available but a majority of developers are still downloading vulnerable iterations. Spring-framework v5.2.20 and newer aren’t impacted by Spring4Shell.

Sonatype has created a live dashboard to keep track of downloads of vulnerable Spring components:

Researchers are split on the potential severity of Spring4Shell.

Although comparable to Log4Shell in terms of the popularity of vulnerable components, Spring4Shell is not believed to be as critical due to requiring specialised conditions and an easy-to-replicate attack vector is yet to be observed. However, that might change and it’s better to err on the side of caution.

The best course of action is to ensure you’re not using any vulnerable Spring4Shell components in your Java projects.

Related: Google wants to increase government collaboration to secure open-source

Want to learn more about cybersecurity from industry leaders? Check out Cyber Security & Cloud Expo. The next events in the series will be held in Santa Clara on 11-12 May 2022, Amsterdam on 20-21 September 2022, and London on 1-2 December 2022.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: , , , , , , , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published.