undefined | Better HN

0 pointsznep3y ago0 comments

Spring4Shell is entirely a flaw in Spring, however is somewhat understandable because it was only exploitable due to a new feature in Java (modules) that added new methods to java.lang.Class, which is a very significant change. You could argue the very existence and nature of Java object serialization deserves blame as well, but that gets nuanced quickly.

Modules are also part of the reason why so many folks got "stuck" on java 8.

It is definitely an interesting study in the challenges of trying to make advances in a platform when a lot of the ecosystem is very much in maintenance mode and may not have a lot of eyes on the combination of existing libraries vs new versions of Java.

0 comments

ragnese3y ago

Agreed. There's definitely space to spread some blame and criticism around, I suppose. And there are plenty of old Java decisions that open the door for these issues.

j / k navigate · click thread line to collapse

0 pointsznep3y ago0 comments

Modules are also part of the reason why so many folks got "stuck" on java 8.

0 comments

ragnese3y ago

Agreed. There's definitely space to spread some blame and criticism around, I suppose. And there are plenty of old Java decisions that open the door for these issues.

j / k navigate · click thread line to collapse