Explaining Spring4Shell: The Internet security disaster that wasn’t

Explaining Spring4Shell: The Internet security disaster that wasn’t

2 years ago
Anonymous $R5WK5a8uaN

https://arstechnica.com/information-technology/2022/04/explaining-spring4shell-the-internet-security-disaster-that-wasnt/

Hype and hyperbole were on full display this week as the security world reacted to reports of yet another Log4Shell. The vulnerability came to light in December and is arguably one of the gravest Internet threats in years. Christened Spring4Shell—the new code-execution bug in the widely used Spring Java framework—quickly set the security world on fire as researchers scrambled to assess its severity.

One of the first posts to report on the flaw was tech news site Cyber Kendra, which warned of severe damage the flaw might cause to “tonnes of applications” and “can ruin the Internet.” Almost immediately, security companies, many of them pushing snake oil, were falling all over themselves to warn of the imminent danger we would all face. And all of that before a vulnerability tracking designation or advisory from Spring maintainers was even available.