80% of Spring framework downloads are workable builds
Sonatype data suggests that 80% of Spring framework downloads are always working versions.
Spring is a very popular frame, which often ranks in the top three most used Java frameworks. This is why the Java developer community was shaken when a vulnerability named Spring4Shell (CVE-2022-22965) was leaked by a security researcher before an official CVE release.
Spring4Shell allows unauthenticated remote code execution. This week, the US government’s Cybersecurity & Infrastructure Security Agency (CISA) added Spring4Shell to its list of known exploited vulnerabilities.
Patched versions of Spring are now available, but the majority of developers are still uploading vulnerable iterations. Spring-framework v5.2.20 and later versions are not affected by Spring4Shell.
Sonatype created a live dashboard to track downloads of vulnerable Spring components:
Researchers are divided on the potential seriousness of Spring4Shell.
Although comparable to Log4Shell in terms of popularity of vulnerable components, Spring4Shell is not considered as critical as it requires specialized conditions and an easy-to-replicate attack vector has not yet been observed. However, that could change and it is best to err on the side of caution.
The best thing to do is to make sure that you are not using any vulnerable Spring4Shell components in your Java projects.
Related: Google wants to increase government collaboration to secure open source
Want to learn more about cybersecurity from industry leaders? To verify Cybersecurity and Cloud Expo. The next events in the series will take place in Santa Clara on May 11 and 12, 2022, in Amsterdam on September 20 and 21, 2022 and in London on December 1 and 2, 2022.
Check out other upcoming enterprise technology events and webinars powered by TechForge here.