Will Spring4Shell and Log4Shell change the view on community projects?
At the end of March 2022, a serious security vulnerability was discovered in the Spring Framework. All versions of spring-core were affected when used with Java 9 or newer. Unfortunately, it happened soon after Log4Shell.
Java DevOps teams have not had much time to rest since the infamous Log4Shell security issue, which made it possible to remotely execute code through the Log4j library, a library that was and still is widely used in the industry.
After all the mess involved in Log4Shell remediation (massive Log4j upgrades), we hoped it would take years until anything new of that size was discovered. That thinking seemed completely justified: widely used libraries usually do not have security issues for long. Simply put, too many projects use them, and someone always finds and fixes the problem quickly.
Log4Shell was the first one that big in a very long time. I saw comments like "that happens when a community project does not have serious commercial support". So, besides licensing, should we also check the finances of the supporting community? Well, that could have been enough, until this week...
The problem found in spring-core is not something new; it is not only the latest releases that are affected. Currently, we know that it has existed at least since JDK 9. Knowing how popular the Spring Framework is, it is a big deal. Once again, DevOps teams around the globe are upgrading their projects. Although doing it under time pressure might be frustrating, it is a good thing: we should all try to keep our libraries up to date.
It is reasonable to solve the problem, wait for the dust to settle, and then think about how to prevent it in the future. That is the wise thing to do.
However, I am afraid of one thing. I have not heard it yet, but some people will start asking why we are using community libraries instead of building everything in-house. I really hope I am wrong. I do not want to be back in the 90s, when every company created its own framework doing exactly the same thing.
Useful information regarding the technical side of Spring4Shell is available at https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/