On Wednesday, April 6, 2022, VMware disclosed several critical-severity vulnerabilities impacting multiple VMware products. If successfully exploited, the vulnerabilities could lead to Remote Code Execution (RCE) or Authentication Bypass. In addition to the critical severity vulnerabilities, VMware disclosed several high and medium severity vulnerabilities, which could lead to Cross Site Request Forgery (CSRF), Local Privilege Escalation (LPE), or Information Disclosure.

Several vulnerabilities for Java Spring framework have been disclosed in the last hours and classified as similar as the vulnerability that caused the Log4Shell incident at the end of 2021. However, as of the publishing of this report, the still ongoing disclosures and events on these vulnerabilities suggest they are not as severe as their predecessor.

Application Programming Interface (API) attacks are set to become one of the most prevalent cyberattacks with a broad target range. By nature, APIs expose application logic and sensitive data such as personally identifiable information (PII), causing APIs to become a target for attackers. In 2019, Gartner predicted that API hacks would become the most common form of cyberattacks in 2022. So how can teams stay ahead of API attacks?

At the end of March 2022, two critical vulnerabilities (CVE-2022-22963 and CVE-2022-22965) were discovered in different components of VMware Spring. Spring is a popular framework focused on facilitating the development of Java applications, including cloud-based apps, eliminating the need for additional code or concerns related to server requirements.

With more than 38 percent of our customers impacted by the recently discovered Spring4 Shell zero-day vulnerability and more than 33 percent of impacted organizations having already remediated (removed) some or all their vulnerable libraries, I have been involved in many conversations over this incident.

Directory traversal vulnerabilities (also known as path traversal vulnerabilities) allow bad actors to gain access to folders that they shouldn’t have access to. In this post, we are going to take a look how directory traversal vulnerabilities work on web servers written on C/C++, as well as how to prevent them.

On Thursday, March 31, 2022, GitLab released an advisory for a critical password security vulnerability in GitLab Community and Enterprise products tracked as CVE-2022-1162. GitLab is DevOps software that combines the ability to develop, secure, and operate software in a single application. The exploitation of CVE-2022-1162 can allow a threat actor to guess a hard-coded password for any GitLab account with relative ease.

On March 29, 2022, a critical vulnerability targeting the Spring Java framework was disclosed. This vulnerability was initially confused with a vulnerability in Spring Cloud, CVE-2022-22963. However, it was later identified as a separate vulnerability inside Spring Core, now tracked as CVE-2022-22965 and canonically named Spring4Shell.

Our security researchers, engineers, and our Crowdsource community are actively working on understanding the vulnerabilities and developing tests. We have received a dozen POCs already and anticipate more over the coming days. While the situation is rapidly developing, here is what we know so far. The Spring Cloud Function vulnerability (CVE-2022-22963) was disclosed and patched earlier this week.

On Wednesday 30th March 2022, news was disclosed online about an unauthenticated RCE zero-day vulnerability in Spring Core, a framework for building modern Java-based enterprise applications.