Critical Vulnerability in Spring Java framework

Thursday, March 31, 2022 - 16:30

Action Needed: Critical Vulnerability in Spring Java framework


Threat: CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

UPDATE 4/8/2022: Trend Micro Threat Research today confirmed that this Spring4Shell vulnerability has been exploited by the Mirai botnet.

From the Spring advisory: “The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.” [emphasis added]
Although the advisory lists the currently known requirements for an installation to be vulnerable, it goes on to say that “the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.” Continue to monitor the situation regardless of the specific Spring configuration you use.

LSPs need to do the following immediately:

  • identify whether they support any server systems running the Spring Framework for Java
  • mitigate the issue as described in the Spring advisory
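
The first step, finding systems that ship the Spring Framework, can be scripted. The following scanner is an added example written for this page, not code from the Spring advisory: it walks a directory for .jar and .war files, reads the Maven pom.properties that Spring artifacts carry under META-INF/maven/org.springframework/, recurses into jars bundled under WEB-INF/lib (WAR) or BOOT-INF/lib (Spring Boot executable jar), and flags any version older than the fixed releases 5.3.18 and 5.2.20. It assumes unshaded Maven-built artifacts; the two sample archives it builds in memory are constructed for the demonstration.

```python
"""Find Spring Framework jars on disk and flag versions without the
CVE-2022-22965 fix (5.3.18 / 5.2.20).  Added example, not from the advisory.
Assumes unshaded Maven-built artifacts, which carry
META-INF/maven/org.springframework/<artifact>/pom.properties."""
import io
import os
import re
import zipfile

# First fixed release on each supported line (from the Spring advisory).
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
POM_RE = re.compile(r"^META-INF/maven/org\.springframework/(spring-[a-z]+)/pom\.properties$")
NESTED_LIB_DIRS = ("WEB-INF/lib/", "BOOT-INF/lib/")   # WAR and Spring Boot fat-jar layouts


def parse_version(v):
    """'5.3.17' -> (5, 3, 17); trailing qualifiers such as '.RELEASE' are dropped."""
    nums = []
    for part in v.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple((nums + [0, 0, 0])[:3])


def is_vulnerable_version(v):
    """True when the version predates the fix.  Lines older than 5.2 (5.1, 4.x)
    never received a fix; 6.x and later already include it."""
    t = parse_version(v)
    fixed = FIXED.get(t[:2])
    if fixed is not None:
        return t < fixed
    return t < (5, 2, 20)


def spring_artifacts(zf):
    """Yield (artifact, version) for each Spring pom.properties inside a ZipFile."""
    for name in zf.namelist():
        m = POM_RE.match(name)
        if not m:
            continue
        for line in zf.read(name).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                yield m.group(1), line.split("=", 1)[1].strip()


def scan_archive(data, path):
    """Return [(path, artifact, version, vulnerable)] for one jar/war given as bytes,
    recursing into jars bundled under WEB-INF/lib or BOOT-INF/lib."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for artifact, version in spring_artifacts(zf):
            findings.append((path, artifact, version, is_vulnerable_version(version)))
        for name in zf.namelist():
            if name.startswith(NESTED_LIB_DIRS) and name.endswith(".jar"):
                findings.extend(scan_archive(zf.read(name), f"{path}!{name}"))
    return findings


def scan_tree(root):
    """Scan every .jar/.war below root (for example a Tomcat webapps directory)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith((".jar", ".war")):
                p = os.path.join(dirpath, f)
                with open(p, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), p))
    return findings


def report(findings):
    return [("UNPATCHED" if vuln else "fixed    ") + f"  {artifact} {version}  {path}"
            for path, artifact, version, vuln in findings]


# --- constructed sample archives so the script runs offline -------------------
def make_jar(artifact, version):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/org.springframework/{artifact}/pom.properties",
                    f"version={version}\ngroupId=org.springframework\nartifactId={artifact}\n")
    return buf.getvalue()


def make_war(jars):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in jars.items():
            zf.writestr(f"WEB-INF/lib/{name}", data)
    return buf.getvalue()


SAMPLE_WAR = make_war({"spring-core-5.3.17.jar": make_jar("spring-core", "5.3.17"),
                       "spring-beans-5.3.17.jar": make_jar("spring-beans", "5.3.17")})
SAMPLE_FIXED_JAR = make_jar("spring-core", "5.3.18")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        findings = scan_tree(sys.argv[1])          # e.g. /opt/tomcat/webapps
    else:
        findings = scan_archive(SAMPLE_WAR, "sample.war") + scan_archive(SAMPLE_FIXED_JAR, "sample.jar")
    print("\n".join(report(findings)))
```

Run it with the path to a deployment directory; with no argument it scans the two constructed samples. The scanner only answers the first question (is Spring present, and at what version). The JDK in use (the exploit needs JDK 9+) and the deployment type (WAR on Tomcat versus Spring Boot executable jar) must be checked separately on the host, and because the advisory warns that other exploitation paths may exist, every flagged artifact should be treated as in scope for patching whatever the deployment type. Jars that have been shaded or relocated without their pom.properties will not be found by this check.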

Permanent mitigation:

  • Spring Framework 5.3.18 and 5.2.20, which contain the fixes, have been released.

  • Spring Boot 2.6.6 and 2.5.12, which depend on Spring Framework 5.3.18, have been released.

Temporary mitigation:

  • The Spring advisory contains a multistep workaround for those unable to install the patched versions, but warns that the workaround may leave some loopholes.

More information:
