Log4j “nuclear-grade” vulnerability Log4Shell may affect the world forever.
The U.S. Department of Homeland Security (DHS) Cybersecurity Review Board (CSRB) recently released its investigative report in response to last year’s Log4Shell vulnerability.
The CSRB is an agency established by DHS only this February to investigate major cybersecurity incidents and to publish reports with recommendations for strengthening the nation’s cybersecurity. Its first investigation was into the “nuclear-grade” Log4j vulnerability that erupted last year.
Information indicates that an RCE 0day vulnerability has been reported in the Spring Framework. If the target system is built on Spring and runs on JDK 9 or above, an unauthorized attacker can exploit this vulnerability to remotely execute arbitrary code on the target device.
1. Vulnerability Situation Analysis

The Spring Framework is the most widely used lightweight open-source framework for Java. When an application built on it runs on JDK 9 or above, a remote attacker can, under certain conditions, obtain an AccessLogValve object through the framework’s parameter-binding feature and, by supplying malicious field values, trigger the pipeline mechanism to write a file to an arbitrary path.
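The parameter-binding path described above can be closed at the data-binder level until the framework is upgraded. The following is an added example, not code from the page or from the Spring project itself; it reproduces the workaround the Spring team published for this issue and assumes a Spring MVC application in which controllers may already set their own disallowed fields.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Global binder configuration that refuses to bind any request parameter
 * whose property path passes through a "class"/"Class" property. That is the
 * route by which parameter binding reaches framework internals such as the
 * AccessLogValve described in the text. Applies after every controller's own
 * @InitBinder so that no controller can accidentally re-enable it.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Patterns published by the Spring team as the interim mitigation.
    private static final String[] DENYLIST = {
            "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void hardenBinder(WebDataBinder dataBinder) {
        // setDisallowedFields replaces the list, so merge with whatever a
        // controller already configured instead of silently dropping it.
        List<String> merged = new ArrayList<>();
        String[] existing = dataBinder.getDisallowedFields();
        if (existing != null) {
            merged.addAll(Arrays.asList(existing));
        }
        for (String pattern : DENYLIST) {
            if (!merged.contains(pattern)) {
                merged.add(pattern);
            }
        }
        dataBinder.setDisallowedFields(merged.toArray(new String[0]));
    }
}
```

This is a stop-gap: the advice only covers binding done through Spring MVC's WebDataBinder, so upgrading to a patched Spring Framework release remains the actual fix.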