Spring: 2 RCE Vulnerabilities, 1 Zero-Day

March 31, 2022


Multiple sources have reported two remote code execution (RCE) vulnerabilities in Spring projects.

One RCE affects ‘Spring Cloud Function’, and the second RCE is a critical zero-day vulnerability dubbed ‘Spring4Shell’, affecting ‘Spring Core’ running on JDK version 9.0 or newer in specific configurations.

Currently, the ‘Spring4Shell’ vulnerability has only a workaround available.

Spring is a subsidiary of VMware. It offers development services through several platforms. ‘Spring Framework’ is an application framework and inversion of control container for the Java platform. ‘Spring Cloud’ is a cloud application development platform.

The Vulnerabilities

  • CVE-2022-22963, Medium Severity – In ‘Spring Cloud Function’ versions 3.1.6, 3.2.2 and older unsupported versions, when using the routing functionality it is possible for a user to provide a specially crafted SpEL expression as a routing expression that may result in access to local resources. This vulnerability is exploitable remotely and no privileges are required.
  • Spring4Shell, Critical Severity – In ‘Spring Core’ with JDK 9.0 or newer, and in specific configurations, due to an unsafe deserialization of passed arguments, it is possible to plant a webshell on vulnerable systems using a POST request, which leads to remote code execution.

Affected Products

Products affected by CVE-2022-22963:

  • ‘Spring Cloud Function’ versions 3.1.6, 3.2.2 and older, unsupported versions.

Products affected by Spring4Shell:

  • ‘Spring Core’, with JDK versions 9.0 or newer with ‘DataBinder’ enabled, or other vulnerable configurations that are not yet discovered.

Mitigation for CVE-2022-22963

CYREBRO recommends upgrading ‘Spring Cloud Function’ to version 3.1.7 or 3.2.3 to fully mitigate the vulnerability.

Mitigation for ‘Spring4Shell’

As a temporary workaround for the vulnerability, CYREBRO recommends creating a ‘ControllerAdvice’ component (a Spring component shared across all Controllers) that registers the following patterns as a denylist for data binding:

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
// Applied to every controller; lowest precedence so it runs after any other advice.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {
    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
         // Refuse to bind any request parameter whose path reaches the "class" property.
         String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
         dataBinder.setDisallowedFields(denylist);
    }
}
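An added check (example code, not from the CYREBRO advisory or the Spring project) that exercises the same denylist with Spring's standalone DataBinder, so the patterns can be verified outside a running web application. It assumes spring-beans and spring-core on the classpath; the Profile bean and the parameter names are constructed for the example.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.BindingResult;
import org.springframework.validation.DataBinder;

import java.util.Arrays;

public class DenylistCheck {

    // Constructed form-backing bean with one legitimate field. Every Java object
    // also exposes getClass(), so unrestricted binding can reach "class.*" paths.
    public static class Profile {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Same patterns as the ControllerAdvice workaround. Both capitalisations are
    // listed because older Spring versions match disallowed fields case-sensitively.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    // Binds request-style parameters to the target with the denylist applied and
    // returns the binding result; refused parameters appear as suppressed fields.
    static BindingResult bindWithDenylist(Profile target, MutablePropertyValues params) {
        DataBinder binder = new DataBinder(target);
        binder.setDisallowedFields(DENYLIST);
        binder.bind(params);
        return binder.getBindingResult();
    }

    public static void main(String[] args) {
        // Constructed parameters: one ordinary field plus two paths that traverse
        // the implicit "class" property at the top level and nested one level down.
        MutablePropertyValues params = new MutablePropertyValues();
        params.add("name", "alice");
        params.add("class.name", "tampered");
        params.add("owner.class.name", "tampered");

        Profile profile = new Profile();
        BindingResult result = bindWithDenylist(profile, params);

        // The legitimate field is bound; both "class" paths are dropped before
        // DataBinder ever touches the bean's property graph.
        System.out.println("bound name:        " + profile.getName());
        System.out.println("suppressed fields: " + Arrays.toString(result.getSuppressedFields()));
    }
}
```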

CYREBRO will continue monitoring the vulnerability and update with any relevant developments.

References: VMware advisory, Bleeping Computer
