Source |
Veracode |
Identifier |
4382630 |
Publication date |
2022-04-01 19:51:15 (viewed: 2022-04-02 00:05:27) |
Title |
Spring4Shell Vulnerability vs Log4Shell Vulnerability |
Text |
On March 29, 2022, details of a zero-day vulnerability in Spring Framework (CVE-2022-22965) were leaked. For many, this is reminiscent of the zero-day vulnerability in Log4j (CVE-2021-44228) back in December 2021.
What is the difference between the vulnerabilities?
The Spring Framework vulnerability was caused by unforeseen access to Tomcat's ClassLoader as a result of the new Module feature added in Java 9. The access could potentially allow an attacker to write a malicious JSP file accessible via the application server.
On the other hand, the Log4j vulnerability was the result of an exploitable logging feature. If the logging feature is successfully exploited on your infrastructure, attackers can perform an RCE (Remote Code Execution) attack and compromise the affected server.
What is the scope of the vulnerabilities?
Since we are a cloud-based Software Composition Analysis (SCA) provider, we are able to leverage data on the scope of the vulnerabilities.
As we… |
Sent |
Yes |
Tags |
Vulnerability |