
Spring4Shell and Other Bugs Make Patching Top Priority for Business

The full impact of the Spring4Shell vulnerability is not yet clear, but business leaders should use the moment to review patch protocols and other cyber hygiene basics.

Long Read

Like locusts, zero-day bugs keep coming. The latest, dubbed Spring4Shell, is a remote code execution vulnerability (CVE-2022-22965) in the open-source Spring Framework, the Java application framework maintained by VMware. How widely it will be exploited is not yet clear.

As with the similarly named Log4Shell vulnerability, which researchers publicly disclosed in December 2021, it will require quick collaborative action on the part of cybersecurity professionals and software developers. That collaboration is taking shape.

Know your IT risk posture

The new vulnerability, disclosed March 31, is the second Spring bug reported in a week (the first affected Spring Cloud Function), and comes just days after Google announced that its Chrome browser, used by an estimated 3.2 billion people, contained a zero-day type-confusion flaw in its V8 JavaScript engine. Microsoft’s Edge browser, which is built on the same Chromium code base, was affected by the same bug. Both companies issued patches and urged users to update their browsers as soon as possible.

Software flaws are fixable. But only if you patch your stuff. And while patching may be the job of IT ops teams, board members and C-suite executives are increasingly stepping into the conversation. They are asking their CISOs, CIOs, and others if they have appropriate patch management strategies in place. And if not, why not? Such talks are long overdue.

Looking to start your own conversation? Here’s what business and tech leaders need to know about the best approaches.

Learn the basics of patch management

A zero-day is the most dangerous kind of vulnerability: one that attackers know about, and often are already exploiting, before the vendor has a fix available, so defenders have had zero days to patch. The zero-day flaw announced by Google affects Chrome users on Windows, macOS, and Linux, as well as users of Microsoft’s Edge browser. Google rates the severity as high but, following its usual practice of withholding bug details until most users have updated, has released no further technical information.

In situations like these, business leaders must think like oncologists. They may not fully understand the cancer, but they should be fully versed in the treatment.

That means understanding the steps involved in effective patch management: keeping an accurate inventory of assets and the software running on them, scanning for missing patches, prioritizing them by exploitability and exposure (a flaw under active exploitation on an internet-facing system comes first), testing patches in a staging environment, deploying them, verifying that they actually applied, and documenting the resulting configurations.

Automated patch management can simplify that process, especially for enterprises with hundreds or thousands of endpoints. Its main benefit is consistency: it reduces the chance that a known patch is missed on a known endpoint. It cannot cover endpoints that were never inventoried, or flaws for which no patch yet exists, which is why asset discovery and compensating controls still matter.

[Read more: What is patch management?]

Be prepared for software patching challenges

On Monday, March 28, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned federal civilian agencies to patch the Chrome flaw, adding it to its Known Exploited Vulnerabilities catalog with a three-week deadline. The ASAP mandate is nothing new. CISA issued an emergency directive in December requiring agencies to fast-track patching for the Log4j vulnerability. Log4j, an open-source logging library, is embedded in millions of Java applications, and the ease with which Log4Shell could be exploited caused widespread concern, renewing interest in patch management among business and tech leaders.

Suzanne Spaulding, a senior adviser for homeland security and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies, called CISA’s patching directives “risk management 101.”

Software patching, then, is essential. But it can also be complicated. In December 2021, Endpoint laid out the need for speed in such endeavors, the bumps along the way, and the steps to overcome those bumps. Step one: Establish a thorough asset discovery and inventory process, because you cannot patch, or even prioritize, software you do not know you are running.

[Read also: CISA—Federal agencies must urgently patch Log4j vulnerability]

Look for software vulnerabilities in your supply chain

For business and tech leaders still jittery from the Log4j bug, the news about the latest Spring vulnerability caused some déjà vu. But it was also a reminder that third-party code in your software supply chain, open-source libraries like Spring and Log4j included, carries its vulnerabilities into your own applications, whether or not you know the component is there.

“Organizations probably have more third parties in their ecosystem than ever before,” warned Sandy Carielli, a principal analyst at Forrester, during the company’s Security & Risk Forum 2021.

Too many organizations haven’t changed the way they mitigate business technology and third-party risks. That has to change. In December 2021, Endpoint took a deep dive into supply chain hacks—how they work (it’s less complicated than you might think), who’s affected (that would be all of us), and why they continue to be so successful. (There are common mistakes businesses and other groups make that help attackers do their dirty work.)

[Read also: Taming supply chain risks in the wake of the Log4j vulnerability]

This week’s news will no doubt have a lot of people logging onto CISA’s Known Exploited Vulnerabilities Catalog. CISA adds a vulnerability to the catalog only on evidence of active exploitation, and each entry carries a due date by which federal civilian agencies must remediate it under Binding Operational Directive 22-01. Originally designed for federal agencies, the catalog is a useful go-to for anyone, and CISA encourages businesses and other entities to use it as a guide to which flaws attackers are actually exploiting.
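How a security team would actually use the catalog is to cross-reference it against the asset inventory that the patch management steps above call for, and let the CISA due dates drive the order of work. The following script is an added example, not code from the article or from CISA. It runs offline on a constructed sample in the shape of CISA’s KEV JSON feed (the real feed is published at the URL in KEV_URL); the inventory rows, the ALIASES table and the hit format are assumptions made for illustration, and the dates and product strings in the sample are illustrative rather than copied from the live catalog.

```python
"""Triage a software inventory against CISA's Known Exploited Vulnerabilities
(KEV) catalog and produce a patch list ordered by CISA due date.

Added example, not code from the article or from CISA. The live catalog is
published as JSON at KEV_URL with the same top-level shape as KEV_SAMPLE;
this script runs offline on a constructed sample so it can be tried without
network access. Inventory rows, ALIASES and the hit format are assumptions
for illustration, not a CISA or vendor schema.
"""
import json
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the KEV JSON shape. The CVE IDs are the real ones for
# Log4Shell, the Chrome V8 zero-day and Spring4Shell; product names, dates and
# text are illustrative and may differ from the live catalog entries.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-1096", "vendorProject": "Google", "product": "Chromium V8 Engine",
         "vulnerabilityName": "Google Chromium V8 Type Confusion Vulnerability",
         "dateAdded": "2022-03-28", "dueDate": "2022-04-18",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-22965", "vendorProject": "VMware", "product": "Spring Framework",
         "vulnerabilityName": "Spring Framework JDK 9+ Remote Code Execution Vulnerability",
         "dateAdded": "2022-04-04", "dueDate": "2022-04-25",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory, the kind of output an asset discovery process yields.
INVENTORY = [
    {"host": "web-01", "vendor": "VMware", "product": "Spring Framework", "version": "5.3.17"},
    {"host": "web-02", "vendor": "VMware", "product": "Spring Framework", "version": "5.3.18"},
    {"host": "lt-0042", "vendor": "Google", "product": "Chrome", "version": "99.0.4844.74"},
    {"host": "vpn-01", "vendor": "OpenSSL", "product": "OpenSSL", "version": "1.1.1n"},
]

# KEV product names are free text, not CPE identifiers, so inventory names
# need an explicit mapping onto the catalog's spelling. Assumed aliases.
ALIASES = {
    ("google", "chrome"): ("google", "chromium v8 engine"),
}


def normalize(vendor, product):
    """Case- and whitespace-insensitive (vendor, product) key."""
    return (vendor.strip().lower(), product.strip().lower())


def load_catalog(text):
    """Parse KEV JSON text and return the list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def match_inventory(catalog, inventory, aliases=ALIASES):
    """Return one hit per (inventory row, KEV entry) with matching vendor/product.

    KEV carries no affected-version data, so every install of a listed
    product is flagged; the version is kept so it can be checked against
    the vendor advisory before a patch is scheduled.
    """
    by_product = {}
    for entry in catalog:
        by_product.setdefault(normalize(entry["vendorProject"], entry["product"]), []).append(entry)
    hits = []
    for item in inventory:
        key = normalize(item["vendor"], item["product"])
        for entry in by_product.get(aliases.get(key, key), []):
            hits.append({
                "host": item["host"], "product": item["product"], "version": item["version"],
                "cveID": entry["cveID"], "dueDate": date.fromisoformat(entry["dueDate"]),
                "requiredAction": entry["requiredAction"],
            })
    return hits


def prioritize(hits, today):
    """Overdue items first, then soonest due date, then host name."""
    for hit in hits:
        hit["overdue"] = hit["dueDate"] < today
    return sorted(hits, key=lambda h: (not h["overdue"], h["dueDate"], h["host"]))


def patch_list(catalog_text=KEV_SAMPLE, inventory=INVENTORY, today=None):
    """End-to-end: parse catalog, match inventory, order by urgency.

    `today` is an ISO date string; defaults to the current date.
    """
    as_of = date.fromisoformat(today) if today else date.today()
    return prioritize(match_inventory(load_catalog(catalog_text), inventory), as_of)


if __name__ == "__main__":
    for hit in patch_list(today="2022-04-20"):
        flag = "OVERDUE" if hit["overdue"] else "due"
        print(f"{hit['host']:8} {hit['cveID']:15} {hit['product']} {hit['version']:14} "
              f"{flag} {hit['dueDate']}: {hit['requiredAction']}")
```

Run as of April 20, 2022, the laptop running Chrome comes out on top because its CISA due date has already passed, the two Spring hosts follow, and neither the Log4j entry (nothing in the inventory uses it) nor the OpenSSL host (not in the catalog) appears. Two caveats the code makes explicit: KEV identifies products by free-text names, so an alias table like ALIASES is needed before matching is reliable, and KEV says nothing about affected versions, so web-02, which the inventory shows on 5.3.18, the release that fixed Spring4Shell, is still flagged and must be cleared against the vendor advisory rather than the catalog. The catalog is a prioritization signal, not a vulnerability scanner.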

As recent headlines show—“CISA Adds Five Known Exploited Vulnerabilities to Catalog,” “Eight Vulnerabilities Added,” “Nine,” “32,” “66”—the hits just keep coming.

Best to keep that CISA page bookmarked.

Joseph V. Amodio

Joseph V. Amodio is an experienced journalist who has covered the change-makers and latest developments in a variety of fields, including health and medicine. His work has appeared in The New York Times Magazine, Newsday, CNN.com and numerous other media outlets.