Spring Java framework zero-day disclosed: CVE-2022-22965

Brock Bingham|March 31, 2022
Spring Java framework vulnerability disclosed.

Hot off the heels of the recent Chrome zero-day exploit, Spring, the popular Java framework designed to help developers build Java-based applications, has disclosed a zero-day vulnerability affecting its platform, referred to online as Spring4Shell.

Prior to CVE-2022-22965 being published, full details of the vulnerability were leaked online, leaving developers scrambling to address the issue.

Are you impacted?

The requirements for the vulnerability are very specific, which may limit the number of affected users; however, if you use the Spring Framework, you'll definitely want to verify that your systems are safe. Here are the requirements according to Spring.io:

  • JDK 9 or higher

  • Apache Tomcat as the Servlet container

  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)

  • spring-webmvc or spring-webflux dependency

  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

Even if you do not meet these prerequisites, it's important to keep in mind that the details of this exploit are very new, and certain aspects of the vulnerability may still be unknown at this time. 

From Spring:

The nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.

What to do if you're affected by Spring4Shell

If you are impacted by this vulnerability, it is highly recommended that you update to the latest Spring Framework versions, which have just been released. Users currently running version 5.2.x should upgrade to 5.2.20 or later, and users running version 5.3.x should upgrade to 5.3.18 or later.
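To turn the prerequisite list above and the upgrade guidance into something an IT team can run against an inventory, here is an added example (not code from the original article, Spring, or PDQ). It checks a deployment description against the five published prerequisites, tells you whether the Spring Framework version falls in one of the affected ranges, and names the fixed release for that line. The `Deployment` record and its field names are assumptions made for this example; the advisory gives no fixed release for lines older than 5.2, so the example flags those as needing a move to a patched line rather than naming one.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# First fixed release per affected line, as stated in the advisory.
FIXED_VERSIONS = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '5.3.17' or '5.3.17.RELEASE' into (5, 3, 17); non-numeric suffixes are dropped."""
    parts = []
    for token in version.split("."):
        if not token.isdigit():
            break
        parts.append(int(token))
    if len(parts) < 2:
        raise ValueError(f"unrecognised Spring version string: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def spring_version_vulnerable(version: str) -> bool:
    """True for 5.3.0-5.3.17, 5.2.0-5.2.19, and anything older than 5.2.0."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is not None:
        return v < fixed
    # Lines without a fix entry: everything below 5.2.0 is listed as affected.
    return v < (5, 2, 0)


def recommended_upgrade(version: str) -> Optional[str]:
    """Fixed release for the same line, or None when the advisory names none (older lines)."""
    fixed = FIXED_VERSIONS.get(parse_version(version)[:2])
    return None if fixed is None else ".".join(map(str, fixed)) + " or later"


@dataclass
class Deployment:
    """Assumed inventory record for one application (field names are this example's own)."""
    jdk_major: int
    servlet_container: str   # e.g. "Tomcat", "Jetty"
    packaging: str           # "war" or "jar"
    dependencies: set        # artifact ids such as "spring-webmvc"
    spring_version: str


def prerequisites_met(d: Deployment) -> dict:
    """One boolean per published prerequisite."""
    return {
        "jdk9_or_higher": d.jdk_major >= 9,
        "tomcat_container": d.servlet_container.lower() == "tomcat",
        "war_packaging": d.packaging.lower() == "war",
        "spring_mvc_or_webflux": bool(d.dependencies & {"spring-webmvc", "spring-webflux"}),
        "affected_spring_version": spring_version_vulnerable(d.spring_version),
    }


def assess(d: Deployment) -> str:
    """Plain-language verdict for a change ticket or report."""
    checks = prerequisites_met(d)
    target = recommended_upgrade(d.spring_version) or "a patched line (no fix in this line)"
    if all(checks.values()):
        return f"all published prerequisites met; upgrade to {target}"
    if checks["affected_spring_version"]:
        missing = ", ".join(k for k, ok in checks.items() if not ok)
        # The advisory warns other vectors may exist, so an affected version is still upgraded.
        return f"affected Spring version, prerequisites not all met ({missing}); upgrade to {target}"
    return "Spring Framework version already patched"


if __name__ == "__main__":
    # Constructed sample inventory, not real systems.
    sample = Deployment(11, "Tomcat", "war", {"spring-webmvc"}, "5.3.17.RELEASE")
    print(assess(sample))
```

Feeding the `assess` function each application's record from your inventory gives a per-app verdict; the deliberately conservative branch reports an affected version even when the other prerequisites are not met, matching the article's point that the disclosed conditions may not be the only ones.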

Again, the information surrounding this vulnerability is very new, and other attack vectors and prerequisites may be unknown at this point. Even if you've implemented the recommended upgrades, it's critical to keep an eye on this vulnerability as new information becomes available.

PDQ is dedicated to helping IT teams keep their networks secure. To stay up to date with the latest information regarding this vulnerability, bookmark this article which will be updated with any new relevant information as it becomes available.

Brock Bingham

Born in the '80s and raised by his NES, Brock quickly fell in love with everything tech. With over 15 years of IT experience, Brock now enjoys the life of luxury as a renowned tech blogger and receiver of many Dundie Awards. In his free time, Brock enjoys adventuring with his wife, kids, and dogs, while dreaming of retirement.
