Millions of Installations Potentially Vulnerable to Spring Framework Flaw
On Monday, cybersecurity firms produced two data points estimating how many Spring Framework installations are vulnerable to a recently reported flaw. The flaw, referred to as Spring4Shell or SpringShell, is tracked as CVE-2022-22965. According to security researchers, anywhere from hundreds of thousands to millions of downloads are affected. Details of the flaw were released just 24 hours after it was disclosed to the Spring Project, resulting in a scramble to determine which versions were affected and how many devices were impacted.
Security researchers scanned roughly a quarter of the internet to determine how many devices were impacted and concluded that 150,000 vulnerable devices exist. As many as 600,000 devices may contain the vulnerable component that can be exploited by hackers via the leaked code. In addition, SecurityScorecard deployed honeypot servers to detect active attempts to exploit the recently reported flaws.