%term

Browsers tormented by open roll vulnerability

Apr 1, 2022 By Kyle Suero, Aviad Hahami In Snyk

“Never click unexpected links!” Ever hear someone yell this? Virtually every person in tech has a healthy suspicion of random links; it is for a good reason. Every now and then there are huge leaks from industry leaders as a result of a targeted campaign. One of the most reliable ways to “phish” someone, or exfiltrate their credentials, is to abuse an open redirect vulnerability in a safe-looking website and redirect the victims to a malicious one.

Read Post

Snyk

Read more about Browsers tormented by open roll vulnerability

Spring4Shell: 12 year old vulnerability springs back to life

Apr 1, 2022 By SecurityScorecard In SecurityScorecard

On Thursday, March 31st a patch for a widely used Java framework called the Spring Framework was given the designation CVE-2022-22965 with a CVSS Score of 9.8. That’s bad news for a lot of companies that make use of this framework for delivery of their web applications, services and APIs. This is a remote code execution (RCE) vulnerability and the ease of exploitation is partly why it has earned a 9.8 out of 10 on the CVSS Score.

Read Post

SecurityScorecard

Read more about Spring4Shell: 12 year old vulnerability springs back to life

Spring4Shell Vulnerability vs Log4Shell Vulnerability

Apr 1, 2022 By Hope Goslin In Veracode

On March 29, 2022, details of a zero-day vulnerability in Spring Framework (CVE-2022-22965) were leaked. For many, this is reminiscent of the zero-day vulnerability in Log4j (CVE-2021-44228) back in December 2021.

Read Post

Veracode

Read more about Spring4Shell Vulnerability vs Log4Shell Vulnerability

Spring4shell - RCE in Spring Framework?

Apr 1, 2022 By Andreas Sommarström In Bytesafe

A critical remote code execution (RCE) vulnerability was identified March 30th, 2022 for the Spring Framework. Spring core, used by millions of systems to develop Java web applications quickly, is one of the Java world’s most popular open source Java frameworks. The RCE vulnerability, if successfully exploited could potentially allow an attacker to take control of a vulnerable system.

Read Post

Bytesafe

Read more about Spring4shell - RCE in Spring Framework?

Vulnerability Management - Intro to Torq Webinar

Mar 31, 2022 By Torq In Torq

As recent vulnerabilities like log4j have shown, having a standardized approach to identifying vulnerabilities and applying patches is essential to organizations looking to keep their systems safe from exploits. Whether it's preventative maintenance or responding to new 0-days, a continuous vulnerability management program ensures that security teams can rapidly identify risks and work cross-functionally to deploy patches and verify successful remediation.

View Video

Torq

Read more about Vulnerability Management - Intro to Torq Webinar

Veracode Product Update

Mar 31, 2022 By Veracode In Veracode

This episode of Veracode Insiders features Elisa Velarde, Senior Product Marketing Manager, here at Veracode. Tune in for an update on a new product enhancement that allows your security team to find log4shell at runtime.

View Video

Veracode

Read more about Veracode Product Update

SpringShell (Spring4Shell) Zero-Day Vulnerability CVE-2022-22965 : All You Need To Know

Mar 31, 2022 By Shachar Menashe In JFrog

On March 29th, the cyberkendra security blog posted a sensational post about a Log4Shell-equivalent zero-day vulnerability in Spring Framework, but without any solid details about the vulnerability itself.

Read Post

JFrog

Read more about SpringShell (Spring4Shell) Zero-Day Vulnerability CVE-2022-22965 : All You Need To Know

Spring4Shell: The zero-day RCE in the Spring Framework explained

Mar 31, 2022 By Brian Vermeer In Snyk

On March 30, 2022, a critical remote code execution (RCE) vulnerability was found in the Spring Framework. More specifically, it is part of the spring-beans package, a transitive dependency in both spring-webmvc and spring-webflux. This vulnerability is another example of why securing the software supply chain is important to open source.

Read Post

Snyk

Read more about Spring4Shell: The zero-day RCE in the Spring Framework explained

Dissecting Spring4Shell

Mar 31, 2022 By Blueliv In Outpost 24

An RCE vulnerability affecting Spring Core’s JDK 9 and later has become a trending topic in cybersecurity networks during the past couple days. This discovery, compared by some to the Log4Shell vulnerability, generated a lot of confusion and even got mistook with a different vulnerability affecting Spring Cloud, which got a CVE assigned the same day, and even linked them to completely unrelated commits on Spring Core’s GitHub.

Read Post

Outpost 24

Read more about Dissecting Spring4Shell

The Next Log4Shell? Spring4Shell Hitting Waves.

Mar 31, 2022 By Research Team In Cyberint

A new vulnerability was found in the Spring Core module of the Spring Framework. This was discovered by a Chinese security researcher, posting a Proof-of-Concept (POC) on GitHub (Figure 1), which later was deleted. This vulnerability is a zero-day, which currently wasn’t assigned a CVE, and was dubbed by security researchers as “Spring4Shell” or “SpringShell”, after the recent vulnerability in the Log4j Java package, discovered last December, and made waves worldwide.

Read Post