IT Professionals:
On March 29, a pair of Remote Code Execution (RCE) vulnerabilities were disclosed in the Spring Core Java library, dubbed “Spring4Shell” [1]. Currently, the vulnerability is only exploitable under limited, non-default conditions. Please check any systems you are responsible for that meet both of the following conditions:
- Java applications running on JDK 9 or higher;
- Java applications using Spring Framework 5.3.x up to and including 5.3.17, or 5.2.x up to and including 5.2.19.
Patches are now available for Spring4Shell in Spring versions 5.3.18 and 5.2.20 and official CVEs have been published as CVE-2022-22965 [2] and CVE-2022-22963 [3]. For more information, please see the official release from the Spring team [4].
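The following is an added example, not part of this notice or of the Spring project's own tooling: a small POSIX shell triage helper that encodes the two conditions above and the fixed versions named in this notice (5.3.18 and 5.2.20). It assumes that Spring Framework jars follow the Maven naming convention (spring-core-<version>.jar, spring-beans-<version>.jar) and that the JDK version is taken from the first line of `java -version` output; both assumptions are stated in the code. It also flags Spring lines older than 5.2 for review, which follows the Spring announcement [4] (older, unsupported versions are affected too) rather than the two ranges listed above.

```shell
#!/bin/sh
# Added example (not part of the advisory or of Spring): triage helper for the
# Spring4Shell (CVE-2022-22965) conditions listed in the notice.
# Assumptions not taken from the notice:
#   - Spring Framework jars follow Maven naming: spring-core-<ver>.jar,
#     spring-beans-<ver>.jar (e.g. spring-beans-5.3.17.jar).
#   - JDK versions are read from `java -version` style lines such as
#     'openjdk version "11.0.14"' or 'java version "1.8.0_312"'.
# Fixed versions (5.3.18 and 5.2.20) are the ones named in the notice.

# is_vulnerable_spring VERSION -> prints "yes" if VERSION is in the affected
# range (5.3.0-5.3.17, 5.2.0-5.2.19, or an older unsupported line), else "no".
is_vulnerable_spring() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) rest=${rest#*.}; patch=${rest%%[!0-9]*} ;;   # "19.RELEASE" -> 19
        *)   patch=0 ;;                                  # "5.3" -> patch 0
    esac
    [ -z "$patch" ] && patch=0
    case "$major.$minor" in
        5.3) [ "$patch" -le 17 ] && echo yes || echo no ;;
        5.2) [ "$patch" -le 19 ] && echo yes || echo no ;;
        *)
            # Lines older than 5.2 are out of support; Spring's announcement
            # [4] says they are affected too, so flag them for review.
            if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 2 ]; }; then
                echo yes
            else
                echo no      # 6.x or any other later line
            fi ;;
    esac
}

# jdk_major VERSION_LINE -> prints the major release (8, 11, 17, ...), mapping
# the legacy "1.8.0_312" form to 8 and the modern "11.0.14" form to 11.
jdk_major() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    [ -z "$v" ] && v=$1                   # also accept a bare version string
    case "$v" in
        1.*) v=${v#1.} ;;
    esac
    echo "${v%%[!0-9]*}"
}

# is_vulnerable_jdk VERSION_LINE -> "yes" if the JDK is release 9 or higher.
is_vulnerable_jdk() {
    [ "$(jdk_major "$1")" -ge 9 ] 2>/dev/null && echo yes || echo no
}

# scan_spring_jars DIR -> one line "VERSION PATH yes|no" per Spring Framework
# core/beans jar found under DIR (the two jars that carry the Framework version).
scan_spring_jars() {
    find "$1" -type f \( -name 'spring-core-*.jar' -o -name 'spring-beans-*.jar' \) |
    while IFS= read -r jar; do
        name=${jar##*/}
        ver=$(printf '%s\n' "$name" | sed -n 's/^spring-[a-z]*-\([0-9][^ ]*\)\.jar$/\1/p')
        [ -z "$ver" ] && continue
        printf '%s %s %s\n' "$ver" "$jar" "$(is_vulnerable_spring "$ver")"
    done
}

# count_vulnerable_jars DIR -> number of jars scan_spring_jars flagged "yes".
count_vulnerable_jars() {
    scan_spring_jars "$1" | grep -c ' yes$' || true
}

# Usage: sh spring4shell-triage.sh /path/to/deployed/app
if [ "$#" -gt 0 ]; then
    if command -v java >/dev/null 2>&1; then
        printf 'JDK 9 or higher: %s\n' "$(is_vulnerable_jdk "$(java -version 2>&1 | head -n 1)")"
    fi
    scan_spring_jars "$1"
    printf 'jars in affected range: %s\n' "$(count_vulnerable_jars "$1")"
fi
```

A jar flagged "yes" together with a JDK verdict of "yes" means the host meets both conditions in this notice and should be upgraded to 5.3.18 or 5.2.20; a "yes" on only one of the two still warrants recording the version for follow-up, since the JDK or the application may change.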
–IT Community Partnerships on behalf of the University Information Security Office
[1] https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
[2] https://tanzu.vmware.com/security/cve-2022-22965
[3] https://tanzu.vmware.com/security/cve-2022-22963
[4] https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement