What is Spring4shell? + Should we be concerned?

April 7, 2022
  • Just as we are making peace with Log4J, the gift that seems to keep giving – we now have Spring4Shell. So what is Spring4Shell? It’s a code injection flaw in the Spring Cloud computing framework that poses a remote attack risk. Spring Cloud, for anyone who isn’t familiar with it, is an open-source library that provides tools for quickly deploying Java Virtual Machine based applications on the cloud. Spring4Shell is a critical vulnerability in VMware’s open source Spring Framework’s Java-based Core module and, if exploited, it can be used to achieve remote code execution. Microsoft has shared a blog on this, reporting that it has tracked a “low volume” of exploit attempts across its cloud services using Spring4Shell, with many attempts aligned with the basic web shell proof-of-concept (PoC) code available online. The US Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert alongside VMware and is urging administrators to apply fixes to resolve these issues urgently. A patch has been released for this vulnerability and is available here.
  • If you have been listening to the Cloud Native Security Month on Cloud Security Podcast this month, then this news is for you. Amazon EKS (Elastic Kubernetes Service) now supports Kubernetes version 1.22 and will soon support version 1.23, which will mark the end of support for Dockershim in Amazon EKS. From version 1.23 you can still create an Amazon Machine Image with Dockershim if you like, but Dockershim will not be available in the Amazon EKS optimized AMIs. This is your prompt to migrate to a different container runtime before support is removed in the next Amazon EKS major release (1.23).
  • We are often talking about the AWS, GCP and Azure’s of the world, but IBM Cloud, Oracle Cloud and Alibaba are also making their mark in the cloud landscape. IBM this week launched IBM® z16™, calling it the next-generation system that will bring real-time AI for transaction processing at scale. IBM have shared that this is an open, agile platform that integrates into a hybrid cloud environment with industry-leading security, data privacy and latency. IBM shared that they are prioritizing security and cyber resilience through their IBM Z Security and Compliance Center, which provides system-collected evidence to be used in an audit report, and IBM Z Flexible Capacity for Cyber Resiliency, designed to allow clients to fully automate the swap from participating IBM z16 production systems to backup systems at different sites. You can read their blog here and let us know if IBM Cloud is on your radar.
  • Ever heard of the Motion Picture Association? Well, they are an American trade association representing the likes of Disney, Netflix, Warner Bros, Paramount, Universal and Sony Pictures. They are looking to fight piracy with cloud security.
  • They have a content security initiative called The Trusted Partner Network (TPN). Over the next 12 months, TPN will roll out an enhanced version of its program, including updated security best practice guidelines for cloud workflows, to provide vendors with the ability to report alternate security certifications and to support the urgent need for a centralized, confidential and flexible content security solution. Next month, TPN will begin a pilot program to test its updated guidelines with an emphasis on cloud security. This includes the participation of the Hollywood studios as well as individuals and organizations with cloud security expertise, including the Cloud Security Alliance. You can find out more about this initiative here.
  • We all love a good open source tool, something that starts with a great idea and the community builds upon. Recently, Lightspin, an Israeli multicloud CNAPP solution company, released recon.cloud, the first free AWS cloud security tool that scans any and all domains to reveal publicly exposed cloud assets. Recon.cloud filters the cloud assets specifically, providing the relevant metadata. You can check it out for yourself on this link and let us know what you think of it.
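Following up on the Amazon EKS item above: before the 1.23 upgrade removes Dockershim, the practical check is to find out which nodes still report the Docker runtime. The script below is an added example, not code from the podcast or from AWS; it parses the JSON that `kubectl get nodes -o json` returns (the sample here is constructed and abridged to the fields used) and flags nodes whose kubelet still reports `docker://` as the container runtime.

```python
import json

# Constructed, abridged sample of `kubectl get nodes -o json` output.
# Real output carries many more fields; the EKS build suffixes are made up.
SAMPLE_NODES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "ip-10-0-1-10.ec2.internal"},
         "status": {"nodeInfo": {"kubeletVersion": "v1.22.6-eks-sample",
                                 "containerRuntimeVersion": "docker://20.10.13"}}},
        {"metadata": {"name": "ip-10-0-2-20.ec2.internal"},
         "status": {"nodeInfo": {"kubeletVersion": "v1.22.6-eks-sample",
                                 "containerRuntimeVersion": "containerd://1.4.13"}}},
    ]
})


def minor_version(kubelet_version):
    """Return the Kubernetes minor version (e.g. 22) from a kubelet version string."""
    core = kubelet_version.lstrip("v").split("-")[0]  # "1.22.6"
    return int(core.split(".")[1])


def nodes_on_dockershim(nodes_json):
    """Return the names of nodes whose kubelet still reports the Docker runtime.

    Dockershim presents itself to the kubelet as 'docker://<version>', while
    the containerd runtime that EKS 1.23 optimized AMIs use reports
    'containerd://<version>'.
    """
    nodes = json.loads(nodes_json)["items"]
    return [n["metadata"]["name"] for n in nodes
            if n["status"]["nodeInfo"]["containerRuntimeVersion"].startswith("docker://")]


def migration_report(nodes_json, removal_minor=23):
    """Summarise which nodes must move off Dockershim before moving to 1.<removal_minor>."""
    nodes = json.loads(nodes_json)["items"]
    stuck = nodes_on_dockershim(nodes_json)
    highest = max(minor_version(n["status"]["nodeInfo"]["kubeletVersion"]) for n in nodes)
    return {
        "dockershim_nodes": stuck,
        # True when Docker-runtime nodes exist on a cluster that has not yet crossed
        # the version where Dockershim support is removed.
        "blocking_upgrade": bool(stuck) and highest < removal_minor,
    }


if __name__ == "__main__":
    print(json.dumps(migration_report(SAMPLE_NODES_JSON), indent=2))
```

Against a live cluster, feed it `kubectl get nodes -o json` instead of the embedded sample; any node listed under `dockershim_nodes` needs a node group rebuilt on a containerd-based AMI before the 1.23 upgrade.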

If you are looking to learn more about Kubernetes and Cloud Native Security – be sure to check out the Cloud Native Month on Cloud Security Podcast.

And the next thing on the radar should be the upcoming KubeCon + CloudNativeCon.
