Spring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities (lunasec.io)
5 points by freeqaz on March 30, 2022 | hide | past | favorite | 1 comment


(Author of the original "Log4Shell" post[1] here)

An RCE in Spring was posted[0] about last night on HN but a ton of people have been getting confused by the fact that there are TWO new vulnerabilities being discussed.

I just wrote this post up to help with the confusion around these exploits. As with Log4Shell, it's still very early and we don't have enough details to say exactly _what_ the situation is for how widely exploitable this is. With Log4Shell it turned out to be pretty freakin' bad because of all of the vendor software affected.

Hopefully with this post we can get some more eyes on this to help avoid confusing these vulnerabilities and creating a panic before we have more answers about the exploitability.

0: https://news.ycombinator.com/item?id=30851919

1: https://www.lunasec.io/docs/blog/log4j-zero-day
