What is SpringShell / Spring4Shell CVE-2022-22965 and how does it affect me?
What is SpringShell?
SpringShell or Spring4Shell was first identified on Wednesday March 30, 2022 and was designated CVE-2022-22965 with an initial CVSS Score of 9.8. CVE-2022-22965 describes how an application using the Spring Framework and running on JDK 9 or later may be vulnerable to remote code execution (RCE) via data binding.
A known exploit requires the application to run on Tomcat as a WAR deployment, however the nature of the vulnerability is more general and there may be other ways to exploit it.
This vulnerability is only active when using JDK 9 and above with the Spring Framework. It takes advantage of a feature introduced in JDK 9 as an attack-vector to bypass an earlier Spring Framework fix for CVE-2010-1622, effectively re-introducing this old vulnerability.
Who does it Affect?
SpringShell affects those who use the Spring Framework on JDK 9 or greater, which includes Long-Term-Support (LTS) releases JDK 11 and JDK 17. If using the Spring Framework on JDK 8 (or below), you are not vulnerable to this exploit.
The versions of Spring Framework affected are:
- versions 5.3.0 to 5.3.17
- versions 5.2.0 to 5.2.19
- most older, unsupported versions are also affected
What can I do if I'm affected?
If you are affected by this vulnerability, it is recommended to upgrade to the latest version of Spring Framework, currently:
NOTE: This SpringShell CVE-2022-22965 should not be confused with an earlier (by a few days) identified Spring Expression Language (SpEL) vulnerability CVE-2022-22963 that impacts Spring Cloud Function. The two are not related.
For more information on SpringShell, please refer to the Spring website or one of the many other resources online, for example this blog is a good starting point. Information is constantly evolving, so this article may not contain the latest updates.
If you have any follow-up questions or concerns, please feel free to email support at azul.com.