Source |
Veracode |
Identifier |
4484274 |
Publication date |
2022-04-20 18:35:10 (viewed: 2022-04-20 23:06:27) |
Title |
Just Because You Don't Use Log4j or Spring Beans Doesn't Mean Your Application is Unaffected |
Text |
By now, you're probably all aware of the recent Log4j and Spring Framework vulnerabilities.
As a recap, the Log4j vulnerability – made public on December 10, 2021 – stemmed from an exploitable logging feature that could allow attackers to achieve remote code execution (RCE) and compromise the affected server.
The Spring Framework vulnerability – made public on March 29, 2021 – was caused by unforeseen access to Tomcat's ClassLoader as a result of the new Module feature added in Java 9. The access could potentially allow an attacker to write a malicious JSP file accessible via the application server.
Just because your organization isn't using a vulnerable version of Log4j or Spring doesn't mean that you aren't using a Java component or development framework that depends on Log4j or Spring Beans. For example, Apache Struts2, ElasticSearch, and Apache Kafka, among others, rely on Log4j.
Our co-founder and CTO, Chris Wysopal explained:
“There… |
Sent |
Yes |
Tags |
Vulnerability