Spring4Shell – What the H…?

Spring4Shell – What the H…?

Apr 5, 2022 | Vendor Risk Management

Spring4Shell

As numerous reputable security and analysis organizations continue to weigh the criticality of the recent Spring4Shell (aka: “SpringShell”) vulnerability, Shared Assessments has opted to take a neutral stance as to its prevalence and criticality. Regardless of this, it is crucial to continuously monitor all threat environments and to act prudently and proportionately.

One way to go about this is to have continuous dialogue with your internal security and infrastructure teams and with your vendors and other downstream suppliers as to how these known and horizon vulnerabilities may affect both them and you.

Adjust KRIs

Business units typically engage their vendors and suppliers with periodic meetings to discuss key performance indicators (KPI) and mature third-party risk management (TPRM) programs should do the same. By periodically engaging with the business unit, critical suppliers, and other third-party providers, to discuss the known and perceived threat environment, TPRM teams are staying ahead of the curve in identifying, monitoring the threat, gauging risk, and if needed, modifying the key risk indicators (KRI) that could potentially cause disruption or harm to your most critical business processes.

As risk professionals, the information you gain from these encounters with your vendor ecosystem is crucial to document in the organization’s risk registry, along with updating the risk categories in the vendor repository. Additionally, concerns over recent vulnerabilities such as Spring4Shell or Log4J, are operational in nature and Shared Assessment tools such as the Standardized Information Gathering (SIG) risk questionnaire, and the Standardized Control Assessment (SCA) procedure tool can help to identify and tackle these operational issues. Be sure to prioritize the assessment categories that are of most concern to you such as patch management, system updates, secure code development, managing access to administrative and system accounts across the enterprise, recovery feasibility, and other items critical to the sustainability of the operation.

Final Takeaways

Lastly, the risk management community needs to be aware of “false positives” even in the threat intelligence arena. It’s important to research, partner, and contact reliable sources to make sure you are receiving dependable information that can be shared with all internal and external support teams and partners. Be cautious of media sources that tend to hype or trumpet a particular event without corroborated sources, as these tend to cause a “Chicken Little” reaction within organizations, even over the most benign or least probable cases.

Additionally, be sure to instill “basic blocking and tackling” measures to be followed via a playbook (e.g., procedures), as to address and respond to identified vulnerabilities.

And above all – communicate.  Communicate internally and with all vendors to make sure everyone is on the same page and they’re able to come to the same risk conclusion as you. Only with a true “team” approach between TPRM teams and your service providers can we tackle such issues successfully.

Spring4Shell Info


Tom Garrubba

Tom Garrubba, Vice President, Shared Assessments, is a subject matter expert, consultant, lecturer and author with 20 years of experience in IT risk, security, privacy, audit, and risk. Tom is a beloved instructor of the Certified Third Party Risk Professional (CTPRP) program. Tom is on the Forbes Technology Council and outside of work, Tom is involved with the Civil Air Patrol Squadron 603 and enjoys coaching (softball, baseball) and making music with his kids!


Sign up for our Newsletter

Learn about upcoming events, special offers from our partners and more.

Sub Topics