Active exploitation of RCE in Java’s Spring Framework

Updated: 2:30pm, 1 April 2021 to provide the latest information on version upgrades and new vulnerability information

There are two critical RCE vulnerabilities in Java’s Spring Framework.

A new critical Remote Code Execution (RCE) vulnerability (CVE-2022-22963) was discovered in Java’s Spring Cloud Functions. There are patches available for this vulnerability which should be applied to affected systems as soon as possible.
A vulnerability (CVE-2022-22965) in Spring Core that could lead to unauthenticated RCE, has also been discovered. It has been titled by some researchers as “Spring4Shell” or “SpringShell”.

There are reports of proof-of-concept code and active exploitation for both vulnerabilities.

What to look for

For CVE-2022-22963, you’re at risk if you are using Spring Cloud versions earlier than:

For CVE-2022-22965, Spring4Shell, you’re at risk if you are using Spring Core:

For Spring4Shell vulnerability, you’re at risk if you are using:

JDK9 and above
Spring-Beans package
Spring parameter binding
Spring parameter binding that uses non-basic parameter types, such as general POJOs

For Spring4Shell you can check if you vulnerable using the Vulnerability scanner External Link

For CVE-2022-22963 upgrade to Spring Cloud Function version:

For CVE-2022-22965 upgrade to Spring Core with Framework version:

For Spring4Shell vulnerability:

On your Web Application Firewall, implement filtering and monitoring rules referencing “class” ("class.*", "*.class.*", "Class.*", and "*.Class.*")
If you use YARA, check this page on how to detect Spring4Shell: YARA rules to detect Spring4Shell related activities External Link
Monitor Lunasec's blog for latest updates on further mitigation measures: Lunasec's blog summary of both Spring vulnerabilities External Link

Monitor latest updates for further mitigation measures:

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.