WhiteSource Spring4Shell Detect, a free command-line interface (CLI) tool that quickly scans projects for open-source libraries vulnerable to CVE-2022-22965, also known as Spring4Shell, was released today by WhiteSource, a leader in application security. Spring4Shell is a remote code execution (RCE) vulnerability in Spring, one of the most widely used open-source Java frameworks today. While the vulnerability is still being researched, its impact is expected to be comparable to that of Log4j, and it carries a severity score of 9.8. WhiteSource's free developer tool, now available on GitHub, shows developers the exact path to each vulnerable direct and indirect dependency, together with the patched version, so they can remediate quickly.
Given the likelihood that this zero-day vulnerability is widespread and the risk it poses, WhiteSource advises companies to take the following steps to remediate it and avoid future incidents:
- Upgrade to the most recent version of Spring Framework if you are running any vulnerable version. Use tools such as WhiteSource Renovate to keep your libraries automatically updated to the latest releases.
- Inventory your entire application portfolio to find every instance of CVE-2022-22965. WhiteSource's free detection tool can help with this.
- Create a software bill of materials (SBOM) for each application in your environment. An SBOM gives you visibility into your whole software attack surface, including direct and indirect dependencies, and lets you respond quickly to vulnerability announcements.
WhiteSource CEO Rami Sass stated, "Organizations and security teams must approach Spring4Shell with the same attention and urgency they did with the recent Log4j vulnerability. This vulnerability highlights the importance of a proactive approach to software security and the need for more automated application security to be baked into the development lifecycle. Ensure you are handling your technical debt, and update."
With many downloads to date, WhiteSource Renovate automatically updates dependencies and has already found and mitigated the Spring4Shell vulnerability for a large number of businesses.