JavajavaTutorialThe persistent threat: Why major vulnerabilities like Logell and Springell remain significantThe persistent threat: Why major vulnerabilities like Logell and Springell remain significant
As developers, we're constantly juggling features, fixes, and deadlines. Yet, a lurking issue has been surprisingly overlooked: the continued use of vulnerable Log4j and Spring Framework versions in many projects. Despite the high-profile exposure of Log4Shell and Spring4Shell vulnerabilities, a shocking number of applications are still running on these ticking time bombs. This isn't just a minor oversight — it's a major risk. We're builders at heart, but part of building is ensuring our structures are safe.
The developer’s dilemma
As developers, we constantly balance pushing out new features and maintaining the existing projects and features. It's a balancing act that demands our time and full cognitive bandwidth. Keeping track of every project's dependencies while ensuring they're up to date can feel like an uphill battle, especially when the pressure is on to deliver new functionalities. Amid this juggling act, critical vulnerabilities like Log4Shell and Spring4Shell can sometimes fall through the cracks, not out of negligence but due to the sheer volume of tasks we manage daily. However, it is essential to recognize that the safety and security of exciting applications are crucial aspects of software development nowadays.
The current state of Log4shell
Remember Log4Shell? That nasty vulnerability in Apache Log4j found in 2021 that could let attackers run code on your server by logging a special string? An attacker could use a JNDI lookup with the LDAP protocol to inject a pre-compiled class file and execute malicious code. Even in newer versions of Java, this vulnerability could lead to damage due to deserialization attacks. The attack complexity of this critical vulnerability is considered very low, which makes the threat even higher than usual. Check our blog post for a full breakdown of the issue.
More than 20% of companies are still vulnerable to Log4shell.
Today, many companies still have an outdated, vulnerable version of the Log4j library in one of their projects. Of all Snyk customers that scan their production code for vulnerabilities, 21% still have projects vulnerable to Log4Shell. That means over 60k projects are still at risk of getting breached by a vulnerability disclosed and fixed over 2 years ago. That’s huge! Knowing that these companies already use security tooling and are actively mitigating the security issues they encounter, the actual number of vulnerable log4j versions in the wild will be much higher than that. That thought alone is not only scary but also very disturbing.
Spring4Shell in the wild
Another infamous example was Spring4Shell, which was disclosed in March 2022. The vulnerability in spring-beans could also lead to malicious remote code execution. Although the attack complexity was low, and there were exploits for specific cases, the impact was less significant than that of Log4Shell. Check out the dedicated blog post for more details.
By extending this vulnerability to Glassfish with a new exploit in April 2022, the Snyk team proved that this vulnerability is very significant and could be misused in many more cases outside of the first exploit for tomcat.
Similar to Log4Shell, we found that Spring4Shell is still applicable in the wild. About 35% of our customers still have the vulnerability in one of their projects. Even though the risk of a Spring4Shell breach was not as significant as that of Log4Shell, the Snyk team demonstrated a range of potential exploits by identifying and developing an exploit proof of concept (POC) for Glassfish. This proves that seemingly lesser dangers could still lead to significant security vulnerabilities. The fact that no exploit is published yet does not imply an application can’t be breached by a vulnerability!
Moreover, it shows that many Spring applications depend on older, outdated framework versions, and updating and servicing existing applications is considered unimportant. However, deep down, we know this is a ticking time bomb that can explode any minute.
Wakeup call to all who maintain applications
Let's keep this straightforward and to the point. We all know that feeling of pride when our code finally runs without a hitch, and the last thing we want to do is go back and mess with it, especially for something as silly as updating libraries. But here's the thing: those Log4Shell and Spring4Shell vulnerabilities aren't going to fix themselves. And honestly, they're not just tiny bugs we can ignore. They're gaping holes in the walls of our application. If you still have vulnerabilities like Log4Shell or Spring4Shell in your landscape, you are unnecessarily vulnerable to high-severity attacks!
Snyk can help you with this by detecting and helping to address security vulnerabilities in applications. It integrates with development workflows in several ways, such as through Git repositories, its Command Line Interface (CLI), or existing Continuous Integration (CI) pipelines, enabling developers to identify security risks early in the development cycle before they turn into bigger problems. Registration is free, allowing immediate access to its features. However, the real value lies in how the discovered vulnerabilities are managed and resolved post-identification.
We've got to take responsibility here. It's not just about finding a quick patch or hoping a simple update will do the trick. Sometimes, we need to make the hard call to remove or replace a vulnerable library. Yeah, it might slow us down a bit, and it's not the most exciting part of our job, but it's crucial. It's about ensuring our code is solid, not just for today but for the long haul.
So, let's not wait for someone else to fix these problems. With the proper tooling, we can spot these vulnerabilities early, but we've got to be the ones to take action. It's on us to shore up our defenses, patch up those vulnerabilities, and keep our applications safe and sound. Let's get to it, not just as coders, but as the folks who stand by their work, ensuring it's as secure as it can be.
The above is the detailed content of The persistent threat: Why major vulnerabilities like Logell and Springell remain significant. For more information, please follow other related articles on the PHP Chinese website!
How does platform independence benefit enterprise-level Java applications?May 03, 2025 am 12:23 AMJava is widely used in enterprise-level applications because of its platform independence. 1) Platform independence is implemented through Java virtual machine (JVM), so that the code can run on any platform that supports Java. 2) It simplifies cross-platform deployment and development processes, providing greater flexibility and scalability. 3) However, it is necessary to pay attention to performance differences and third-party library compatibility and adopt best practices such as using pure Java code and cross-platform testing.
What role does Java play in the development of IoT (Internet of Things) devices, considering platform independence?May 03, 2025 am 12:22 AMJavaplaysasignificantroleinIoTduetoitsplatformindependence.1)Itallowscodetobewrittenonceandrunonvariousdevices.2)Java'secosystemprovidesusefullibrariesforIoT.3)ItssecurityfeaturesenhanceIoTsystemsafety.However,developersmustaddressmemoryandstartuptim
Describe a scenario where you encountered a platform-specific issue in Java and how you resolved it.May 03, 2025 am 12:21 AMThesolutiontohandlefilepathsacrossWindowsandLinuxinJavaistousePaths.get()fromthejava.nio.filepackage.1)UsePaths.get()withSystem.getProperty("user.dir")andtherelativepathtoconstructthefilepath.2)ConverttheresultingPathobjecttoaFileobjectifne
What are the benefits of Java's platform independence for developers?May 03, 2025 am 12:15 AMJava'splatformindependenceissignificantbecauseitallowsdeveloperstowritecodeonceandrunitonanyplatformwithaJVM.This"writeonce,runanywhere"(WORA)approachoffers:1)Cross-platformcompatibility,enablingdeploymentacrossdifferentOSwithoutissues;2)Re
What are the advantages of using Java for web applications that need to run on different servers?May 03, 2025 am 12:13 AMJava is suitable for developing cross-server web applications. 1) Java's "write once, run everywhere" philosophy makes its code run on any platform that supports JVM. 2) Java has a rich ecosystem, including tools such as Spring and Hibernate, to simplify the development process. 3) Java performs excellently in performance and security, providing efficient memory management and strong security guarantees.
How does the JVM contribute to Java's 'write once, run anywhere' (WORA) capability?May 02, 2025 am 12:25 AMJVM implements the WORA features of Java through bytecode interpretation, platform-independent APIs and dynamic class loading: 1. Bytecode is interpreted as machine code to ensure cross-platform operation; 2. Standard API abstract operating system differences; 3. Classes are loaded dynamically at runtime to ensure consistency.
How do newer versions of Java address platform-specific issues?May 02, 2025 am 12:18 AMThe latest version of Java effectively solves platform-specific problems through JVM optimization, standard library improvements and third-party library support. 1) JVM optimization, such as Java11's ZGC improves garbage collection performance. 2) Standard library improvements, such as Java9's module system reducing platform-related problems. 3) Third-party libraries provide platform-optimized versions, such as OpenCV.
Explain the process of bytecode verification performed by the JVM.May 02, 2025 am 12:18 AMThe JVM's bytecode verification process includes four key steps: 1) Check whether the class file format complies with the specifications, 2) Verify the validity and correctness of the bytecode instructions, 3) Perform data flow analysis to ensure type safety, and 4) Balancing the thoroughness and performance of verification. Through these steps, the JVM ensures that only secure, correct bytecode is executed, thereby protecting the integrity and security of the program.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
WebStorm Mac version
Useful JavaScript development tools
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
VSCode Windows 64-bit Download
A free and powerful IDE editor launched by Microsoft
Dreamweaver CS6
Visual web development tools
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
