Frequently Asked Questions about Spring4Shell Vulnerability
Hi @Satnam Narang, @Scott Caveza
We are getting a lot of false positives based on the Spring version: the target host is not running JDK 9+, or other prerequisites for being vulnerable are not met, but Tenable is flagging it as vulnerable based on the Spring version alone, which is misleading our investigation and remediation plan.
We cannot rely on your product. Either create reliable detection plugins or improve the existing ones to include context for the exploit. Just checking the version and reporting it as vulnerable is not enough, nor is it justified. It's misleading.
I would suggest that you please review your plugins for Spring4Shell and also do a context check on whether a host is genuinely vulnerable or not.
There is a lot of extra fine-tuning and correction we are doing after getting the Tenable report, so what is the benefit of this tool? The version alone can be detected by any other tool.
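The kind of context check the post asks for, written out as an added example. This is not Tenable's plugin code and is not from the original thread. The preconditions it tests are the ones published in the Spring advisory for CVE-2022-22965 (Spring4Shell): JDK 9+, Apache Tomcat as the servlet container, deployment as a traditional WAR, and spring-webmvc or spring-webflux on the classpath, with 5.3.18 and 5.2.20 as the first fixed releases. The `Host` fields and the sample inventory are assumptions for illustration; in practice they would be populated from your own asset data.

```python
"""Context-aware triage of Spring4Shell (CVE-2022-22965) version findings.

Added example for the post above; it is not Tenable's plugin logic.
Host attributes are assumed to come from your own asset inventory; the
sample hosts at the bottom are constructed, not real systems.
"""
from dataclasses import dataclass
from typing import List, Tuple

# First fixed release on each supported branch, per the Spring advisory
# for CVE-2022-22965. Branches older than 5.2 were out of support and
# are treated as affected; 6.x was never affected.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.3.17' or '5.3.17.RELEASE' into (5, 3, 17); non-numeric
    components such as 'RELEASE' or 'SNAPSHOT' are dropped."""
    nums = []
    for part in text.strip().split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        if digits:
            nums.append(int(digits))
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def spring_version_affected(text: str) -> bool:
    """Version-only check: what a plugin matching purely on version does."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return v < (5, 2, 0)  # 5.1 and older: affected; 6.x and later: not
    return v < fixed


@dataclass
class Host:
    name: str
    spring_version: str
    jdk_major: int             # from `java -version` on the host (assumed field)
    container: str             # "tomcat", "jetty", "undertow", ... (assumed field)
    packaging: str             # "war" or "jar" (assumed field)
    uses_mvc_or_webflux: bool  # spring-webmvc or spring-webflux on the classpath


def triage(host: Host) -> Tuple[str, List[str]]:
    """Classify one scanner hit.

    Returns (verdict, unmet_preconditions) where verdict is
      'not-affected'        - Spring version is already fixed,
      'version-only'        - affected version but one or more of the
                              published exploit preconditions is unmet,
      'likely-exploitable'  - affected version and all preconditions met.
    'version-only' hosts still need the patch: the Spring advisory
    states the flaw is more general and other exploit paths may exist.
    """
    if not spring_version_affected(host.spring_version):
        return "not-affected", []
    unmet = []
    if host.jdk_major < 9:
        unmet.append("JDK %d (< 9)" % host.jdk_major)
    if host.container != "tomcat":
        unmet.append("container is %s, not Tomcat" % host.container)
    if host.packaging != "war":
        unmet.append("deployed as %s, not a WAR" % host.packaging)
    if not host.uses_mvc_or_webflux:
        unmet.append("no spring-webmvc/spring-webflux")
    return ("likely-exploitable" if not unmet else "version-only"), unmet


def triage_all(hosts: List[Host]) -> dict:
    """Group host names by verdict so the 'likely-exploitable' set is patched first."""
    out = {"not-affected": [], "version-only": [], "likely-exploitable": []}
    for h in hosts:
        verdict, _ = triage(h)
        out[verdict].append(h.name)
    return out


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("app01", "5.3.17", 11, "tomcat", "war", True),
    Host("app02", "5.3.17", 8, "tomcat", "war", True),         # JDK 8: precondition unmet
    Host("app03", "5.2.19.RELEASE", 17, "jetty", "jar", True),  # fat JAR on Jetty
    Host("app04", "5.3.18", 17, "tomcat", "war", True),         # patched
    Host("app05", "6.0.2", 17, "tomcat", "war", True),          # 6.x never affected
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        verdict, unmet = triage(host)
        print("%-6s %-18s %s" % (host.name, verdict, "; ".join(unmet)))
```

The point of the split verdict is that a version-only match is a patching work item, while a host meeting every published precondition is an incident-response priority; collapsing both into "vulnerable" is what produces the noise the post complains about.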
- scaveza (Product Team), 4 years ago
Hi Mohd,
We would recommend opening a support case with our support team to ensure that the engineers working on plugin development have the information necessary to troubleshoot this case. Additional plugin updates are to be expected as more information becomes available on the conditions necessary to exploit this flaw.