1 April 2022 [NO.TCSA : 20220401-1-1-P]
Security researchers have found a critical security flaw in the popular Java Spring Framework that can lead to remote code execution. The vulnerability has been assigned CVE-2022-22965 with a CVSSv3 base score of 9.8, which indicates critical severity. However, with the currently available public exploits, an application must be in a specific setup for Spring4Shell to be exploitable.
Prerequisites for the exploit:
Applications deployed as a Spring Boot executable jar, which is the default, are not vulnerable to the current exploit. However, the vulnerability itself is broader than this exploit, and there may be other ways to exploit it.
Spring Framework
Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.18+ and 5.2.x users should upgrade to 5.2.20+. Other mitigation options can be found in the More Information section of this alert.
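As an added example (not part of this alert and not Spring's own tooling), the following Python script checks the Spring Framework versions found in a Maven dependency listing against the fixed versions named above. The dependency lines are constructed sample input in the shape of `mvn dependency:list` output; the script only inspects `org.springframework` artifacts, and versions outside the 5.2.x and 5.3.x branches are reported as needing manual review because this alert gives fixed versions only for those two branches. Note that a version match alone does not say whether the application is deployed as an executable jar (the condition the alert names), so treat the output as a starting point for review.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Fixed versions named in the alert: 5.3.x -> 5.3.18+, 5.2.x -> 5.2.20+
FIXED_VERSIONS = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Assumption: the core Spring Framework artifacts share the framework version
SPRING_GROUP = "org.springframework"

# Matches Maven coordinates such as "org.springframework:spring-webmvc:jar:5.3.17:compile"
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?P<version>[\w.\-]+)(?::(?P<scope>\w+))?"
)

# Constructed sample in the shape of `mvn dependency:list` output (not real project data)
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:5.3.17:compile
[INFO]    org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO]    com.example:app-lib:jar:1.0.0:compile
"""


class Finding(NamedTuple):
    artifact: str
    version: str
    status: str   # "affected", "fixed" or "unknown"
    advice: str


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return the leading numeric components of a version, e.g. '5.2.20.RELEASE' -> (5, 2, 20).
    Qualifiers such as '.RELEASE' or '-SNAPSHOT' are ignored; non-numeric versions yield None."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def assess_version(version: str) -> Tuple[str, str]:
    """Compare a Spring Framework version against the fixed versions from the alert."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown", "version string could not be parsed; review manually"
    branch = parsed[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unknown", "outside the 5.2.x/5.3.x branches named in the alert; review manually"
    fixed_str = ".".join(str(p) for p in fixed)
    if parsed >= fixed:
        return "fixed", f"at or above {fixed_str}"
    return "affected", f"upgrade to {fixed_str}+"


def scan_dependency_list(lines: List[str]) -> List[Finding]:
    """Extract org.springframework artifacts from dependency-list lines and assess each one."""
    findings = []
    for line in lines:
        m = COORD_RE.search(line)
        if not m or m.group("group") != SPRING_GROUP:
            continue
        status, advice = assess_version(m.group("version"))
        findings.append(Finding(m.group("artifact"), m.group("version"), status, advice))
    return findings


if __name__ == "__main__":
    for f in scan_dependency_list(SAMPLE_DEPENDENCY_LIST.splitlines()):
        print(f"{f.artifact:<20} {f.version:<16} {f.status:<9} {f.advice}")
```

Feed it the real output of `mvn dependency:list` (or any line list containing Maven coordinates) and review every `affected` and `unknown` row; `fixed` rows still warrant confirming that the version actually reaches the deployed artifact.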