
Cyber Vulnerabilities Everywhere: Spring4Shell

Just a few months after the Log4j Java library was discovered to have a vulnerability (called Log4Shell) that not only affected many software products but also reportedly affected several critical OT devices, a new vulnerability has been discovered in Spring, Java’s most popular framework.

Operational Technology (OT) and the Log4Shell vulnerability

On the 24th November 2021, the Alibaba Cloud Security team privately notified Apache about a new vulnerability in Log4j, a very popular Java library. The vulnerability became public knowledge on the 9th December 2021 and was officially published in CVE databases on the 11th and 12th December 2021.