Hello, welcome to the Friday, April 1st, 2020 edition of the Sands and its Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Well, today we got some word from the Spring Project itself regarding the vulnerability that has commonly been referred to as Spring for Shell. It now has

a CBE 2022-22-965 and they provided some guidance on when you may or may not be vulnerable

to this particular problem. First of all, you need to be running JDK9 or later.

That already has been known yesterday.

Also, you need to be using the Spring MVC or the Spring Webflux components in order to be vulnerable.

More details within our diary and also, of course, from the advisory that was

published by Spring. Now, we are seeing a number of exploit attempts for this vulnerability.

Nothing really too crazy at this point. Actually, quite a few less than what we saw with Log 4J, less researchers at

this point sort of probing it. And really, the probes we see so far are really just sort of

checking it out, seeing if you may be vulnerable, also looking for already pre-installed web shells,

because one way this vulnerability would be

exploited is by someone essentially reconfiguring, logging in the application in order to

create a web shell on the vulnerable system. So in short, no log for Jay as far as the scale

of this vulnerability goes.

Only very specific applications are vulnerable, but if you're running one of those applications

that uses these particular libraries in the particular configuration, then you certainly

should update and patches are available now. But hey, if you don't have any Java applications to patch,

maybe take a look at your Apple devices.

Apple today released updates for MacOS,

Catalina, iOS, and iPadOS.

And two vulnerabilities are being addressed here.

...